On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> Something went wrong when trying to restore some preserved users so I
>>>> deleted them and then tried to recreate them. This failed with -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'XXXXX'
>>>> already exists.
>>>>
>>>> Trying to delete this group produces -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'XXXXX' already
>>>> exists.
>>>>
>>>> Trying to detach it with
>>>>
>>>> ipa group-detach XXXXX
>>>>
>>>> produces
>>>>
>>>> ipa: ERROR: XXXXX: group not found
>>>>
>>>> ipa group-show XXXXX
>>> I would try
>>> $ ipa group show XXXXX --all --raw
>>>
>>> that could show us if there is something interesting like
>>> replication conflict
>>> or so.
>>>
>>> Petr^2 Spacek
>> Hi Petr,
>>
>> This produces ...
>>
>> ipa group-show XXXXX --all --raw
>> dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
>> cn: XXXXX
>> description: User private group for XXXXX
>> gidnumber: 799830053
>> ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
>> mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
>> objectClass: posixgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: top
>>
>> We do have some replication problems at the moment - two recreated
>> replicas currently have two RUVs, so could this be how the user
>> delete completed without the corresponding group?
>
> Not sure. The 389-ds plugin should, by definition, remove the group
> when a user is deleted. I'd be more inclined to believe that the group
> was added and the user not in a replication event.
>
> Removing the group requires an ldapmodify:
>
> % kinit admin
> % ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: ad...@example.com
> SASL SSF: 56
> SASL data security layer installed.
> dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
> ^D
> modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"
>
> % ipa group-del deleteme
> ------------------------
> Deleted group "deleteme"
> ------------------------
>
> Makes me wonder if the managed entry plugin should allow deletion if
> the other side of the link doesn't exist. I'll investigate this.
>
> rob

Hi Rob,

Your procedure detailed above allowed me to delete the old private groups
and then recreate the user accounts.

Many Thanks

Bob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
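As an added example (not code from the thread or from FreeIPA), a shell helper that turns the `ipa group-show --all --raw` output Bob posted into the LDIF from Rob's procedure, and refuses to emit anything for a group that does not carry the `mepManagedEntry` objectclass, so only an orphaned private group ever gets detached. The sample output is constructed from the thread's values and is not real directory data.

```shell
# Constructed sample of `ipa group-show <group> --all --raw` output for an
# orphaned private group (values modelled on the thread, not real data).
SAMPLE_RAW='dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
cn: deleteme
description: User private group for deleteme
gidnumber: 799830053
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com'

# Read raw group-show output on stdin and print the ldapmodify LDIF that
# removes the managed-entry link (objectclass + mepManagedBy), exactly as
# in Rob's procedure. Prints nothing and returns 1 unless the entry really
# carries mepManagedEntry, so an ordinary group is never detached by mistake.
detach_ldif() {
    awk '
        tolower($0) ~ /^dn: /                          { dn = substr($0, 5) }
        tolower($0) ~ /^mepmanagedby: /                { by = substr($0, 15) }
        tolower($0) ~ /^objectclass: mepmanagedentry$/ { managed = 1 }
        END {
            if (!managed || dn == "" || by == "") exit 1
            print "dn: " dn
            print "changetype: modify"
            print "delete: objectclass"
            print "objectclass: mepManagedEntry"
            print "-"
            print "delete: mepManagedBy"
            print "mepManagedBy: " by
        }'
}

# On a live server the thread's procedure becomes (not executed here):
#   kinit admin
#   ipa group-show "$grp" --all --raw | detach_ldif | ldapmodify -Y GSSAPI
#   ipa group-del "$grp"
printf '%s\n' "$SAMPLE_RAW" | detach_ldif
```

Run `ipa group-del` only after the ldapmodify succeeds; the link is what made the delete fail in the first place.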