In many cases, the matching group for service users was created by either error or mistake. Those service users are mostly under some group collecting them, which is also assigned as GID. So the leftovers were detached and deleted, so that there is less confusion. So far there were no issues like this.

--
*Sándor Juhász*
System Administrator
*ChemAxon* *Kft*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964

On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Sandor Juhasz wrote:
> > Was detached and deleted prior to the user's deletion.
> > First modified by
> > dn: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
> > changetype: modify
> > delete: objectclass
> > objectclass: mepManagedEntry
> > -
> > delete: mepManagedBy
> >
> > Then deleted.
>
> I don't know if this is the issue or not but the user still shows:
>
> objectClass: mepOriginEntry
> mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
>
> What led you to manually disconnect the group?
>
> rob
>
> > --
> > *Sándor Juhász*
> > System Administrator
> > *ChemAxon* *Kft*.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>> wrote:
> >
> > Sandor Juhasz via FreeIPA-users wrote:
> > > We have an entry, what after clicking delete on the UI got partially
> > > deleted.
> > > The compat tree entry is gone.
> > > The accounts tree entry is there.
> > > ldapsearch finds the entry by uid, but does fail by dn.
> > > ipa user-show <USERID> finds the user
> > > ipa user-del <USERID> says no such user
> > > ldapdelete fails to delete the entry by dn with err=32
> > > Web ui shows user
> > > User content can be modified from ipa cli and web ui - like name, shell,
> > > but cannot be deleted
> > > Other entries can be created and deleted without issue.
> > > We have 4way master-master replication. Tried cli on 3 and got same
> > > result and issue.
> > > The third is not touched and the entry is available there both accounts
> > > and compat tree.
> > >
> > >
> > > ipa-server-4.6.4-10.el7.centos.3.x86_64
> > > CentOS Linux release 7.6.1810 (Core)
> > >
> > > On full broken master:
> > > # <USERID>, users, accounts, cxn
> > > dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
> > > gecos: FOO BAR
> > > displayName: FOO BAR
> > > krbLastAdminUnlock: 20190807124134Z
> > > krbLoginFailedCount: 0
> > > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> > > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> > > memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> > > gidNumber: <GID>
> > > uidNumber: <UID>
> > > ipaUniqueID: <RANDOMUNIQUEID>
> > > cn: BAZ
> > > givenName: FOO
> > > krbPrincipalName: <USERID>@CXN
> > > mail: <MAIL>
> > > homeDirectory: /home/<USERID>
> > > sn: BAR
> > > initials: cU
> > > loginShell: /bin/false
> > > objectClass: ipaobject
> > > objectClass: person
> > > objectClass: top
> > > objectClass: ipasshuser
> > > objectClass: inetorgperson
> > > objectClass: organizationalperson
> > > objectClass: krbticketpolicyaux
> > > objectClass: krbprincipalaux
> > > objectClass: inetuser
> > > objectClass: posixaccount
> > > objectClass: ipaSshGroupOfPubKeys
> > > objectClass: mepOriginEntry
> > > krbCanonicalName: <USERID>@CXN
> > > uid: <USERID>
> > > mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
> > > krbPasswordExpiration: 20170615133527Z
> > > krbLastPwdChange: 20170615133527Z
> > > krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
> >
> > Can you check to see if the group entry exists,
> > cn=<USERID>,cn=groups,cn=accounts,dc=cxn via ldapsearch?
> >
> > rob
> >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
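
The thread shows a user entry that still carries `objectClass: mepOriginEntry` and a `mepManagedEntry` value after the referenced group was deleted. As an added example (not part of the thread and not FreeIPA code), this Python check scans an LDIF export such as saved ldapsearch output and lists origin entries whose managed entry is absent. The sample entries and function names are constructed, and the DN comparison assumes no escaped commas.

```python
# Constructed sample LDIF (not from the thread): alice's managed group entry is
# absent from the export, bob's is present (written with a folded line).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example
objectClass: mepOriginEntry
uid: alice
mepManagedEntry: cn=alice,cn=groups,cn=accounts,dc=example

dn: uid=bob,cn=users,cn=accounts,dc=example
objectClass: mepOriginEntry
uid: bob
mepManagedEntry: cn=Bob, cn=groups,cn=accounts,
 dc=example

dn: cn=bob,cn=groups,cn=accounts,dc=example
objectClass: mepManagedEntry
mepManagedBy: uid=bob,cn=users,cn=accounts,dc=example
"""

def norm_dn(dn):
    """Comparison key: lowercase, no spaces around RDN separators (no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):  # base64 ("::") values stay encoded
                attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def dangling_managed_entries(entries):
    """List (origin dn, missing managed dn) for mepOriginEntry objects."""
    findings = []
    for dn, attrs in entries.items():
        if "meporiginentry" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for target in attrs.get("mepmanagedentry", []):
            if norm_dn(target) not in entries:
                findings.append((dn, norm_dn(target)))
    return findings

if __name__ == "__main__":
    print(dangling_managed_entries(parse_ldif(SAMPLE_LDIF)))
```

The export has to cover both the users and the groups containers, otherwise every reference is reported as missing.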