On Tue, Jan 17, 2017 at 04:12:51PM +0100, Harald Dunkel wrote:
> On 01/17/17 11:38, Sumit Bose wrote:
> > On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
> >> It seems something got corrupted in my ipa setup. I found this in the
> >> sssd log file on Wheezy:
> >>
> >> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing
> >> source hosts for rule [allow_all]
> >> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error
> >> on [cn=System: Manage Host
> >> Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
> >
> > Looks like there was a replication conflict, please see
> > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
> > how to resolve it.
> >
>
> % ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=de" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict | wc -l
> 26
>
> :-(
>
> I have 4 ipa servers. How can I make sure that no new problem arises
> while I try to clean up this mess? Can I freeze FreeIPA somehow to
> resolve this?
>
> > We already have a ticket for SSSD to ignore those objects, but
> > unfortunately there is currently no patch available for SSSD, so you have
> > to resolve the replication conflict to get it working again.
> >
>
> You mean sssd should ignore the conflict, not telling anybody?
> I am not sure if that's the right way.
SSSD will of course write a log message when a DN is ignored. Since the
default for HBAC is deny and a rule must allow you access, e.g. a missing
group membership will in the worst case cause a denied access because
not all criteria defined by the rule are matched.

bye,
Sumit

>
> Thanx very much for your advice
> Harri
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
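To triage log lines like the ones Harri posted, here is an added Python example (not SSSD or FreeIPA code) that pulls every HBAC "Parse error on [...]" DN out of an sssd log and flags the ones whose leading RDN carries the "+nsuniqueid=" suffix that 389-DS puts on the losing entry of a replication naming conflict, recovering the DN the entry was supposed to have; the sample log lines are constructed from the format in the thread.

```python
import re

# Constructed sample in the sssd log format shown above; the second parse
# error is made up to show that not every parse error is a replication conflict.
SAMPLE_LOG = """\
(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
(Tue Jan 17 10:19:03 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=broken\\,group,cn=groups,cn=accounts,dc=example,dc=de]
"""

PARSE_ERR = re.compile(
    r"\[(?P<func>[A-Za-z0-9_]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): Parse error on \[(?P<dn>.*)\]$"
)
# 389-DS renames the losing entry of a naming conflict to a multi-valued RDN:
#   <original rdn>+nsuniqueid=<uuid>
NSUNIQUEID = re.compile(r"\+nsuniqueid=(?P<id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{8}){3})$")


def first_rdn(dn):
    """Split off the leading RDN at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":      # skip escaped character (e.g. "\,")
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def conflict_info(dn):
    """Return (nsuniqueid, original_dn) for a conflict entry, else None."""
    rdn, rest = first_rdn(dn)
    m = NSUNIQUEID.search(rdn)
    if not m:
        return None
    original = rdn[:m.start()] + ("," + rest if rest else "")
    return m.group("id"), original


def find_parse_errors(log_text):
    """One record per 'Parse error on [...]' line; conflict entries are flagged."""
    records = []
    for line in log_text.splitlines():
        m = PARSE_ERR.search(line)
        if not m:
            continue
        rec = {"func": m.group("func"), "dn": m.group("dn"), "conflict": False}
        info = conflict_info(rec["dn"])
        if info:
            rec["conflict"] = True
            rec["nsuniqueid"], rec["original_dn"] = info
        records.append(rec)
    return records
```

Each flagged record names the nsuniqueid to look up and the original DN to compare it against, which is the pair the Red Hat conflict-resolution procedure linked above starts from.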