Re: [Freeipa-users] deleting ipa user
On 04/30/2015 02:31 PM, Andy Thompson wrote:

> > > It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.
> > You are right. I think the private group of a user is/should be deleted at the same time when you delete a user.
>
> Is it normal that private groups do not show up in the user group listing or with ipa group-find commands? I thought I remembered seeing them on a freeipa 3 installation but I've checked a couple 4 installs and they don't show up.

User private groups should not show up in the results of ipa group-* commands. I'm not sure what you meant by "user group listing", but they should show up when running the "id" command.

> I just had a random issue a little bit ago with another account when I checked the user groups in the web interface it popped with an unknown error dialog. I have not been able to reproduce it again and don't see anything in the error logs or access log which would indicate any problems.
>
> > > All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.
> > The logs gave a lot of information but without a test case it could be difficult to identify the RC.
> > Now as I mentioned I hit (with a non systematic test case) another bug when deleting a user. It was impossible to remove the entry/group. In this bug I tested on standalone instance but on replicated topology I wonder if it could have the same symptom.
>
> I've not been able to reproduce the issue in my sandbox environment so I'm not sure. It is also replicated.
>
> -andy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
> > It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.
> You are right. I think the private group of a user is/should be deleted at the same time when you delete a user.

Is it normal that private groups do not show up in the user group listing or with ipa group-find commands? I thought I remembered seeing them on a freeipa 3 installation but I've checked a couple 4 installs and they don't show up.

I just had a random issue a little bit ago with another account when I checked the user groups in the web interface it popped with an unknown error dialog. I have not been able to reproduce it again and don't see anything in the error logs or access log which would indicate any problems.

> > All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.
> The logs gave a lot of information but without a test case it could be difficult to identify the RC.
> Now as I mentioned I hit (with a non systematic test case) another bug when deleting a user. It was impossible to remove the entry/group. In this bug I tested on standalone instance but on replicated topology I wonder if it could have the same symptom.

I've not been able to reproduce the issue in my sandbox environment so I'm not sure. It is also replicated.

-andy
Re: [Freeipa-users] deleting ipa user
On 04/30/2015 12:41 PM, Andy Thompson wrote:

> > You got a first replica where you failed to delete the entry.
> > You got a second replica where you succeeded to delete the entry.
> >
> > On first replica you can see messages like:
> >
> > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> >
> > On the second replica you can see messages like:
> >
> > [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.
> >
> > On the first replica, you had difficulties to retrieve the entry and finally had to remove 'nsuniqueid' from the filter to retrieve this entry
> >
> > dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > ...
> > nscpentrywsi: objectClass;vucsn-5540deb80003: nsTombstone
> > ...
> > nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> > ...
> >
> > On the second replica you can the entry:
> >
> > dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > ...
> > nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> > ...
> > nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> >
> > Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82.. while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
> >
> > It differs '2' instead of '7'. So this is not the same entry (from replication point of view).
> >
> > The error reported in the first replica was about Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...
> >
> > The error reported in the second replica was also about Consumer failed to replay change (uniqueid 7e1a1f87...
> >
> > So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.
>
> It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.

You are right. I think the private group of a user is/should be deleted at the same time when you delete a user.

> All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.

The logs gave a lot of information but without a test case it could be difficult to identify the RC.
Now as I mentioned I hit (with a non systematic test case) another bug when deleting a user. It was impossible to remove the entry/group. In this bug I tested on standalone instance but on replicated topology I wonder if it could have the same symptom.

> Is there any way to find the root cause of this? And is it normal that individual group objects are not created for users? I thought I remembered reading somewhere that they were derived and not static entries? The few accounts I have on there were created in the web interface, most of my users are all trust users.
>
> > Although it could be two entries having the same DN but that was deleted, added and then deleted again.
> >
> > The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
> > Maybe you can retrieve it with its (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
> >
> > thanks
> > thierry
> >
> > dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> > nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: nsAccountLock;adcsn-5540be0c00020004;vucsn-5540be0c00020004: TRUE
> > nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b20003;vucsn-5537c9b20003: 20150422161526Z
> > nscpentrywsi: memberOf;adcsn-5537c2f500040003;vucsn-5537c2f500040003: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > nscpentrywsi: memberOf;vucsn-5537c2f500040003: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> > nscpentrywsi:
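The correlation worked through in this message, checking whether the uniqueid and CSN named in the 389-ds error log belong to the tombstone dumped from each replica, as an added example that is not part of the original thread. The sample input is abridged from the log lines and LDIF quoted above; the function names and the labels replica1/replica2 are assumptions.

```python
import re

# Sample input abridged from the log lines and LDIF quoted in the thread, with
# mail line-wraps rejoined. The labels "replica1"/"replica2" are assumptions.
ERROR_LOG = """\
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.
"""

# Plain dump: the id is visible only in the tombstone RDN (folded dn line).
REPLICA1_LDIF = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,
 cn=accounts,dc=mhbenp,dc=lin
objectClass: nsTombstone
"""

# Dump taken with the nscpentrywsi attribute requested.
REPLICA2_LDIF = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,
 cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
"""

REPLAY_RE = re.compile(
    r"Consumer failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]+)\)")
TOMBSTONE_RE = re.compile(
    r'Turning a tombstone into a tombstone! "nsuniqueid=([0-9a-f-]+),')


def parse_error_log(text):
    """Map each nsuniqueid named in the error log to the CSNs logged with it."""
    seen = {}
    for line in text.splitlines():
        m = REPLAY_RE.search(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = TOMBSTONE_RE.search(line)
        if m:
            seen.setdefault(m.group(1), set())
    return seen


def parse_tombstones(ldif):
    """Return one dict (dn, nsuniqueid, csn) per entry of an ldapsearch dump."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {"dn": None, "nsuniqueid": None, "csn": None}
        for line in block.splitlines():
            line = re.sub(r"^nscpentrywsi:\s*", "", line)  # drop state-info wrapper
            name, sep, value = line.partition(": ")
            if not sep:
                continue
            attr = name.split(";")[0].lower()
            if attr == "dn":
                entry["dn"] = value
            elif attr == "nsuniqueid":
                entry["nsuniqueid"] = value.strip().lower()
            elif attr == "nstombstonecsn":
                entry["csn"] = value.strip()
            elif attr == "objectclass" and value.strip().lower() == "nstombstone":
                m = re.search(r";vucsn-([0-9a-f]+)", name)
                if m and entry["csn"] is None:
                    entry["csn"] = m.group(1)
        if entry["dn"] and entry["nsuniqueid"] is None:
            # No nsUniqueId attribute returned: fall back to the tombstone RDN.
            m = re.match(r"nsuniqueid=([0-9a-f-]+),", entry["dn"], re.I)
            if m:
                entry["nsuniqueid"] = m.group(1).lower()
        if entry["dn"]:
            entries.append(entry)
    return entries


def differs_by_one(a, b):
    """True when two ids have equal length and exactly one differing character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def correlate(log_text, ldif_by_server):
    """For every logged uniqueid, report what each server's dump holds for it."""
    dumps = {srv: parse_tombstones(ldif) for srv, ldif in ldif_by_server.items()}
    findings = []
    for uid, csns in sorted(parse_error_log(log_text).items()):
        for server, entries in dumps.items():
            exact = [e for e in entries if e["nsuniqueid"] == uid]
            near = [e for e in entries
                    if e["nsuniqueid"] and differs_by_one(e["nsuniqueid"], uid)]
            if exact:
                ok = not csns or exact[0]["csn"] in csns
                status = "match" if ok else "csn-mismatch"
                findings.append((uid, server, status, exact[0]["dn"]))
            elif near:
                # One character off: a different entry as far as replication goes.
                findings.append((uid, server, "different-entry", near[0]["dn"]))
            else:
                findings.append((uid, server, "not-found", None))
    return findings


if __name__ == "__main__":
    servers = {"replica1": REPLICA1_LDIF, "replica2": REPLICA2_LDIF}
    for row in correlate(ERROR_LOG, servers):
        print(*row, sep=" | ")
```

A `different-entry` row is the f82/f87 mix-up described in the message: the dumped tombstone looks like the logged one but carries another nsuniqueid.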
Re: [Freeipa-users] deleting ipa user
> You got a first replica where you failed to delete the entry.
> You got a second replica where you succeeded to delete the entry.
>
> On first replica you can see messages like:
>
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
>
> On the second replica you can see messages like:
>
> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1). Will retry later.
>
> On the first replica, you had difficulties to retrieve the entry and finally had to remove 'nsuniqueid' from the filter to retrieve this entry
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb80003: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> ...
>
> On the second replica you can the entry:
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>
> Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82.. while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
>
> It differs '2' instead of '7'. So this is not the same entry (from replication point of view).
>
> The error reported in the first replica was about Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...
>
> The error reported in the second replica was also about Consumer failed to replay change (uniqueid 7e1a1f87...
>
> So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.

It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.

Is there any way to find the root cause of this? And is it normal that individual group objects are not created for users? I thought I remembered reading somewhere that they were derived and not static entries? The few accounts I have on there were created in the web interface, most of my users are all trust users.

> Although it could be two entries having the same DN but that was deleted, added and then deleted again.
>
> The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
> Maybe you can retrieve it with its (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
>
> thanks
> thierry
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: nsAccountLock;adcsn-5540be0c00020004;vucsn-5540be0c00020004: TRUE
> nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b20003;vucsn-5537c9b20003: 20150422161526Z
> nscpentrywsi: memberOf;adcsn-5537c2f500040003;vucsn-5537c2f500040003: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: memberOf;vucsn-5537c2f500040003: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
> nscpentrywsi: passwordGraceUserTime;adcsn-553692040004;vucsn-553692040004: 0
> nscpentrywsi: krbPasswordExpiration;adcsn-5536920200040005;vucsn-5536920200040005: 201507201
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:58 PM, Andy Thompson wrote:

> > > dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > > nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > > nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
> > > nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
> > > nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
> > > nscpentrywsi: objectClass;vucsn-55364a4200050004: top
> > > nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> > > nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
> > > nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
> > > nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
> > > nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> > > nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> > > nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> > > nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
> > > nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
> > > nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> > > nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
> > > nscpentrywsi: parentid: 4
> > > nscpentrywsi: entryid: 385
> > > nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> > > nscpentrywsi: nstombstonecsn: 5540deb800030003
> > > nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> > > nscpentrywsi: entryusn: 52327
> > >
> > > thought I tried that before, apparently not.
> >
> > ok, so we have the entry on one server, the csn of the objectclass: tombstone is :
> >
> > objectClass;vucsn-5540deb800030003: nsTombstone
> >
> > , which matches the csn in the error log:
> >
> > Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
> >
> > so the state of the entry is as expected.
> >
> > Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
>
> If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
> krbLastSuccessfulAuth: 20150421180533Z
> krbPasswordExpiration: 20150720180532Z
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: usern...@mhbenp.lin
> krbPrincipalName: usern...@mhbenp.lin
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 124903
> gidNumber: 124903
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8

In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing.
Did you run the command with 'nscpentrywsi' requested attribute. Maybe nsuniqueid was hidden for that reason but I would be surprised.
nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.
Re: [Freeipa-users] deleting ipa user
> This is looking like that on the replica where the errors are logged.
> The entry is a tombstone but cannot be found with the nsuniqueid.
> If on that server you do
>
> ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"

This one returns nothing on either server.
Re: [Freeipa-users] deleting ipa user
> > dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup > > nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject > > nscpentrywsi: objectClass;vucsn-55364a4200050004: > mepManagedEntry > > nscpentrywsi: objectClass;vucsn-55364a4200050004: top > > nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone > > nscpentrywsi: > > cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh > > nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903 > > nscpentrywsi: description;vucsn-55364a4200050004: User private > > group for username > > nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= > > username,cn=users,cn=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed > > Entries,cn=plugins,cn=config > > nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed > > Entries,cn=plugins,cn=config > > nscpentrywsi: createTimestamp;vucsn-55364a4200050004: > > 20150421130152Z > > nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: > > 20150421130152Z > > nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 > > nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: > > 94dc1638-e826-11e4-878a-005056a92af3 > > nscpentrywsi: parentid: 4 > > nscpentrywsi: entryid: 385 > > nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 > > nscpentrywsi: nstombstonecsn: 5540deb800030003 > > nscpentrywsi: nscpEntryDN: > > cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: entryusn: 52327 > > > > thought I tried that before, apparently not. 
> ok, so we have the entry on one server, the csn of the objectclass: tombstone is:
>
> objectClass;vucsn-5540deb800030003: nsTombstone
>
> , which matches the csn in the error log:
>
> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
>
> so the state of the entry is as expected.
>
> Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try

If I run

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))"

I get below. If I add nsuniqueid to the filter it returns nothing on the primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 124903
gidNumber: 124903
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
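The comparison made in this exchange (does a server hold a tombstone with the nsuniqueid named in the replay error, and does the CSN on its nsTombstone value match the CSN in that error?) can be scripted. This is an added Python example, not code from the thread or from 389-ds; the sample input is trimmed from the output quoted above, and the function names and the reading of the first eight hex digits of a CSN as a Unix timestamp are assumptions of the example.

```python
import re
from datetime import datetime, timezone

# Replay error quoted in the thread.
ERROR_LINE = ("Consumer failed to replay change (uniqueid "
              "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): "
              "Operations error (1)")

# Sample input trimmed from the ldapsearch output quoted in the thread.
# Replica (mdhixnpipa02), searched with the nscpentrywsi attribute requested:
REPLICA_LDIF = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
"""
# Primary (mdhixnpipa01), plain (objectclass=nstombstone) search:
PRIMARY_LDIF = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
objectClass: posixaccount
objectClass: nsTombstone
uid: username
"""

REPLAY_RE = re.compile(r"uniqueid (?P<uid>[0-9a-fA-F-]+), CSN (?P<csn>[0-9a-fA-F]+)")
TOMBSTONE_DN_RE = re.compile(r"^dn: nsuniqueid=(?P<uid>[0-9a-fA-F-]+),", re.I)
# "nscpentrywsi: attr;vucsn-<csn>;mdcsn-<csn>: value" (subtypes are optional)
STATE_RE = re.compile(r"^nscpentrywsi: (?P<attr>[^;:]+)(?P<subs>(?:;[^;:]+)*): (?P<val>.*)$")


def parse_replay_error(line):
    """Return (uniqueid, csn) from a 'Consumer failed to replay change' line."""
    m = REPLAY_RE.search(line)
    if m is None:
        raise ValueError("not a replay-failure line")
    return m["uid"].lower(), m["csn"].lower()


def parse_tombstones(ldif):
    """One record per entry whose DN starts with nsuniqueid= (tombstone RDN)."""
    entries, cur = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            m = TOMBSTONE_DN_RE.match(line)
            cur = None
            if m:
                cur = {"uniqueid": m["uid"].lower(), "dn": line[4:],
                       "tombstone": False, "tombstone_csn": None}
                entries.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m = STATE_RE.match(line)
        if m:  # state information: value carries its CSNs as subtypes
            attr, val = m["attr"], m["val"]
            csns = dict(s.split("-", 1) for s in m["subs"].split(";") if "-" in s)
        else:  # plain attribute, no replication state available
            attr, _, val = line.partition(": ")
            csns = {}
        if attr.lower() == "objectclass" and val.lower() == "nstombstone":
            cur["tombstone"] = True
            cur["tombstone_csn"] = csns.get("vucsn", cur["tombstone_csn"])
        elif attr.lower() == "nstombstonecsn":
            cur["tombstone_csn"] = cur["tombstone_csn"] or val.lower()
    return entries


def classify(error_line, ldif):
    """State of the entry named in the replay error on one server."""
    uid, csn = parse_replay_error(error_line)
    match = [e for e in parse_tombstones(ldif) if e["uniqueid"] == uid]
    if not match:
        return "missing"                 # no tombstone with that nsuniqueid
    found = match[0]["tombstone_csn"]
    if found is None:
        return "tombstone-csn-unknown"   # rerun the search requesting nscpentrywsi
    return "tombstone-same-csn" if found == csn else "tombstone-other-csn"


def csn_time(csn):
    """Assumption: the first 8 hex digits of a CSN are seconds since the epoch."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


if __name__ == "__main__":
    uid, csn = parse_replay_error(ERROR_LINE)
    print("failed change:", uid, csn, csn_time(csn).isoformat())
    for name, ldif in (("replica", REPLICA_LDIF), ("primary", PRIMARY_LDIF)):
        print(name, classify(ERROR_LINE, ldif),
              [e["uniqueid"] for e in parse_tombstones(ldif)])
```

On this input the primary's only tombstone is the `...1f82` user entry, so the `...1f87` group entry named in the error is reported as missing there, while the replica already holds it as a tombstone with the same CSN.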
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:35 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 11:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015 05:08 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:59 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015 04:49 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:51 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user did you run the searches as directory manager ? Yep sure did that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ? This returns the object ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0a bc1a8))" | grep -i objectClass This returns nothing ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0a bc1a8))" nscpentrywsi | grep -i objectClass and if you omit the grep ? still puzzled. 
Ah if I omit the grep on the second server I get dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry nscpentrywsi: objectClass;vucsn-55364a4200050004: top nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903 nscpentrywsi: description;vucsn-55364a4200050004: User private group for username nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3 nscpentrywsi: parentid: 4 nscpentrywsi: entryid: 385 nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 nscpentrywsi: nstombstonecsn: 5540deb800030003 nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: entryusn: 52327 thought I tried that before, apparently not. This is looking like that on the replica where the errors are logged. The entry is a tombstone but can not be find with the nsuniqueid. If on that server you do ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." 
"(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))" what is logged in the access log for these two searches? On 04/29/2015 04:34 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user can you do the followin search on both servers ? ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D "cn=directory manager" - w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4- 99f1b343- f0abc1a8))" nscpentrywsi | grep -i objectClass The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything objectClass: posixgroup objectClass: ipaobject objectClass: mepManagedEntry objectClass: top objectClass: nsTombstone -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:35 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 11:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015 05:08 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:59 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015 04:49 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:51 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user did you run the searches as directory manager ? Yep sure did that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ? This returns the object ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0a bc1a8))" | grep -i objectClass This returns nothing ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0a bc1a8))" nscpentrywsi | grep -i objectClass and if you omit the grep ? still puzzled. 
Ah if I omit the grep on the second server I get dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry nscpentrywsi: objectClass;vucsn-55364a4200050004: top nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903 nscpentrywsi: description;vucsn-55364a4200050004: User private group for username nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3 nscpentrywsi: parentid: 4 nscpentrywsi: entryid: 385 nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 nscpentrywsi: nstombstonecsn: 5540deb800030003 nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: entryusn: 52327 thought I tried that before, apparently not. 
ok, so we have the entry on one server, the csn of the objectclass: tombstone is:

objectClass;vucsn-5540deb800030003: nsTombstone

, which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected.

Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
- a plain search (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) (also with nscpentrywsi)
or if this doesn't return anything:
- (objectclass=nstombstone) and grep for your

what is logged in the access log for these two searches?

On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don'
Re: [Freeipa-users] deleting ipa user
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 11:28 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 05:08 PM, Andy Thompson wrote: > > > >> -Original Message- > >> From: Ludwig Krispenz [mailto:lkris...@redhat.com] > >> Sent: Wednesday, April 29, 2015 10:59 AM > >> To: Andy Thompson > >> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > >> Subject: Re: [Freeipa-users] deleting ipa user > >> > >> > >> On 04/29/2015 04:49 PM, Andy Thompson wrote: > >>>> -Original Message- > >>>> From: Ludwig Krispenz [mailto:lkris...@redhat.com] > >>>> Sent: Wednesday, April 29, 2015 10:51 AM > >>>> To: Andy Thompson > >>>> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > >>>> Subject: Re: [Freeipa-users] deleting ipa user > >>>> > >>>> did you run the searches as directory manager ? > >>>> > >>> Yep sure did > >> that's weird, as directory manager you should be able to see the > >> nscpentrywsi attribute, could you paste your full search request ? > > This returns the object > > > > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D > > "cn=directory manager" -W -b "dc=..." > > "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0a > > bc1a8))" | grep -i objectClass > > > > This returns nothing > > > > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D > > "cn=directory manager" -W -b "dc=..." > > "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0a > > bc1a8))" nscpentrywsi | grep -i objectClass > and if you omit the grep ? still puzzled. 
Ah if I omit the grep on the second server I get dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry nscpentrywsi: objectClass;vucsn-55364a4200050004: top nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903 nscpentrywsi: description;vucsn-55364a4200050004: User private group for username nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3 nscpentrywsi: parentid: 4 nscpentrywsi: entryid: 385 nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 nscpentrywsi: nstombstonecsn: 5540deb800030003 nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: entryusn: 52327 thought I tried that before, apparently not. > what is logged in the access log for these two searches? 
> > > > > >>> > >>>> On 04/29/2015 04:34 PM, Andy Thompson wrote: > >>>>>> -Original Message- > >>>>>> From: Ludwig Krispenz [mailto:lkris...@redhat.com] > >>>>>> Sent: Wednesday, April 29, 2015 10:28 AM > >>>>>> To: Andy Thompson > >>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > >>>>>> Subject: Re: [Freeipa-users] deleting ipa user > >>>>>> > >>>>>> can you do the followin search on both servers ? > >>>>>> > >>>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D > >>>>>> "cn=directory manager" - w xxx -b "dc=xxx" > >>>>>> "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4- > >>>> 99f1b343- > >>>>>> f0abc1a8))" > >>>>>> nscpentrywsi | grep -i objectClass > >>>>> The server that I initially attempted the deletion on returns nothing. > >>>>> The second server (the one currently throwing the consumer failed > >>>>> replay error) returns this if I remove the nscpentrywsi attribute > >>>>> filter. If I leave the attribute filter I don't get anything > >>>>> > >>>>> objectClass: posixgroup > >>>>> objectClass: ipaobject > >>>>> objectClass: mepManagedEntry > >>>>> objectClass: top > >>>>> objectClass: nsTombstone > >>>>> > >>>>> -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:08 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:59 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015 04:49 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:51 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user did you run the searches as directory manager ? Yep sure did that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ? This returns the object ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass This returns nothing ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass and if you omit the grep ? still puzzled. what is logged in the access log for these two searches? On 04/29/2015 04:34 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user can you do the followin search on both servers ? ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D "cn=directory manager" - w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4- 99f1b343- f0abc1a8))" nscpentrywsi | grep -i objectClass The server that I initially attempted the deletion on returns nothing. 
The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything objectClass: posixgroup objectClass: ipaobject objectClass: mepManagedEntry objectClass: top objectClass: nsTombstone -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
> -Original Message- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 10:59 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 04:49 PM, Andy Thompson wrote: > >> -Original Message- > >> From: Ludwig Krispenz [mailto:lkris...@redhat.com] > >> Sent: Wednesday, April 29, 2015 10:51 AM > >> To: Andy Thompson > >> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > >> Subject: Re: [Freeipa-users] deleting ipa user > >> > >> did you run the searches as directory manager ? > >> > > Yep sure did > that's weird, as directory manager you should be able to see the > nscpentrywsi attribute, could you paste your full search request ? > > This returns the object ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass This returns nothing ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass > > > > > >> On 04/29/2015 04:34 PM, Andy Thompson wrote: > >>>> -Original Message----- > >>>> From: Ludwig Krispenz [mailto:lkris...@redhat.com] > >>>> Sent: Wednesday, April 29, 2015 10:28 AM > >>>> To: Andy Thompson > >>>> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com > >>>> Subject: Re: [Freeipa-users] deleting ipa user > >>>> > >>>> can you do the followin search on both servers ? > >>>> > >>>> ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D > >>>> "cn=directory manager" - w xxx -b "dc=xxx " > >>>> "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4- > >> 99f1b343- > >>>> f0abc1a8))" > >>>> nscpentrywsi | grep -i objectClass > >>> The server that I initially attempted the deletion on returns nothing. 
> >>> The second server (the one currently throwing the consumer failed > >>> replay error) returns this if I remove the nscpentrywsi attribute > >>> filter. If I leave the attribute filter I don't get anything > >>> > >>> objectClass: posixgroup > >>> objectClass: ipaobject > >>> objectClass: mepManagedEntry > >>> objectClass: top > >>> objectClass: nsTombstone > >>> > >>> -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 04:49 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:51 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user did you run the searches as directory manager ? Yep sure did that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ? On 04/29/2015 04:34 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 10:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user can you do the followin search on both servers ? ldapsearch -LLL -o ldif-wrap=no -h xxx p xxx -x -D "cn=directory manager" - w xxx -b "dc=xxx " "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4- 99f1b343- f0abc1a8))" nscpentrywsi | grep -i objectClass The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything objectClass: posixgroup objectClass: ipaobject objectClass: mepManagedEntry objectClass: top objectClass: nsTombstone -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] deleting ipa user
did you run the searches as directory manager ?

On 04/29/2015 04:34 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

can you do the following search on both servers ?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy
Re: [Freeipa-users] deleting ipa user
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:51 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> did you run the searches as directory manager ?
>

Yep sure did

> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> >> -Original Message-
> >> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> >> Sent: Wednesday, April 29, 2015 10:28 AM
> >> To: Andy Thompson
> >> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >> can you do the following search on both servers ?
> >>
> >> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> > The server that I initially attempted the deletion on returns nothing.
> > The second server (the one currently throwing the consumer failed
> > replay error) returns this if I remove the nscpentrywsi attribute
> > filter. If I leave the attribute filter I don't get anything
> >
> > objectClass: posixgroup
> > objectClass: ipaobject
> > objectClass: mepManagedEntry
> > objectClass: top
> > objectClass: nsTombstone
> >
> > -andy
Re: [Freeipa-users] deleting ipa user
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:28 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> can you do the following search on both servers ?
>
> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>

The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy
Re: [Freeipa-users] deleting ipa user
can you do the following search on both servers ?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:07 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 03:40 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 03:14 PM, thierry bordaz wrote:

On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy

Hello, I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.

I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user ?
but maybe only
Re: [Freeipa-users] deleting ipa user
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:07 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 03:40 PM, Andy Thompson wrote:
> >> -Original Message-
> >> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> >> Sent: Wednesday, April 29, 2015 9:22 AM
> >> To: thierry bordaz
> >> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >> On 04/29/2015 03:14 PM, thierry bordaz wrote:
> >>
> >> On 04/29/2015 02:43 PM, Andy Thompson wrote:
> >>
> >> -Original Message-
> >> From: Martin Kosek [mailto:mko...@redhat.com]
> >> Sent: Wednesday, April 29, 2015 8:31 AM
> >> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >> On 04/29/2015 01:26 PM, Andy Thompson wrote:
> >>
> >> I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
> >>
> >> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> >> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> >> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> >> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> >> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> >> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> >>
> >> This is the first time I see this error. CCing Ludwig or Thierry to advise.
> >>
> >> Andy, please also include FreeIPA and 389
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:40 PM, Andy Thompson wrote:

-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 03:14 PM, thierry bordaz wrote:

On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy

Hello,

I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.

I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user ? but maybe only the mep plugin finds a tombstone and tries to delete it.

What was the command executed, is the result the same if repeated ?

I attempted using the web interface initially and then tried using ipa user-del to see if it gave any more detail.

were both attempts at 2015:07:21:32 ? or do you have more errors in the error log ?

More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess somethin
Re: [Freeipa-users] deleting ipa user
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 9:22 AM
> To: thierry bordaz
> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>
> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 29, 2015 8:31 AM
> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>
> I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
>
> This is the first time I see this error. CCing Ludwig or Thierry to advise.
>
> Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.
>
> Here you go
>
> ipa-server-4.1.0-18.el7_1.3.x86_64
> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>
> Thanks much
>
> -andy
>
> Hello,
>
> I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.
>
> I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted).
> So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user ? but maybe only the mep plugin finds a tombstone and tries to delete it.
>
> What was the command executed, is the r
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:14 PM, thierry bordaz wrote:

On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy

Hello,

I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.

I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user ? but maybe only the mep plugin finds a tombstone and tries to delete it.

What was the command executed, is the result the same if repeated ?

I have a non systematic test case for 48165. Is it happening systematically in your case ?

thanks
thierry
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 02:43 PM, Andy Thompson wrote:

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:

I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy

Hello,

I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.

I have a non systematic test case for 48165. Is it happening systematically in your case ?

thanks
thierry
Re: [Freeipa-users] deleting ipa user
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 29, 2015 8:31 AM
> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 01:26 PM, Andy Thompson wrote:
> > I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
> >
> > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
>
> This is the first time I see this error. CCing Ludwig or Thierry to advise.
>
> Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much

-andy
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 01:26 PM, Andy Thompson wrote:
> I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.
Thanks,
Martin
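The error-log excerpt quoted throughout this thread, run through a small parser that names the result codes and ties each failed managed-entry delete to the tombstone it hit. This is an added example, not part of any post and not FreeIPA or 389-ds code; it assumes the numbers in parentheses are standard LDAP result codes, and the function and variable names are hypothetical.

```python
import re

# Assumption: "(16)" and "(1)" are LDAP result codes as defined in RFC 4511.
LDAP_RESULT = {1: "operationsError", 16: "noSuchAttribute"}

# Copied from the thread with mail line wraps re-joined; the empty uid= and
# cn= values are as they appear on the page.
SAMPLE_LOG = '''\
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
'''

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
PATTERNS = {
    "referint_failed": re.compile(
        r'_update_all_per_mod: entry (?P<dn>.+?): deleting '
        r'"(?P<attr>\w+): (?P<value>[^"]*)" failed \((?P<rc>\d+)\)'),
    "tombstone_redelete": re.compile(
        r'Turning a tombstone into a tombstone! "(?P<dn>[^"]+)"'),
    "mep_delete_failed": re.compile(
        r"mep_del_post_op: failed to delete managed entry "
        r"\((?P<dn>[^)]*)\) - error \((?P<rc>\d+)\)"),
}


def parse(log_text):
    """Return one dict per recognised error-log line, in file order."""
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        for kind, pattern in PATTERNS.items():
            hit = pattern.search(line["msg"])
            if hit:
                event = {"ts": line["ts"], "src": line["src"],
                         "kind": kind, **hit.groupdict()}
                if "rc" in event:
                    event["rc"] = int(event["rc"])
                    event["rc_name"] = LDAP_RESULT.get(event["rc"], "unknown")
                events.append(event)
                break
    return events


def live_dn(tombstone_dn):
    """Strip the leading nsuniqueid RDN that a tombstone DN carries."""
    rdn, _, rest = tombstone_dn.partition(",")
    return rest if rdn.lower().startswith("nsuniqueid=") else tombstone_dn


def managed_entry_redeletes(events):
    """Managed-entry DNs whose delete failed in the same second as a
    tombstone re-delete warning for the same entry."""
    tombstoned = {(e["ts"], live_dn(e["dn"]))
                  for e in events if e["kind"] == "tombstone_redelete"}
    return sorted({e["dn"] for e in events if e["kind"] == "mep_delete_failed"
                   and (e["ts"], e["dn"]) in tombstoned})
```

Under that assumption, code 16 on the two referint lines means the member value was already absent from the referencing entries, and code 1 from the managed entries plugin is the "operations error" the client saw.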