Re: [Freeipa-users] deleting ipa user

2015-05-04 Thread Tomas Babej



On 04/30/2015 02:31 PM, Andy Thompson wrote:

It appears that f82 is the user object and f87 is the group object.  So you are
right, I don't think f82 is what we were looking for, it just happened to have
the username in it when I grepped without filtering the uniqueid.  I'm not
sure why it was having problems with the user group object, but I don't have
individual group objects showing up for any local accounts I've created.

You are right. I think the private group of a user is/should be deleted at the
same time when you delete a user.

Is it normal that private groups do not show up in the user group listing or 
with ipa group-find commands?  I thought I remembered seeing them on a freeipa 
3 installation but I've checked a couple 4 installs and they don't show up.


User private groups should not show up in the results of ipa group-* 
commands. I'm not sure what you meant by user group listing,
but they should show up when running the id command.



I just had a random issue a little bit ago with another account when I checked 
the user groups in the web interface it popped with an unknown error dialog.  I 
have not been able to reproduce it again and don't see anything in the error 
logs or access log which would indicate any problems.


All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box
yesterday and the error has not shown since.  So I'm not sure if it was
because of the minor upgrade or cycling the daemon.

The logs gave a lot of information but without a test case it could be difficult
to identify the RC.
Now as I mentioned I hit (with a non systematic test case) another bug when
deleting a user. It was impossible to remove the entry/group. In this bug I
tested on standalone instance but on replicated topology I wonder if it could
have the same symptom.


I've not been able to reproduce the issue in my sandbox environment so I'm not 
sure.  It is also replicated.

-andy



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread thierry bordaz

On 04/29/2015 07:15 PM, Andy Thompson wrote:



-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 1:07 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 06:45 PM, Andy Thompson wrote:


-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 05:58 PM, Andy Thompson wrote:


dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass:
tombstone is :

objectClass;vucsn-5540deb800030003: nsTombstone

, which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected.

Now we need to find it on the other server

Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread Andy Thompson
 You got a first replica where you failed to delete the entry.
 You got a second replica where you succeeded to delete the entry.
 
 On first replica you can see messages like:
 
 [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
 
 On the second replica you can see messages like:
 
 [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt=cn=meTomdhixnpipa01.domain.com (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.
 
 
 On the first replica, you had difficulties to retrieve the entry and finally had to
 remove 'nsuniqueid' from the filter to retrieve this entry
 
 dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
 ...
 nscpentrywsi: objectClass;vucsn-5540deb80003: nsTombstone ...
 nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
 ...
 
 
 On the second replica you can see the entry:
 
 dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
 ...
 nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone ...
 nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
 
 
 Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82..
 while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
 
 It differs '2' instead of '7'. So this is not the same entry (from replication point
 of view).
 
 The error reported in the first replica was about Turning a tombstone into a
 tombstone! nsuniqueid=7e1a1f87...
 
 
 The error reported in the second replica was also about
 Consumer failed to replay change (uniqueid 7e1a1f87...
 
 
 So I think the entry you dumped on the first replica is not (should not be) the
 one we are looking for.

It appears that f82 is the user object and f87 is the group object.  So you are 
right, I don't think f82 is what we were looking for, it just happened to have 
the username in it when I grepped without filtering the uniqueid.  I'm not sure 
why it was having problems with the user group object, but I don't have 
individual group objects showing up for any local accounts I've created.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box 
yesterday and the error has not shown since.  So I'm not sure if it was because 
of the minor upgrade or cycling the daemon.

Is there any way to find the root cause of this?  And is it normal that 
individual group objects are not created for users?  I thought I remembered 
reading somewhere that they were derived and not static entries?   The few 
accounts I have on there were created in the web interface, most of my users 
are all trust users.

 Although it could be two entries having the same DN but that was deleted,
 added and then deleted again.
 
 The difficulty is to retrieve it (on the first replica) as we cannot specify its
 'nsuniqueid' to retrieve it.
 Maybe you can retrieve it with its
 (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
 
 
 thanks
 thierry
 
 
 
 
 dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
 nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: nsAccountLock;adcsn-5540be0c00020004;vucsn-5540be0c00020004: TRUE
 nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b20003;vucsn-5537c9b20003: 20150422161526Z
 nscpentrywsi: memberOf;adcsn-5537c2f500040003;vucsn-5537c2f500040003: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
 nscpentrywsi: memberOf;vucsn-5537c2f500040003: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
 nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
 nscpentrywsi: passwordGraceUserTime;adcsn-553692040004;vucsn-553692040004: 0
 nscpentrywsi: krbPasswordExpiration;adcsn-5536920200040005;vucsn-5536920200040005: 20150720180532Z
 nscpentrywsi: userPassword;adcsn-5536920200040004;vucsn-5536920200040004:
 

Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread thierry bordaz

On 04/30/2015 12:41 PM, Andy Thompson wrote:

You got a first replica where you failed to delete the entry.
You got a second replica where you succeeded to delete the entry.

On first replica you can see messages like:

[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1

On the second replica you can see messages like:

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt=cn=meTomdhixnpipa01.domain.com (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.


On the first replica, you had difficulties to retrieve the entry and finally had to
remove 'nsuniqueid' from the filter to retrieve this entry

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb80003: nsTombstone ...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
...


On the second replica you can see the entry:

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone ...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8


Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82..
while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...

It differs '2' instead of '7'. So this is not the same entry (from replication point
of view).

The error reported in the first replica was about Turning a tombstone into a
tombstone! nsuniqueid=7e1a1f87...


The error reported in the second replica was also about
Consumer failed to replay change (uniqueid 7e1a1f87...


So I think the entry you dumped on the first replica is not (should not be) the
one we are looking for.

It appears that f82 is the user object and f87 is the group object.  So you are 
right, I don't think f82 is what we were looking for, it just happened to have 
the username in it when I grepped without filtering the uniqueid.  I'm not sure 
why it was having problems with the user group object, but I don't have 
individual group objects showing up for any local accounts I've created.

You are right. I think the private group of a user is/should be deleted 
at the same time when you delete a user.


All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box 
yesterday and the error has not shown since.  So I'm not sure if it was because 
of the minor upgrade or cycling the daemon.

The logs gave a lot of information but without a test case it could be 
difficult to identify the RC.
Now as I mentioned I hit (with a non systematic test case) another bug 
when deleting a user. It was impossible to remove the entry/group. In 
this bug I tested on standalone instance but on replicated topology I 
wonder if it could have the same symptom.




Is there any way to find the root cause of this?  And is it normal that 
individual group objects are not created for users?  I thought I remembered 
reading somewhere that they were derived and not static entries?   The few 
accounts I have on there were created in the web interface, most of my users 
are all trust users.


Although it could be two entries having the same DN but that was deleted,
added and then deleted again.

The difficulty is to retrieve it (on the first replica) as we cannot specify its
'nsuniqueid' to retrieve it.
Maybe you can retrieve it with its
(&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))


thanks
thierry




dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c00020004;vucsn-5540be0c00020004: TRUE
nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b20003;vucsn-5537c9b20003: 20150422161526Z
nscpentrywsi: memberOf;adcsn-5537c2f500040003;vucsn-5537c2f500040003: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f500040003: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
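
The comparison made in the message above (the nsuniqueid named in the error log against the nsuniqueid and tombstone CSN of the dumped entry) can be scripted. This is an added example, not part of the original message and not 389-ds code; the function names are hypothetical, the two log lines are the ones quoted in the thread, and the dumps are abridged from the thread with constructed line folding.

```python
import re

UID = r"[0-9a-f]{8}(?:-[0-9a-f]{8}){3}"  # nsuniqueid layout as it appears in the thread
TOMBSTONE_RE = re.compile(r"Turning a tombstone into a tombstone! nsuniqueid=(" + UID + ")")
REPLAY_RE = re.compile(r"Consumer failed to replay change \(uniqueid (" + UID + r"), CSN ([0-9a-f]+)\)")

# Error-log lines quoted in the thread (first replica, then second replica).
ERROR_LOG = """\
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt=cn=meTomdhixnpipa01.domain.com (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.
"""

# Abridged nscpentrywsi dumps modelled on the thread; the folded dn lines are constructed.
REPLICA1_DUMP = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,
 cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb80003: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
"""
REPLICA2_DUMP = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,
 cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
"""


def parse_error_log(text):
    """Map each nsuniqueid named in the two error types to the CSNs logged for it."""
    seen = {}
    for line in text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = TOMBSTONE_RE.search(line)
        if m:
            seen.setdefault(m.group(1), set())  # this message carries no CSN
    return seen


def unfold(text):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out and out[-1]:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_wsi_dump(text):
    """Extract dn, nsuniqueid and tombstone CSN from each entry of an nscpentrywsi dump."""
    entries, cur = [], None
    for line in unfold(text) + [""]:
        if not line.strip():          # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = None
        elif line.startswith("dn: "):
            cur = {"dn": line[4:], "nsuniqueid": None, "tombstone_csn": None}
        elif cur is not None and line.startswith("nscpentrywsi: "):
            name, sep, value = line[len("nscpentrywsi: "):].partition(": ")
            if not sep:
                continue
            attr, *opts = name.lower().split(";")
            value = value.strip()
            if attr == "nsuniqueid":
                cur["nsuniqueid"] = value.lower()
            elif attr == "nstombstonecsn":
                cur["tombstone_csn"] = value
            elif attr == "objectclass" and value.lower() == "nstombstone":
                for opt in opts:      # the vucsn- option records when the value was added
                    if opt.startswith("vucsn-") and cur["tombstone_csn"] is None:
                        cur["tombstone_csn"] = opt[len("vucsn-"):]
    return entries


def correlate(log_text, dump_text):
    """Return ([(nsuniqueid, verdict)], [logged nsuniqueids absent from the dump])."""
    logged = parse_error_log(log_text)
    results, dumped = [], set()
    for entry in parse_wsi_dump(dump_text):
        uid = entry["nsuniqueid"]
        dumped.add(uid)
        if uid not in logged:
            verdict = "not-in-log"            # a different entry, as with 7e1a1f82
        elif not logged[uid]:
            verdict = "uniqueid-only"         # no CSN was logged to compare against
        elif entry["tombstone_csn"] in logged[uid]:
            verdict = "uniqueid-and-csn"      # the entry the errors refer to
        else:
            verdict = "csn-differs"
        results.append((uid, verdict))
    return results, sorted(set(logged) - dumped)


if __name__ == "__main__":
    for name, dump in (("replica 1", REPLICA1_DUMP), ("replica 2", REPLICA2_DUMP)):
        print(name, correlate(ERROR_LOG, dump))
```
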

Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread Andy Thompson
 It appears that f82 is the user object and f87 is the group object.  So you are
 right, I don't think f82 is what we were looking for, it just happened to have
 the username in it when I grepped without filtering the uniqueid.  I'm not
 sure why it was having problems with the user group object, but I don't have
 individual group objects showing up for any local accounts I've created.
 
 You are right. I think the private group of a user is/should be deleted at the
 same time when you delete a user.
 

Is it normal that private groups do not show up in the user group listing or 
with ipa group-find commands?  I thought I remembered seeing them on a freeipa 
3 installation but I've checked a couple 4 installs and they don't show up.

I just had a random issue a little bit ago with another account when I checked 
the user groups in the web interface it popped with an unknown error dialog.  I 
have not been able to reproduce it again and don't see anything in the error 
logs or access log which would indicate any problems.

 All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box
 yesterday and the error has not shown since.  So I'm not sure if it was
 because of the minor upgrade or cycling the daemon.
 
 The logs gave a lot of information but without a test case it could be difficult
 to identify the RC.
 Now as I mentioned I hit (with a non systematic test case) another bug when
 deleting a user. It was impossible to remove the entry/group. In this bug I
 tested on standalone instance but on replicated topology I wonder if it could
 have the same symptom.
 

I've not been able to reproduce the issue in my sandbox environment so I'm not 
sure.  It is also replicated.

-andy



[Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
I'm trying to delete an IPA account and I get a generic operations error when 
trying to remove it.  It looks like something is messed up with the group 
object.  The user doesn't show up in the ipausers group and there also isn't a 
group object for the user in question.  Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

Thanks

-andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Martin Kosek
On 04/29/2015 01:26 PM, Andy Thompson wrote:
 I'm trying to delete an IPA account and I get a generic operations error 
 when trying to remove it.  It looks like something is messed up with the 
 group object.  The user doesn't show up in the ipausers group and there also 
 isn't a group object for the user in question.  Here is the error from the 
 attempt.
 
 [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
 [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
 [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
 [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that
Thierry and Ludwig know what to look at.

Thanks,
Martin



Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: Martin Kosek [mailto:mko...@redhat.com]
 Sent: Wednesday, April 29, 2015 8:31 AM
 To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry
 Bordaz
 Subject: Re: [Freeipa-users] deleting ipa user
 
 On 04/29/2015 01:26 PM, Andy Thompson wrote:
  I'm trying to delete an IPA account and I get a generic operations error
 when trying to remove it.  It looks like something is messed up with the
 group object.  The user doesn't show up in the ipausers group and there also
 isn't a group object for the user in question.  Here is the error from the
 attempt.
 
  [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
  [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
  [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
  [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
  [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
  [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
 
 This is the first time I see this error. CCing Ludwig or Thierry to advise.
 
 Andy, please also include FreeIPA and 389-ds-base packages versions so that
 Thierry and Ludwig know what to look at.
 

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy





Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz

On 04/29/2015 05:58 PM, Andy Thompson wrote:

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass:
tombstone is :

objectClass;vucsn-5540deb800030003: nsTombstone

, which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected.

Now we need to find it on the other server. If the search for the  filter with
nstombstone does return nothing, could you try

If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to 
the filter it returns nothing on the primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 124903
gidNumber: 124903
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8


In fact, nsuniqueid does not appear in this entry. It is a distinguished 
RDN but is missing. Did you run the command with 'nscpentrywsi' 
requested attribute? Maybe nsuniqueid was hidden for that reason but I 
would be surprised.


nsuniqueid is a key element of replication. I wonder how replication can 
find the entry itself. nsuniqueid could be in the index but then the 
entry is corrupted.





Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz

On 04/29/2015 06:45 PM, Andy Thompson wrote:

-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 05:58 PM, Andy Thompson wrote:


dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass:
tombstone is :

objectClass;vucsn-5540deb800030003: nsTombstone

, which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected.

Now we need to find it on the other server. If the search for the  filter with
nstombstone does return nothing, could you try


If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter
it returns nothing on the primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 This is looking like that on the replica where the errors are logged.
 The entry is a tombstone but cannot be found with the nsuniqueid.
 If on that server you do
 
 ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"
 
 

This one returns nothing on either server.



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 11:28 AM
 To: Andy Thompson
 Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 
 On 04/29/2015 05:08 PM, Andy Thompson wrote:
 
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:59 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
 
  On 04/29/2015 04:49 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:51 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
  did you run the searches as directory manager ?
 
  Yep sure did
  that's weird, as directory manager you should be able to see the
  nscpentrywsi attribute, could you paste your full search request ?
  This returns the object
 
  ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
 
  This returns nothing
 
  ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
 and if you omit the grep ? still puzzled.

Ah if I omit the grep on the second server I get

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

 what is logged in the access log for these two searches?
 
 
 
  On 04/29/2015 04:34 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:28 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
  can you do the following search on both servers ?
 
   ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
  The server that I initially attempted the deletion on returns nothing.
  The second server (the one currently throwing the consumer failed
  replay error)  returns this if I remove the nscpentrywsi attribute
  filter.  If I leave the attribute filter I don't get anything
 
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
  objectClass: nsTombstone
 
  -andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz


On 04/29/2015 05:35 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 11:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 05:08 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 04:49 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

did you run the searches as directory manager ?


Yep sure did

that's weird, as directory manager you should be able to see the
nscpentrywsi attribute, could you paste your full search request ?

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

and if you omit the grep ? still puzzled.

Ah if I omit the grep on the second server I get

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass:
tombstone is :

objectClass;vucsn-5540deb800030003: nsTombstone

, which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
so the state of the entry is as expected.

Now we need to find it on the other server. If the search for the filter with
nstombstone does return nothing, could you try
-  a plain search (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) (also with
nscpentrywsi)
or if this doesn't return anything:
- (objectclass=nstombstone) and grep for your username





what is logged in the access log for these two searches?



On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

  ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing.
The second server (the one currently throwing the consumer failed
replay error)  returns this if I remove the nscpentrywsi attribute
filter.  If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone
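
Added example, not part of the thread or of 389-ds: a small Python check that does the comparison made in the message above, matching the uniqueid and CSN from a "Consumer failed to replay change" line against the nscpentrywsi state of an entry on one server. The function names and verdict labels are assumptions of this example; the sample data is abridged from the thread, plus one constructed live entry.

```python
import re
from datetime import datetime, timezone

# Abridged from the thread and unwrapped; nothing is read from a live server.
ENTRY_WSI = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: username
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
"""
ERROR_LINE = ("Consumer failed to replay change (uniqueid "
              "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): "
              "Operations error (1)")

# Constructed counter-example: the same entry on a server where it was never
# deleted, with one folded LDIF line to exercise unfold().
LIVE_ENTRY_WSI = """\
dn: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-
 f0abc1a8
"""

REPLAY_RE = re.compile(
    r"Consumer failed to replay change \(uniqueid\s+([0-9a-fA-F-]+),"
    r"\s*CSN\s+([0-9a-fA-F]+)\)")
# nscpentrywsi: <attr>[;<kind>-<csn>]...: <value>
WSI_RE = re.compile(r"^nscpentrywsi:\s*([^;:\s]+)((?:;[^;:\s]+)*):\s*(.*)$")


def unfold(ldif):
    """Join RFC 2849 folded lines (a continuation starts with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_state(ldif):
    """Return [(attr, {"vucsn": csn, ...}, value)] for each nscpentrywsi line."""
    state = []
    for line in unfold(ldif):
        m = WSI_RE.match(line)
        if not m:
            continue
        csns = {}
        for opt in filter(None, m.group(2).split(";")):
            kind, _, csn = opt.partition("-")
            csns[kind.lower()] = csn.lower()
        state.append((m.group(1).lower(), csns, m.group(3).strip()))
    return state


def csn_time(csn):
    """Decode the leading 8 hex digits of a CSN, which hold a Unix timestamp."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def classify(error_line, entry_ldif):
    """Relate a failed-replay log line to the entry state seen on one server."""
    m = REPLAY_RE.search(error_line)
    if not m:
        raise ValueError("not a 'Consumer failed to replay change' line")
    uniqueid, csn = m.group(1).lower(), m.group(2).lower()
    state = parse_state(entry_ldif)
    entry_id = next((v.lower() for a, _, v in state if a == "nsuniqueid"), None)
    if entry_id != uniqueid:
        return "different-entry"
    # CSN of the value update that added objectClass: nsTombstone
    tomb = [c.get("vucsn") for a, c, v in state
            if a == "objectclass" and v.lower() == "nstombstone"]
    if not tomb:
        return "live-entry"
    return "tombstoned-by-this-csn" if csn in tomb else "tombstoned-by-other-csn"


if __name__ == "__main__":
    print(classify(ERROR_LINE, ENTRY_WSI),
          csn_time("5540deb800030003").isoformat())
    print(classify(ERROR_LINE, LIVE_ENTRY_WSI))
```

Run the same check against the ldapsearch output from each replica to see on which side the entry is already a tombstone.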

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
  dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
  nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
  nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
  nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
  nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
  nscpentrywsi: objectClass;vucsn-55364a4200050004: top
  nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
  nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
  nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
  nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
  nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
  nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
  nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
  nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
  nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
  nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
  nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
  nscpentrywsi: parentid: 4
  nscpentrywsi: entryid: 385
  nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
  nscpentrywsi: nstombstonecsn: 5540deb800030003
  nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
  nscpentrywsi: entryusn: 52327
 
  thought I tried that before, apparently not.
 ok, so we have the entry on one server, the csn of the objectclass:
 tombstone is :
 
 objectClass;vucsn-5540deb800030003: nsTombstone
 
 , which matches the csn in the error log:
 
 Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
 so the state of the entry is as expected.
 
 Now we need to find it on the other server. If the search for the filter with
 nstombstone does return nothing, could you try

If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D
"cn=directory manager" -W -b dc=mhbenp,dc=lin "(&(objectclass=nstombstone))"
I get below.  If I add nsuniqueid to the filter it returns nothing on the
primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 124903
gidNumber: 124903
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8





Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz


On 04/29/2015 05:08 PM, Andy Thompson wrote:



-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 04:49 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

did you run the searches as directory manager ?


Yep sure did

that's weird, as directory manager you should be able to see the
nscpentrywsi attribute, could you paste your full search request ?

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

and if you omit the grep ? still puzzled.
what is logged in the access log for these two searches?






On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

 ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing.
The second server (the one currently throwing the consumer failed
replay error)  returns this if I remove the nscpentrywsi attribute
filter.  If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson


 -Original Message-
 From: thierry bordaz [mailto:tbor...@redhat.com]
 Sent: Wednesday, April 29, 2015 1:07 PM
 To: Andy Thompson
 Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 On 04/29/2015 06:45 PM, Andy Thompson wrote:
 
 
   -Original Message-
   From: thierry bordaz [mailto:tbor...@redhat.com]
   Sent: Wednesday, April 29, 2015 12:28 PM
   To: Andy Thompson
   Cc: Ludwig Krispenz; Martin Kosek; freeipa-
 us...@redhat.com mailto:freeipa-users@redhat.com
   Subject: Re: [Freeipa-users] deleting ipa user
 
   On 04/29/2015 05:58 PM, Andy Thompson wrote:
 
 
   dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
   nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
   nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
   nscpentrywsi: objectClass;vucsn-55364a4200050004: top
   nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
   nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
   nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
   nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
   nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
   nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
   nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
   nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
   nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
   nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
   nscpentrywsi: parentid: 4
   nscpentrywsi: entryid: 385
   nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
   nscpentrywsi: nstombstonecsn: 5540deb800030003
   nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: entryusn: 52327
 
   thought I tried that before, apparently not.
 
   ok, so we have the entry on one server, the csn of the objectclass:
   tombstone is :
 
   objectClass;vucsn-5540deb800030003: nsTombstone
 
   , which matches the csn in the error log:
 
   Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
   so the state of the entry is as expected.
 
   Now we need to find it on the other server. If the search for the  filter

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz

On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry
Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic operations error
when trying to remove it.  It looks like something is messed up with the
group object.  The user doesn't show up in the ipausers group and there also
isn't a group object for the user in question.  Here is the error from the
attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that
Thierry and Ludwig know what to look at.


Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy



Hello,

I wonder if it is not a similar issue I hit
https://fedorahosted.org/389/ticket/48165. What differs is
'_update_all_per_mod' logs but could be a consequence of the same bug.

I have a non systematic test case for 48165.
Is it happening systematically in your case ?

thanks
thierry

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 9:22 AM
 To: thierry bordaz
 Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 
 On 04/29/2015 03:14 PM, thierry bordaz wrote:
 
 
   On 04/29/2015 02:43 PM, Andy Thompson wrote:
 
 
   -Original Message-
   From: Martin Kosek [mailto:mko...@redhat.com]
   Sent: Wednesday, April 29, 2015 8:31 AM
   To: Andy Thompson; freeipa-users@redhat.com
 mailto:freeipa-users@redhat.com ; Ludwig Krispenz; Thierry
   Bordaz
   Subject: Re: [Freeipa-users] deleting ipa user
 
   On 04/29/2015 01:26 PM, Andy Thompson wrote:
 
   I'm trying to delete an IPA account and I get a generic operations error
   when trying to remove it.  It looks like something is messed up with the
   group object.  The user doesn't show up in the ipausers group and there also
   isn't a group object for the user in question.  Here is the error from the
   attempt.
 
   [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
   [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
   [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
   [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
   [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
   [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
 
   This is the first time I see this error. CCing Ludwig or
 Thierry to advise.
 
   Andy, please also include FreeIPA and 389-ds-base
 packages versions so that
   Thierry and Ludwig know what to look at.
 
 
   Here you go
 
   ipa-server-4.1.0-18.el7_1.3.x86_64
   389-ds-base-1.3.3.1-15.el7_1.x86_64
 
   Thanks much
 
   -andy
 
 
 
   Hello,
 
   I wonder if it is not a similar issue I hit
 https://fedorahosted.org/389/ticket/48165. What differs is
 '_update_all_per_mod' logs but could be a consequence of the same bug.
 
 
 I think what differs is that in the ticket there is an attempt to delete an
 existing entry, but in the log snippet provided it attempts to delete a tombstone
 entry (an entry which was already deleted).
 So the errors logged by DS seem to be ok, but why does IPA want to delete
 an already deleted user ? but maybe only the mep plugin finds a tombstone
 and tries to delete it.
 
 What was the command executed, is the result the same if repeated ?
 
 

I attempted using the web interface initially and then tried using ipa user-del 
username to see if it gave any more detail.

More info though, this is a replicated environment and  I just tried deleting 
it on the replica server and it completed successfully so it appears I might 
have a replication issue going on?  Hopefully I didn't mess something up doing 
that, should have checked the logs there first.  I see this in the logs on the 
replica

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz


On 04/29/2015 03:14 PM, thierry bordaz wrote:

On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson;freeipa-users@redhat.com; Ludwig Krispenz; Thierry
Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic operations error
when trying to remove it.  It looks like something is messed up with the
group object.  The user doesn't show up in the ipausers group and there also
isn't a group object for the user in question.  Here is the error from the
attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that
Thierry and Ludwig know what to look at.


Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy



Hello,

I wonder if it is not a similar issue I hit
https://fedorahosted.org/389/ticket/48165. What differs is
'_update_all_per_mod' logs but could be a consequence of the same bug.
I think what differs is that in the ticket there is an attempt to delete an
existing entry, but in the log snippet provided it attempts to delete a
tombstone entry (an entry which was already deleted).
So the errors logged by DS seem to be ok, but why does IPA want to
delete an already deleted user ? but maybe only the mep plugin finds a
tombstone and tries to delete it.


What was the command executed, is the result the same if repeated ?

I have a non systematic test case for 48165.
Is it happening systematically in your case ?

thanks
thierry



Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz


On 04/29/2015 03:40 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:14 PM, thierry bordaz wrote:


On 04/29/2015 02:43 PM, Andy Thompson wrote:


-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com
mailto:freeipa-users@redhat.com ; Ludwig Krispenz; Thierry
Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic operations error
when trying to remove it.  It looks like something is messed up with the
group object.  The user doesn't show up in the ipausers group and there also
isn't a group object for the user in question.  Here is the error from the
attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or
Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base
packages versions so that
Thierry and Ludwig know what to look at.


Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy



Hello,

I wonder it is not a similar issue I hit
https://fedorahosted.org/389/ticket/48165. What differs is
'_update_all_per_mod' logs but could be a consequence of the same bug.


I think what differs is that in the ticket there is an attempt to delete an existing
entry, but in the log snippet provided it attempts to delete a tombstone
entry (an entry which was already deleted).
So the errors logged by DS seem to be ok, but why does IPA want to delete
an already deleted user? But maybe only the mep plugin finds a tombstone
and tries to delete it.

What was the command executed, is the result the same if repeated ?



I attempted using the web interface initially and then tried using
ipa user-del username to see if it gave any more detail.

were both attempts at 2015:07:21:32 ? or do you have more errors in the 
error log ?


More info though, this is a replicated environment and  I just tried deleting 
it on the replica server and it completed successfully so it appears I might 
have a replication issue going on?  Hopefully I didn't mess something up doing 
that, should have checked

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 10:51 AM
 To: Andy Thompson
 Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 did you run the searches as directory manager ?


Yep sure did


 
 On 04/29/2015 04:34 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:28 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
  can you do the following search on both servers ?
 
  ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
 
  The server that I initially attempted the deletion on returns nothing.
  The second server (the one currently throwing the consumer failed
  replay error)  returns this if I remove the nscpentrywsi attribute
  filter.  If I leave the attribute filter I don't get anything
 
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
  objectClass: nsTombstone
 
  -andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson


 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 10:07 AM
 To: Andy Thompson
 Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 
 On 04/29/2015 03:40 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 9:22 AM
  To: thierry bordaz
  Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
 
  On 04/29/2015 03:14 PM, thierry bordaz wrote:
 
 
 On 04/29/2015 02:43 PM, Andy Thompson wrote:
 
 
 -Original Message-
 From: Martin Kosek [mailto:mko...@redhat.com]
 Sent: Wednesday, April 29, 2015 8:31 AM
 To: Andy Thompson; freeipa-users@redhat.com
  mailto:freeipa-users@redhat.com ; Ludwig Krispenz; Thierry
 Bordaz
 Subject: Re: [Freeipa-users] deleting ipa user
 
 On 04/29/2015 01:26 PM, Andy Thompson wrote:
 
 I'm trying to delete an IPA account and I get a generic operations error
 when trying to remove it.  It looks like something is messed up with the
 group object.  The user doesn't show up in the ipausers group and there also
 isn't a group object for the user in question.  Here is the error from the
 attempt.
 
 [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
 [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
 [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
 [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
 
 This is the first time I see this error. CCing Ludwig or
 Thierry
  to advise.
 
 Andy, please also include FreeIPA and 389-ds-base
 packages
  versions so that
 Thierry and Ludwig know what to look at.
 
 
 Here you go
 
 ipa-server-4.1.0-18.el7_1.3.x86_64
 389-ds-base-1.3.3.1-15.el7_1.x86_64
 
 Thanks much
 
 -andy
 
 
 
 Hello,
 
 I wonder it is not a similar issue I hit
  https://fedorahosted.org/389/ticket/48165. What differs is
  '_update_all_per_mod' logs but could be a consequence of the same bug.
 
 
  I think what differs is that in the ticket there is an attempt to delete
  an existing entry, but in the log snippet provided it attempts to
  delete a tombstone entry (an entry which was already deleted).
  So the errors logged by DS seem to be ok, but why does IPA want to
  delete an already deleted user? But maybe only the mep plugin finds a
  tombstone and tries to delete it.
 
  What was the command executed, is the result the same if repeated ?
 
 
  I attempted using the web interface initially and then tried using
  ipa user-del username to see if it gave any more detail.

 were both attempts at 2015:07:21:32 ? or do you have more errors in the
 error log ?

I had errors from the other delete attempts

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz

can you do the following search on both servers ?

 ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass



-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:07 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:40 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:14 PM, thierry bordaz wrote:


On 04/29/2015 02:43 PM, Andy Thompson wrote:


-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com
mailto:freeipa-users@redhat.com ; Ludwig Krispenz; Thierry
Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic operations error
when trying to remove it.  It looks like something is messed up with the
group object.  The user doesn't show up in the ipausers group and there also
isn't a group object for the user in question.  Here is the error from the
attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that
Thierry and Ludwig know what to look at.


Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy



Hello,

I wonder it is not a similar issue I hit
https://fedorahosted.org/389/ticket/48165. What differs is
'_update_all_per_mod' logs but could be a consequence of the same bug.


I think what differs is that in the ticket there is an attempt to delete
an existing entry, but in the log snippet provided it attempts to
delete a tombstone entry (an entry which was already deleted).
So the errors logged by DS seem to be ok, but why does IPA want to
delete an already deleted user? But maybe only the mep plugin finds a
tombstone and tries to delete it.

What was the command

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 10:28 AM
 To: Andy Thompson
 Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 can you do the following search on both servers ?
 
   ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
 

The server that I initially attempted the deletion on returns nothing.  The 
second server (the one currently throwing the consumer failed replay error)  
returns this if I remove the nscpentrywsi attribute filter.  If I leave the 
attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy



Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz

did you run the searches as directory manager ?

On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

   ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing.  The 
second server (the one currently throwing the consumer failed replay error)  
returns this if I remove the nscpentrywsi attribute filter.  If I leave the 
attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz

On 04/29/2015 05:35 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 11:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 05:08 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 04:49 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

did you run the searches as directory manager ?


Yep sure did

that's weird, as directory manager you should be able to see the
nscpentrywsi attribute, could you paste your full search request ?

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

and if you omit the grep ? still puzzled.

Ah if I omit the grep on the second server I get

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.


This is looking like that on the replica where the errors are logged. 
The entry is a tombstone but cannot be found with the nsuniqueid.

If on that server you do

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"





what is logged in the access log for these two searches?



On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

  ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing.
The second server (the one currently throwing the consumer failed
replay error)  returns this if I remove the nscpentrywsi attribute
filter.  If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson
 -Original Message-
 From: thierry bordaz [mailto:tbor...@redhat.com]
 Sent: Wednesday, April 29, 2015 12:28 PM
 To: Andy Thompson
 Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 On 04/29/2015 05:58 PM, Andy Thompson wrote:
 
 
   dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
   nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
   nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
   nscpentrywsi: objectClass;vucsn-55364a4200050004: top
   nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
   nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
   nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
   nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
   nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
   nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
   nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
   nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
   nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
   nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
   nscpentrywsi: parentid: 4
   nscpentrywsi: entryid: 385
   nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
   nscpentrywsi: nstombstonecsn: 5540deb800030003
   nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   nscpentrywsi: entryusn: 52327
 
   thought I tried that before, apparently not.
 
   ok, so we have the entry on one server, the csn of the objectclass:
   tombstone is :
 
   objectClass;vucsn-5540deb800030003: nsTombstone
 
   , which matches the csn in the error log:
 
   Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
 
   so the state of the entry is as expected.
 
   Now we need to find it on the other server. If the search for the filter
   with nstombstone does return nothing, could you try
 
 
   If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter
 it returns nothing on the primary server
 
   dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
   memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
   memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
   ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
   krbLastSuccessfulAuth: 20150421180533Z
   krbPasswordExpiration: 20150720180532Z
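
The comparison made in the thread above (the CSN on the nsTombstone objectClass value against the CSN in the "Consumer failed to replay change" error) can be scripted. The Python below is an added example, not code from the thread or from 389-ds: the function names are hypothetical, the sample input is constructed from values quoted above, and it assumes a CSN starts with 8 hex digits of Unix time followed by a 4-digit sequence number and a 4-digit replica id.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a few nscpentrywsi lines in the shape of the dump in the
# thread (values taken from it, "username" as in the redacted DNs).
SAMPLE_ENTRY = """\
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: username
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
"""
# Replication error line as quoted in the thread.
SAMPLE_ERROR = (
    "Consumer failed to replay change (uniqueid "
    "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): "
    "Operations error (1)"
)

CSN_RE = re.compile(r"[0-9a-f]{16}(?:[0-9a-f]{4})?", re.I)
ERROR_RE = re.compile(r"uniqueid\s+([0-9a-f-]+),\s*CSN\s+([0-9a-f]+)", re.I)


def decode_csn(csn):
    """Return (UTC datetime, sequence number, replica id) for a CSN.

    Assumed layout: 8 hex digits of Unix time, 4 of sequence number, 4 of
    replica id, optionally 4 more digits, which are ignored here.
    """
    if not CSN_RE.fullmatch(csn):
        raise ValueError(f"not a CSN: {csn!r}")
    when = datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)
    return when, int(csn[8:12], 16), int(csn[12:16], 16)


def parse_wsi(text):
    """Parse nscpentrywsi lines into (attribute, {csn_type: csn}, value)."""
    rows = []
    for line in text.splitlines():
        name, _, body = line.partition(":")
        if name.strip().lower() != "nscpentrywsi":
            continue
        descr, _, value = body.partition(":")
        attr, *options = descr.strip().split(";")
        # Options look like "vucsn-<csn>" or "mdcsn-<csn>": CSN type, then CSN.
        csns = dict(opt.split("-", 1) for opt in options if "-" in opt)
        rows.append((attr.lower(), csns, value.strip()))
    return rows


def tombstone_report(entry_text, error_line):
    """Check that the failed replicated change is the delete of this entry."""
    rows = parse_wsi(entry_text)
    plain = {attr: value for attr, csns, value in rows if not csns}
    # CSN attached to the nsTombstone objectClass value, i.e. the delete.
    value_csn = next(
        (csns.get("vucsn") for attr, csns, value in rows
         if attr == "objectclass" and value.lower() == "nstombstone"),
        None,
    )
    match = ERROR_RE.search(error_line)
    err_uid, err_csn = match.groups() if match else (None, None)
    report = {
        "is_tombstone": value_csn is not None,
        "same_entry": err_uid is not None and err_uid == plain.get("nsuniqueid"),
        "csn_consistent": value_csn is not None
        and value_csn == plain.get("nstombstonecsn") == err_csn,
    }
    if value_csn:
        when, _seq, rid = decode_csn(value_csn)
        report["deleted_at_utc"] = when.isoformat()
        report["origin_replica_id"] = rid
    return report


if __name__ == "__main__":
    for key, value in tombstone_report(SAMPLE_ENTRY, SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

The decoded delete time can then be lined up against the error log timestamps on each replica to see which server originated the delete and which one failed to replay it.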

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Ludwig Krispenz


On 04/29/2015 04:49 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

did you run the searches as directory manager ?


Yep sure did
that's weird, as directory manager you should be able to see the 
nscpentrywsi attribute, could you paste your full search request ?



  

On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing.
The second server (the one currently throwing the consumer failed
replay error)  returns this if I remove the nscpentrywsi attribute
filter.  If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy




Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread Andy Thompson


 -Original Message-
 From: Ludwig Krispenz [mailto:lkris...@redhat.com]
 Sent: Wednesday, April 29, 2015 10:59 AM
 To: Andy Thompson
 Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] deleting ipa user
 
 
 On 04/29/2015 04:49 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:51 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
  did you run the searches as directory manager ?
 
  Yep sure did
 that's weird, as directory manager you should be able to see the
 nscpentrywsi attribute, could you paste your full search request ?
 

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass


 
 
  On 04/29/2015 04:34 PM, Andy Thompson wrote:
  -Original Message-
  From: Ludwig Krispenz [mailto:lkris...@redhat.com]
  Sent: Wednesday, April 29, 2015 10:28 AM
  To: Andy Thompson
  Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] deleting ipa user
 
  can you do the following search on both servers ?
 
  ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
 
  The server that I initially attempted the deletion on returns nothing.
  The second server (the one currently throwing the consumer failed
  replay error)  returns this if I remove the nscpentrywsi attribute
  filter.  If I leave the attribute filter I don't get anything
 
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
  objectClass: nsTombstone
 
  -andy

