Re: [Freeipa-users] How to delete a managed group [SOLVED]
On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> Something went wrong when trying to restore some preserved users so I
>>>> deleted them and then tried to recreate them. This failed with -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>>>
>>>> Trying to delete this group produces -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>>>
>>>> Trying to detach it with
>>>>
>>>> ipa group-detach X
>>>>
>>>> produces
>>>>
>>>> ipa: ERROR: X: group not found
>>>>
>>>> ipa group-show X
>>> I would try
>>> $ ipa group show X --all --raw
>>>
>>> that could show us if there is something interesting like
>>> replication conflict or so.
>>>
>>> Petr^2 Spacek
>> Hi Petr,
>>
>> This produces ...
>>
>> ipa group-show X --all --raw
>> dn: cn=X,cn=groups,cn=accounts,dc=local,dc=com
>> cn: X
>> description: User private group for X
>> gidnumber: 799830053
>> ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
>> mepManagedBy: uid=X,cn=users,cn=accounts,dc=local,dc=com
>> objectClass: posixgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: top
>>
>> We do have some replication problems at the moment - two recreated
>> replicas currently have two RUVs so could this be how the user
>> delete completed without the corresponding group?
>
> Not sure. The 389-ds plugin should, by definition, remove the group
> when a user is deleted. I'd be more inclined to believe that the group
> was added and the user not in a replication event.
>
> Removing the group requires an ldapmodify:
>
> % kinit admin
> % ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: ad...@example.com
> SASL SSF: 56
> SASL data security layer installed.
> dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
> ^D
> modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"
>
> % ipa group-del deleteme
>
> Deleted group "deleteme"
>
> Makes me wonder if the managed entry plugin should allow deletion if
> the other side of the link doesn't exist. I'll investigate this.
>
> rob
> .
>

Hi Rob,

Your procedure detailed above allowed me to delete the old private groups and then recreate the user accounts.

Many Thanks

Bob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] How to delete a managed group
Bob Hinton wrote:
> On 03/08/2016 07:15, Petr Spacek wrote:
>> On 3.8.2016 00:58, Bob Hinton wrote:
>>> Hi,
>>>
>>> Something went wrong when trying to restore some preserved users so I
>>> deleted them and then tried to recreate them. This failed with -
>>>
>>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>>
>>> Trying to delete this group produces -
>>>
>>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>>
>>> Trying to detach it with
>>>
>>> ipa group-detach X
>>>
>>> produces
>>>
>>> ipa: ERROR: X: group not found
>>>
>>> ipa group-show X
>> I would try
>> $ ipa group show X --all --raw
>>
>> that could show us if there is something interesting like
>> replication conflict or so.
>>
>> Petr^2 Spacek
> Hi Petr,
>
> This produces ...
>
> ipa group-show X --all --raw
> dn: cn=X,cn=groups,cn=accounts,dc=local,dc=com
> cn: X
> description: User private group for X
> gidnumber: 799830053
> ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
> mepManagedBy: uid=X,cn=users,cn=accounts,dc=local,dc=com
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
>
> We do have some replication problems at the moment - two recreated
> replicas currently have two RUVs so could this be how the user
> delete completed without the corresponding group?

Not sure. The 389-ds plugin should, by definition, remove the group when a user is deleted. I'd be more inclined to believe that the group was added and the user not in a replication event.

Removing the group requires an ldapmodify:

% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
^D
modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"

% ipa group-del deleteme

Deleted group "deleteme"

Makes me wonder if the managed entry plugin should allow deletion if the other side of the link doesn't exist. I'll investigate this.

rob

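Added example, not part of the original thread and not FreeIPA's own tooling: the detach step from Rob's procedure above, with the LDIF generated from `ipa group-show X --all --raw` output instead of typed by hand, and refused when the entry is not a managed entry. The function names are made up for this example; the sample input is the output quoted in the thread.

```shell
#!/bin/sh
# Sample input: the group-show output quoted in the thread.
SAMPLE_RAW='dn: cn=X,cn=groups,cn=accounts,dc=local,dc=com
cn: X
description: User private group for X
gidnumber: 799830053
ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
mepManagedBy: uid=X,cn=users,cn=accounts,dc=local,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top'

# Print the first value of attribute $1 (case-insensitive) read from stdin.
# Leading whitespace is stripped because the ipa CLI may indent its output.
raw_attr() {
    awk -v want="$1" '
        {
            sub(/^[ \t]+/, "")
            i = index($0, ": ")
            if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
                print substr($0, i + 2); exit
            }
        }'
}

# uid of the managing user, so its absence can be confirmed before detaching.
mep_owner_uid() {
    raw_attr mepManagedBy | sed -n 's/^uid=\([^,]*\),.*/\1/p'
}

# Read raw group output on stdin and print the LDIF that removes the
# managed-entry link. Prints nothing and returns 1 if the entry does not
# carry both objectClass mepManagedEntry and a mepManagedBy value.
mep_detach_ldif() {
    raw=$(cat)
    dn=$(printf '%s\n' "$raw" | raw_attr dn)
    owner=$(printf '%s\n' "$raw" | raw_attr mepManagedBy)
    printf '%s\n' "$raw" |
        grep -qi '^[[:space:]]*objectclass: mepManagedEntry$' || return 1
    [ -n "$dn" ] && [ -n "$owner" ] || return 1
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'delete: objectclass\nobjectclass: mepManagedEntry\n-\n'
    printf 'delete: mepManagedBy\nmepManagedBy: %s\n' "$owner"
}
```

Once `ipa user-show` on the uid from `mep_owner_uid` confirms the managing user is gone, the generated LDIF can be piped to `ldapmodify -Y GSSAPI` and followed by `ipa group-del`, as in the procedure above.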
Re: [Freeipa-users] How to delete a managed group
On 03/08/2016 07:15, Petr Spacek wrote:
> On 3.8.2016 00:58, Bob Hinton wrote:
>> Hi,
>>
>> Something went wrong when trying to restore some preserved users so I
>> deleted them and then tried to recreate them. This failed with -
>>
>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>
>> Trying to delete this group produces -
>>
>> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>>
>> Trying to detach it with
>>
>> ipa group-detach X
>>
>> produces
>>
>> ipa: ERROR: X: group not found
>>
>> ipa group-show X
> I would try
> $ ipa group show X --all --raw
>
> that could show us if there is something interesting like replication conflict
> or so.
>
> Petr^2 Spacek

Hi Petr,

This produces ...

ipa group-show X --all --raw
dn: cn=X,cn=groups,cn=accounts,dc=local,dc=com
cn: X
description: User private group for X
gidnumber: 799830053
ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
mepManagedBy: uid=X,cn=users,cn=accounts,dc=local,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top

We do have some replication problems at the moment - two recreated replicas currently have two RUVs so could this be how the user delete completed without the corresponding group?

Thanks

Bob

>
>> displays the group, but "ipa group-find X" doesn't
>>
>> How can I get rid of the group so I can recreate the user ?
>>
>> Many thanks
>>
>> Bob

Re: [Freeipa-users] How to delete a managed group
On 3.8.2016 00:58, Bob Hinton wrote:
> Hi,
>
> Something went wrong when trying to restore some preserved users so I
> deleted them and then tried to recreate them. This failed with -
>
> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>
> Trying to delete this group produces -
>
> ipa: ERROR: Unable to create private group. A group 'X' already exists.
>
> Trying to detach it with
>
> ipa group-detach X
>
> produces
>
> ipa: ERROR: X: group not found
>
> ipa group-show X

I would try
$ ipa group show X --all --raw

that could show us if there is something interesting like replication conflict or so.

Petr^2 Spacek

>
> displays the group, but "ipa group-find X" doesn't
>
> How can I get rid of the group so I can recreate the user ?
>
> Many thanks
>
> Bob