[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

Tue, 13 Mar 2018 06:40:52 -0700 


On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote:

Hi Ludwig,

On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote:

Hi,
to get rid of this ruv entry with replicaid 7 you could try to run the cleanallruv task directly. On any server (and onöy on one) run 

ldapmodify ..... -D "cn=directory manager"
|dn: cn=clean 7, cn=cleanallruv, cn=tasks, cn=config changetype: add objectclass: extensibleObject replica-base-dn: <your suffix > replica-id: 7 replica-force-cleaning: yes |
|But I would like to understand how you did get in|to this state, we have seen this occasionly, but have no reproducer. Unfortunately the csn for replicaid 7 is from Jan, 19th 2017 11:01:16 - so you will probably not remember 
||
Not sure if its related, but I wrote an EMail to freeipa-users on that day, 
reporting an internal error. See

https://www.redhat.com/archives/freeipa-users/2017-January/msg00286.html
the csn of the replicaid 7 is from Jan,19th, two days later. maybe you did ad a new replica, or removed one or ... 

Looks like you have three problems and I don't think they are related.
1] corrupt RUV element, as Thierry said, we believe to have an an explanation how it could occur before a specific fix, and since it is there for one year you didn't have that fix. To get rid of this you could apply cleanallruv as I suggested in a previous mail, if you do not want to do it, I think it was there for quite some time and doesn't do really any harm except raising errors in decoding it.
2] conflicts, looks like you have conflitcts remaining which are relate to managed entries, these are espcially bad and difficult to handle. if you delete the conflict of an original entry it will delete the real managed entry and not the conflict of the managed entry. And the managed entry plugin is trying to prevent you to modify these entries directly. So what you can do is: determine which entries should be there, then delete them or rename them, if managed enty plugin gets in the way, either disable the MEP plugin temporarily or modify teh entries by deleting the mep objectclasses and attributes, cleanup the conflicts and fix them again
3] Retro Changelog errors: An error occured while adding change number 14065299 ..... This looks like the retro changelog did mess up the counter to generate the next entry. a restart should hopefully reset it and let the RCL continue 



The conflict is still not resolved completely. There are 2 entries I
could not cleanup, see below. What would you suggest?
[root@ipa1 ~]# ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -w secret -b "dc=example,dc=de" "nsds5ReplConflict=*" \* nsds5ReplConflict 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=de> with scope subtree
# filter: nsds5ReplConflict=*
# requesting: * nsds5ReplConflict
#
# ipaservers + 109be302-ccd911e6-a5b3d0c8-d8da17db, hostgroups, accounts, example.de dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de memberOf: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de 
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 14a4041e-ccd9-11e6-b194-fe4936c476ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de 

# ipaservers + 109be304-ccd911e6-a5b3d0c8-d8da17db, ng, alt, example.de
dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de memberHost: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de 
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: example.de
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
ipaUniqueID: 15699da0-ccd9-11e6-b194-fe4936c476ff
nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de 

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
[root@ipa1 ~]# ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -w secret -b "cn=hostgroups,cn=accounts,dc=example,dc=de" 
# extended LDIF
#
# LDAPv3
# base <cn=hostgroups,cn=accounts,dc=example,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hostgroups, accounts, example.de
dn: cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: top
objectClass: nsContainer
cn: hostgroups

# admin_hosts, hostgroups, accounts, example.de
dn: cn=admin_hosts,cn=hostgroups,cn=accounts,dc=example,dc=de
memberOf: ipaUniqueID=18c7ac56-c9a3-11e5-a675-00165cee60d7,cn=hbac,dc=example,dc=de 
memberOf: cn=admin_hosts,cn=ng,cn=alt,dc=example,dc=de
member: fqdn=srvl023.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de 
mepManagedEntry: cn=admin_hosts,cn=ng,cn=alt,dc=example,dc=de
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry
cn: admin_hosts
description: hosts with restricted access
ipaUniqueID: ecc0a97c-c9a3-11e5-bcd9-00165cee60d7

# ipaservers, hostgroups, accounts, example.de
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=de memberOf: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=de memberOf: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=de memberOf: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=de 
memberOf: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=de memberOf: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=de memberOf: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=example,dc=de memberOf: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=example,dc=de 
memberOf: cn=Read DNA Range,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=example,dc=de 
member: fqdn=ipa3.example.de,cn=computers,cn=accounts,dc=example,dc=de
member: fqdn=ipa2.example.de,cn=computers,cn=accounts,dc=example,dc=de
member: fqdn=ipa1.example.de,cn=computers,cn=accounts,dc=example,dc=de
member: fqdn=ipa4.example.de,cn=computers,cn=accounts,dc=example,dc=de
member: fqdn=ipa0.example.de,cn=computers,cn=accounts,dc=example,dc=de
member: fqdn=ipabak.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de 
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 115a2f2c-ccd9-11e6-93fa-fe49d2c33fca
# ipaservers + 109be302-ccd911e6-a5b3d0c8-d8da17db, hostgroups, accounts, example.de dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de memberOf: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de 
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
objectClass: top
objectClass: ipahostgroup
objectClass: ipaobject
objectClass: groupOfNames
objectClass: nestedGroup
objectClass: mepOriginEntry
description: IPA server hosts
cn: ipaservers
ipaUniqueID: 14a4041e-ccd9-11e6-b194-fe4936c476ff

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa1 ~]# ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -w secret -b "cn=ng,cn=alt,dc=example,dc=de" 
# extended LDIF
#
# LDAPv3
# base <cn=ng,cn=alt,dc=example,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ng, alt, example.de
dn: cn=ng,cn=alt,dc=example,dc=de
objectClass: nsContainer
objectClass: top
cn: ng

# admin_hosts, ng, alt, example.de
dn: cn=admin_hosts,cn=ng,cn=alt,dc=example,dc=de
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: example.de
cn: admin_hosts
memberHost: cn=admin_hosts,cn=hostgroups,cn=accounts,dc=example,dc=de
description: ipaNetgroup admin_hosts
mepManagedBy: cn=admin_hosts,cn=hostgroups,cn=accounts,dc=example,dc=de
ipaUniqueID: ecc27612-c9a3-11e5-bcd9-00165cee60d7

# ipaservers + 109be304-ccd911e6-a5b3d0c8-d8da17db, ng, alt, example.de
dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de memberHost: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de 
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: example.de
cn: ipaservers
description: ipaNetgroup ipaservers
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
ipaUniqueID: 15699da0-ccd9-11e6-b194-fe4936c476ff

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
Please note that there is no "cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de" 

Every helpful comment is highly appreciated.
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org 

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to