On 01/18/2017 02:57 PM, Harald Dunkel wrote:
On 01/17/17 11:38, Sumit Bose wrote:
On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
It seems something got corrupted in my ipa setup. I found this in the
sssd log file on Wheezy:
(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
Looks like there was a replication conflict, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
how to resolve it.
This is *way* too hot for me.
I think the procedure in the link about renaming is only needed if you
want to keep both entries with a "normal" dn. But you want to get rid of
the conflict entries. Since you have to clean up each of them
individually, I would suggest starting with one of them.
First get both the conflict entry and the normal entry and compare them:
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de" -s base
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" -s base
They should be identical.
Next check if the conflict entry has child entries:
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" dn
If there are no entries below the conflict entry you can remove it:
ldapmodify -D "cn=directory manager" ......
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
changetype: delete
How can I try this in a sandbox?
You can try to reproduce this state on two other machines.
And if you have an established backup and restore process, do a backup
before doing the cleanup.
Every helpful comment is highly appreciated.
Harri
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric
Shander
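
Added example, not part of the original thread and not FreeIPA or 389 DS code: a small Python check that takes the saved output of the three ldapsearch commands above and applies the same tests before the delete (the DN is a conflict DN, both entries are identical, nothing sits below the conflict entry). The function names and the sample attribute values are assumptions made for illustration.

```python
def parse_ldif(text):
    """Parse ldapsearch LDIF output into [(dn, {attr: set(values)})]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: rejoin wrapped DNs
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")   # base64 ("attr::") values stay encoded
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), set()).add(value.strip())
    return entries

def is_conflict_dn(dn):
    """True when the leading RDN carries the +nsuniqueid= marker from the sssd log."""
    return "+nsuniqueid=" in dn.split(",", 1)[0].lower()

def diff_entries(normal, conflict):
    """Attributes whose value sets differ between the two entries (DN ignored)."""
    a, b = normal[1], conflict[1]
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

def children_of(subtree, base_dn):
    """DNs from the subtree search that sit below base_dn."""
    return [dn for dn, _ in subtree if dn.lower().endswith("," + base_dn.lower())]

def safe_to_delete(normal_ldif, conflict_ldif, subtree_ldif):
    """Apply the three checks: conflict DN, identical attributes, no children."""
    normal, conflict = parse_ldif(normal_ldif)[0], parse_ldif(conflict_ldif)[0]
    if is_conflict_dn(normal[0]) or not is_conflict_dn(conflict[0]):
        return False
    return not diff_entries(normal, conflict) and not children_of(parse_ldif(subtree_ldif), conflict[0])

# Constructed sample output; the attribute values are illustrative, not from the thread.
SUFFIX = "cn=permissions,cn=pbac,dc=example,dc=de"
NORMAL_DN = "cn=System: Manage Host Principals," + SUFFIX
CONFLICT_DN = NORMAL_DN.replace(",", "+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,", 1)
BODY = "objectClass: top\nobjectClass: groupofnames\ncn: System: Manage Host Principals\n"
NORMAL, CONFLICT = f"dn: {NORMAL_DN}\n{BODY}", f"dn: {CONFLICT_DN}\n{BODY}"
SUBTREE = f"dn: {CONFLICT_DN}\n"   # subtree search returned only the base entry
```

If `safe_to_delete` returns False, `diff_entries` and `children_of` show which attribute or child entry blocked the cleanup.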