Hi Ludwig, On 01/17/17 17:01, Ludwig Krispenz wrote: > > On 01/17/2017 04:48 PM, Harald Dunkel wrote: >> On 01/17/17 16:12, Harald Dunkel wrote: >>> On 01/17/17 11:38, Sumit Bose wrote: >>>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote: >>>>> It seems something got corrupted in my ipa setup. I found this in the >>>>> sssd log file on Wheezy: >>>>> >>>>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): >>>>> Processing source hosts for rule [allow_all] >>>>> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error >>>>> on [cn=System: Manage Host >>>>> Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de] >>>> Looks like there was a replication conflict, please see >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html >>>> how to resolve it. >>>> >>> % ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=de" >>> "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict | wc -l >>> 26 >>> >> PS: >> >> nsds5ReplConflict: namingConflict >> cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de >> nsds5ReplConflict: namingConflict >> cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=dns >> administrators,cn=privileges,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=dns >> servers,cn=privileges,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=example,dc=de >> nsds5ReplConflict: namingConflict >> cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: add >> ca,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: delete >> ca,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: modify >> ca,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: read >> cas,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: modify dns servers >> configuration,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=system: read dns servers >> configuration,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Manage Host >> Principals,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Add IPA >> Locations,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Modify IPA >> Locations,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Read IPA >> Locations,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Remove IPA >> Locations,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Read Locations of IPA >> Servers,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Read Status of Services on IPA >> Servers,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Manage Service >> Principals,cn=permissions,cn=pbac,dc=example,dc=de >> nsds5ReplConflict: namingConflict cn=System: Manage User >> Principals,cn=permissions,cn=pbac,dc=example,dc=de >> >> This looks like a problem of ipa-server-install. These entries were created >> in the very first seconds. > Conflict entries are created if an entry is added on different servers at the > "same time", where same time means it is created on instance x before the add > of the entry on instance y was replicated to x. This can happen if you run > things in parallel, eg upgrades. >
You mean Freeipa has a race condition? I use tools like clusterssh to install or upgrade several hosts in parallel (n <= 49 due to available screen and font size). The "same time" is built in. Of course I understand that Freeipa is a special case, because it is network application, but it should be able to handle n = 2. > There is no simple way to get rid of them, you need to delete them one by > one, so do: > ldapmodify ....... > dn: cn=System: Manage Host > Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de > changetype: delete > > for all of your conflict entries I am surely no specialist for ldap, so hopefully its allowed to ask a question: This is a tree-like structure. If I delete a conflicting node, what happens to the leafs? Is there any indication that these leafs contain information that is not needed anymore? Isn't it possible that server b created a huge tree with tons of subnodes and leafs before the conflict is detected? Every helpful comment is highly appreciated Harri -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project