This is RHEL 7.1 with IPA version 4.1.0.

user-show shows the user. However, if the user entry contains an
ipaNTSecurityIdentifier: attribute, user-del hangs with no response.

Meanwhile, the KDC and 389-ds stop working. The only way to recover
functionality is to reboot the machine. ipactl restart does nothing.

In the LDAP access log I see this when trying to delete user sclown:

[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND

Then in the LDAP error log I see this, which makes me think there is a
problem with the changelog:

[14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
[14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
[14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]

After this both the KDC and LDAP stop responding. In the krb5kdc.log I see
server errors after the user-del command is run. The only way to resume
normal operations is to restart the whole machine. ipactl restart doesn't

Any help would be highly appreciated!
Manage your subscription for the Freeipa-users mailing list:
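An added example, not part of the original mail, showing how a defender can correlate the two 389-ds logs quoted above: it finds the operation that never received a RESULT (the hung DEL on conn=326) and extracts the change numbers the retro changelog plugin failed to write. The log lines are constructed from the quoted excerpts (abridged, with wrapped lines rejoined); the regexes assume the standard 389-ds access-log layout shown in the mail.

```python
import re

# Constructed sample: abridged from the access-log excerpt quoted in
# the mail, with the wrapped lines rejoined so each record is one line.
ACCESS_LOG = """\
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno"
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
"""

# Constructed sample from the error-log excerpt quoted in the mail.
ERROR_LOG = """\
[14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
"""

OP_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) (\S+)')
RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(-?\d+)')
# SORT/VLV annotate the search they belong to; UNBIND never gets a RESULT.
NOT_AN_OP = {'RESULT', 'SORT', 'VLV', 'UNBIND'}

def unfinished_ops(access_log):
    """Map (conn, op) -> verb for every operation with no RESULT line.
    A write still pending when the log goes quiet is the hang described."""
    pending = {}
    for line in access_log.splitlines():
        m = RESULT_RE.match(line)
        if m:
            pending.pop((m.group(1), m.group(2)), None)
            continue
        m = OP_RE.match(line)
        if m and m.group(3) not in NOT_AN_OP:
            pending[(m.group(1), m.group(2))] = m.group(3)
    return pending

def retrocl_failures(error_log):
    """Sorted change numbers the retro changelog plugin failed to write."""
    nums = set()
    for line in error_log.splitlines():
        if 'cn=changelog' in line or 'retrocl' in line.lower():
            nums.update(int(n) for n in re.findall(r'change ?number[ =](\d+)', line))
    return sorted(nums)
```

Running both functions over a live log pair gives the stuck operation and the changelog entry to inspect together, instead of reading the two files side by side.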