On 04/30/2015 12:41 PM, Andy Thompson wrote:
You got a first replica where you failed to delete the entry.
You got a second replica where you succeeded to delete the entry.

On first replica you can see messages like:

[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a
tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e:
0x7fcc84226070, cache_state: 0x0, refcnt: 1

On the second replica you can see messages like:

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin -
agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer
failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8,
CSN 5540deb8000300030000): Operations error (1). Will retry later.


On the first replica, you had difficulties to retrieve the entry and finally 
had to
remove 'nsuniqueid' from the filter to retrieve this entry

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
...


On the second replica you can the entry:

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8


Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82..
while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...

It differs '2' instead of '7'. So this is not the same entry (from replication 
point
of view).

The error reported in the first replica was about Turning a tombstone into a
tombstone! "nsuniqueid=7e1a1f87...


The error reported in the second replica was also about
Consumer failed to replay change (uniqueid 7e1a1f87...


So I think the entry you dumped on the first replica is not (should not be) the
one we are looking for.
It appears that f82 is the user object and f87 is the group object.  So you are 
right, I don't think f82 is what we were looking for, it just happened to have 
the username in it when I grepped without filtering the uniqueid.  I'm not sure 
why it was having problems with the user group object, but I don't have 
individual group objects showing up for any local accounts I've created.
You are right. I think the private group of a user is/should be deleted at the same time when you delete a user.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box 
yesterday and the error has not shown since.  So I'm not sure if it was because 
of the minor upgrade or cycling the daemon.
The logs gave a lot of information but without a test case it could be difficult to identify the RC. Now as I mentioned I hit (with a non systematic test case) an other bug when deleting a user. It was impossible to remove the entry/group. In this bug I tested on standalone instance but on replicated topology I wonder if it could have the same symptom.


Is there any way to find the root cause of this?  And is it normal that 
individual group objects are not created for users?  I thought I remembered 
reading somewhere that they were derived and not static entries?   The few 
accounts I have on there were created in the web interface, most of my users 
are all trust users.

Although it could be two entries having the same DN but that was deleted,
added and then deleted again.

The difficulty is to retrieve it (on the first replica) as we cannot specify its
'nsuniqueid' to retrieve it.
May be you can retrieve it with its
(&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-
005056a92af3))


thanks
thierry




        dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: modifyTimestamp;adcsn-
5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
        nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-
5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-
5540be0c000200040000: TRUE
        nscpentrywsi: krbLastSuccessfulAuth;adcsn-
5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
        nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-
5537c2f5000400030000:
cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: memberOf;vucsn-5537c2f5000400030000:
ipaUniqueID=3897c894-e764-11e4-b05b-
005056a92af3,cn=hbac,dc=mhbenp,dc=lin
        nscpentrywsi: ipaNTSecurityIdentifier;adcsn-
5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-
587846975-4124201916-1003
        nscpentrywsi: passwordGraceUserTime;adcsn-
55369200000400040000;vucsn-55369200000400040000: 0
        nscpentrywsi: krbPasswordExpiration;adcsn-
55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
        nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-
55369200000200040004:
{SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+
KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
        nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-
55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
        nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040002;vucsn-
55369200000200040002::
MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB
AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E
P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh
89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIB
EaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaI
WW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAw
IBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEX
PlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooT
kwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1
FH6/IbmDSvRMUVw8wE=
        nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-
55369200000200040001: 128
        nscpentrywsi: krbLastPwdChange;adcsn-
55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
        nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000:
cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: displayName;vucsn-55364a42000100040000:
UserName
        nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
inetorgperson
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
organizationalperson
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
krbticketpolicyaux
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
krbprincipalaux
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
posixaccount
        nscpentrywsi: objectClass;vucsn-55364a42000100040000:
ipaSshGroupOfPubKeys
        nscpentrywsi: objectClass;vucsn-55364a42000600040000:
mepOriginEntry
        nscpentrywsi: objectClass;vucsn-5537a1b1000300040000:
ipantuserattrs
        nscpentrywsi: objectClass;vucsn-5540deb8000000030000:
nsTombstone
        nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
        nscpentrywsi: initials;vucsn-55364a42000100040000: GF
        nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
        nscpentrywsi: homeDirectory;vucsn-55364a42000100040000:
/home/username
        nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-
55364a42000100040000: username
        nscpentrywsi: mail;vucsn-55364a42000100040000:
usern...@mhbenp.lin <mailto:usern...@mhbenp.lin>
        nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000:
usern...@mhbenp.lin <mailto:usern...@mhbenp.lin>
        nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
        nscpentrywsi: sn;vucsn-55364a42000100040000: Name
        nscpentrywsi: creatorsName;vucsn-55364a42000100040000:
uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: createTimestamp;vucsn-55364a42000100040000:
20150421130152Z
        nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
        nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-
e826-11e4-878a-005056a92af3
        nscpentrywsi: parentid: 3
        nscpentrywsi: entryid: 384
        nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
        nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
        nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-
f0abc1a8
        nscpentrywsi: nstombstonecsn: 5540deb8000000030000
        nscpentrywsi: nscpEntryDN:
uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: entryusn: 52322
        nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-
55369200000500040000;deletedattribute;deleted:


                dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-

        f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-

        f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                ...
                nscpentrywsi: objectClass;vucsn-5540deb8000300030000:
nsTombstone ...
                nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-
f0abc1a8



                On the first replica (where you failed to delete the entry and
where you can
                see the replication errors)
                dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-

        f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
                nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-

        f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
                ...
                nscpentrywsi: objectClass;vucsn-5540deb8000000030000:
nsTombstone ...
                nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-
f0abc1a8


                This is not the same entry. It is like two entries with the same
'uid' were
                created.
                Also note that those two entries were deleted on the same
replica (replica
                ID=3: likely the second replica) almost at the same time.

                The errors is logged on the first replica about "
                nsuniqueid=7e1a1f87-e82611e4-99f1b343-

        f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=co
m".

                So I think the entry you dumped on the first replica, is not the
one we were
                looking at.
                The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8) should
                exists, but was not returned by the search.







--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to