On 04/29/2015 06:45 PM, Andy Thompson wrote:
-----Original Message-----
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:58 PM, Andy Thompson wrote:
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327
thought I tried that before, apparently not.
ok, so we have the entry on one server, the csn of the objectclass: tombstone is :
objectClass;vucsn-5540deb8000300030000: nsTombstone
, which matches the csn in the error log:
Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
so the state of the entry is as expected.
Now we need to find it on the other server. If the search for the & filter with
nstombstone does return nothing, could you try
If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D
"cn=directory manager" -W -b "dc=mhbenp,dc=lin"
"(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter
it returns nothing on the primary server
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
userPassword::
e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJ
ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVh
qTXQxUT09
krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 1249000003
gidNumber: 1249000003
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but
is missing. Did you run the command with the 'nscpentrywsi' requested attribute?
Maybe nsuniqueid was hidden for that reason but I would be surprised.
nsuniqueid is a key element of replication. I wonder how replication can find
the entry itself. nsuniqueid could be in the index but then the entry is
corrupted.
If I request the nscpentrywsi attribute I get
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003::
nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
Ok, so here is my understanding:
on the second replica (where you succeeded in doing 'ipa user-del <username>')
the entry looks like this:
dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000300030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8
On the first replica (where you failed to delete the entry and where you can
see the replication errors)
dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000000030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8
This is not the same entry. It is like two entries with the same 'uid' were
created.
Also note that those two entries were deleted on the same replica (replica
ID=3: likely the second replica) almost at the same time.
The error is logged on the first replica about
"nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
So I think the entry you dumped on the first replica is not the one we were
looking at.
The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but
was not returned by the search.
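
Added example, not part of the original thread: a small Python helper that decodes the CSNs and compares the nsUniqueId values of the two tombstones discussed above. It assumes the 389 Directory Server CSN layout (8 hex digits of timestamp, 4 of sequence number, 4 of replica ID, 4 of sub-sequence) and unwrapped nscpentrywsi lines; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

class CSN(NamedTuple):
    time: datetime  # UTC time the change was made
    seq: int        # sequence number within that second
    rid: int        # ID of the replica where the change originated
    subseq: int     # sub-sequence number

def decode_csn(csn: str) -> CSN:
    """Split a 20-hex-digit CSN into timestamp, seq, replica ID, subseq."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    ts, seq, rid, sub = (int(csn[a:b], 16) for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return CSN(datetime.fromtimestamp(ts, tz=timezone.utc), seq, rid, sub)

def tombstone_info(dump: str) -> tuple:
    """Return (nsUniqueId, decoded tombstone CSN) from an nscpentrywsi dump."""
    uid = re.search(r"^nscpentrywsi: nsUniqueId: (\S+)\s*$", dump, re.M | re.I)
    csn = re.search(r"^nscpentrywsi: objectClass;vucsn-([0-9a-f]{20}): nsTombstone\s*$",
                    dump, re.M | re.I)
    if not (uid and csn):
        raise ValueError("dump has no nsUniqueId or no nsTombstone objectClass")
    return uid.group(1), decode_csn(csn.group(1))

def compare(dump_a: str, dump_b: str) -> dict:
    """Say whether two tombstone dumps are the same entry, deleted where and when."""
    uid_a, csn_a = tombstone_info(dump_a)
    uid_b, csn_b = tombstone_info(dump_b)
    return {
        "same_entry": uid_a == uid_b,
        "same_origin_replica": csn_a.rid == csn_b.rid,
        "seconds_apart": abs((csn_a.time - csn_b.time).total_seconds()),
    }

# Lines copied from the two dumps in this thread (unwrapped).
SECOND_REPLICA = """\
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
"""
FIRST_REPLICA = """\
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
"""

if __name__ == "__main__":
    print(decode_csn("5540deb8000300030000"))
    print(compare(SECOND_REPLICA, FIRST_REPLICA))
```
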