Something went wrong when trying to restore some preserved users so I
deleted them and then tried to recreate them. This failed with -

ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.

Trying to delete this group produces -

ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.

Trying to detach it with

ipa group-detach XXXXX

ipa: ERROR: XXXXX: group not found

ipa group-show XXXXX
I would try
$ ipa group-show XXXXX --all --raw

That could show us if there is something interesting, like a replication conflict or similar.

This produces ...

ipa group-show XXXXX --all --raw
   dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
   cn: XXXXX
   description: User private group for XXXXX
   gidnumber: 799830053
   ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
   mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
   objectClass: posixgroup
   objectClass: ipaobject
   objectClass: mepManagedEntry
   objectClass: top

We do have some replication problems at the moment - two recreated
replicas currently have two RUVs - so could this be how the user
delete completed without the corresponding group?

Not sure. The 389-ds plugin should, by definition, remove the group when a user is deleted. I'd be more inclined to believe that the group was added and the user not in a replication event.

Removing the group requires an ldapmodify:

% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username:
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
-

modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"

% ipa group-del deleteme
Deleted group "deleteme"

Makes me wonder if the managed entry plugin should allow deletion if the other side of the link doesn't exist. I'll investigate this.
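The procedure above (confirm the private group's mepManagedBy link points at a user that no longer exists, strip the mepManagedEntry objectclass and the link with ldapmodify, then ipa group-del) can be scripted so the check happens before anything is modified. The script below is an added example and is not code from the thread or from the FreeIPA project. It assumes python3, that `ipa group-show NAME --all --raw` produces the attribute lines shown earlier in the thread, that `ipa user-show` exits non-zero for a missing user, and uses the placeholder base DN dc=example,dc=com; the sample output embedded in it is constructed from the thread's quoted group-show output.

```python
#!/usr/bin/env python3
"""Detect an orphaned FreeIPA user private group and emit the LDIF that detaches it.

Assumed workflow (example only, not from the original thread):
    ipa group-show XXXXX --all --raw | ./orphan_upg.py > detach.ldif
    ldapmodify -Y GSSAPI -f detach.ldif && ipa group-del XXXXX
"""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Constructed sample: the group-show output quoted in the thread, with an
# assumed placeholder base DN.
SAMPLE_RAW = """\
  dn: cn=XXXXX,cn=groups,cn=accounts,dc=example,dc=com
  cn: XXXXX
  description: User private group for XXXXX
  gidnumber: 799830053
  mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=example,dc=com
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
"""


def parse_raw_show(text: str) -> Dict[str, List[str]]:
    """Parse `ipa ... --raw` output into attribute -> values (names lower-cased)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


_UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def managed_uid(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Return the uid named in mepManagedBy, or None if the group is not a managed entry."""
    links = attrs.get("mepmanagedby", [])
    if not links:
        return None
    match = _UID_RE.match(links[0])
    return match.group(1) if match else None


def ipa_user_exists(uid: str) -> bool:
    """Ask the IPA server whether the user exists (needs a Kerberos ticket)."""
    result = subprocess.run(["ipa", "user-show", uid],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def is_orphaned(attrs: Dict[str, List[str]],
                user_exists: Callable[[str], bool] = ipa_user_exists) -> bool:
    """True only when the group carries a mepManagedBy link whose user is gone.
    The lookup is injectable so the check can be exercised without a server."""
    uid = managed_uid(attrs)
    if uid is None:
        return False
    return not user_exists(uid)


def detach_ldif(attrs: Dict[str, List[str]]) -> str:
    """Build the ldapmodify input used in the thread: drop the managed-entry
    objectclass and the link. The '-' lines separate the two modifications."""
    dn = attrs["dn"][0]
    managed_by = attrs["mepmanagedby"][0]
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: objectclass",
        "objectclass: mepManagedEntry",
        "-",
        "delete: mepManagedBy",
        f"mepManagedBy: {managed_by}",
        "-",
        "",
    ])


def main() -> int:
    attrs = parse_raw_show(sys.stdin.read())
    if "dn" not in attrs:
        print("no entry found in input", file=sys.stderr)
        return 2
    if not is_orphaned(attrs):
        print("not a managed entry, or its user still exists; refusing to detach",
              file=sys.stderr)
        return 1
    sys.stdout.write(detach_ldif(attrs))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script only prints LDIF; applying it and running `ipa group-del` stay separate steps, so a group whose user still exists is never detached by accident, and the LDIF can be reviewed before ldapmodify consumes it.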


