Bob Hinton wrote:
On 03/08/2016 07:15, Petr Spacek wrote:
On 3.8.2016 00:58, Bob Hinton wrote:

Something went wrong when trying to restore some preserved users so I
deleted them and then tried to recreate them. This failed with -

ipa: ERROR: Unable to create private group. A group 'XXXXX'  already exists.

Trying to delete this group produces -

ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.

Trying to detach it with

ipa group-detach XXXXX


ipa: ERROR: XXXXX: group not found

ipa group-show XXXXX
I would try
$ ipa group-show XXXXX --all --raw

That could show us if there is something interesting, like a replication
conflict or so.

Petr^2 Spacek
Hi Petr,

This produces ...

ipa group-show XXXXX --all --raw
   dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
   cn: XXXXX
   description: User private group for XXXXX
   gidnumber: 799830053
   ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
   mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
   objectClass: posixgroup
   objectClass: ipaobject
   objectClass: mepManagedEntry
   objectClass: top

We do have some replication problems at the moment - two recreated
replicas currently have two RUVs, so could this be how the user
delete completed without the corresponding group?

Not sure. The 389-ds plugin should, by definition, remove the group when a user is deleted. I'd be more inclined to believe that the group was added and the user not in a replication event.

Removing the group requires an ldapmodify:

% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username:
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"

% ipa group-del deleteme
Deleted group "deleteme"

Makes me wonder if the managed entry plugin should allow deletion if the other side of the link doesn't exist. I'll investigate this.
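
Added example (not part of the original thread and not FreeIPA code): a sketch that scans an LDIF export of the accounts subtree for managed-entry groups whose mepManagedBy target no longer exists, and builds the ldapmodify input shown above for each one. The function names and sample entries are constructed; it assumes plain (non-base64) attribute values and compares DNs as lowercased strings.

```python
# Added example: find orphaned managed-entry groups in an LDIF export.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
"""  # constructed sample data

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}; unfolds wrapped lines."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.startswith("#"):          # skip LDIF comments
                name, _, value = line.partition(":")
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def orphaned_managed_entries(entries):
    """(group dn, missing origin dn) pairs whose mepManagedBy target is absent."""
    out = []
    for attrs in entries.values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "mepmanagedentry" in classes:
            for origin in attrs.get("mepmanagedby", []):
                if origin.lower() not in entries:
                    out.append((attrs["dn"][0], origin))
    return out

def detach_ldif(group_dn, origin_dn):
    """ldapmodify input; the '-' line separates the two delete operations."""
    return "\n".join([
        f"dn: {group_dn}", "changetype: modify",
        "delete: objectclass", "objectclass: mepManagedEntry", "-",
        "delete: mepManagedBy", f"mepManagedBy: {origin_dn}", "-", ""])

if __name__ == "__main__":
    for group_dn, origin_dn in orphaned_managed_entries(parse_ldif(SAMPLE_LDIF)):
        print(detach_ldif(group_dn, origin_dn))
```

Review the generated LDIF before feeding it to ldapmodify; on a deployment with replication problems the "missing" user may simply not have arrived on the replica that was exported.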

