On 04/29/2015 07:15 PM, Andy Thompson wrote:
-----Original Message-----
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 1:07 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 06:45 PM, Andy Thompson wrote:
-----Original Message-----
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:58 PM, Andy Thompson wrote:
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327
thought I tried that before, apparently not.
ok, so we have the entry on one server, the csn of the objectclass: tombstone is :
objectClass;vucsn-5540deb8000300030000: nsTombstone
, which matches the csn in the error log:
Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
so the state of the entry is as expected.
Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 1249000003
gidNumber: 1249000003
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing. Did you run the command with the 'nscpentrywsi' requested attribute? Maybe nsuniqueid was hidden for that reason but I would be surprised.
nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.
If I request the nscpentrywsi attribute I get
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
Ok, so here is my understanding:
on the second replica (where you succeeded in doing 'ipa user-del <username>') the entry looks like:
Sorry that was from the replica where I tried to do the delete and failed. This is from
the second replica where I successfully deleted the entry but now has the "failed to
replay change" error being logged. I've run so many queries I'm starting to lose
track :)
difficult to keep following track with replication :-)
You got a first replica where you failed to delete the entry.
You got a second replica where you succeeded to delete the entry.
On first replica you can see messages like:
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
On the second replica you can see messages like:
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
On the first replica, you had difficulties to retrieve the entry and
finally had to remove 'nsuniqueid' from the filter to retrieve this entry
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
...
On the second replica you can see the entry:
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
Note that the entry retrieved on the first replica has
nsuniqueid=7e1a1f82..
while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
It differs '2' instead of '7'. So this is not the same entry (from replication
point of view).
The error reported in the first replica was about
Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...
The error reported in the second replica was also about
Consumer failed to replay change (uniqueid 7e1a1f87...
So I think the entry you dumped on the first replica is not (should not be) the
one we are looking for.
Although it could be two entries having the same DN but that was deleted, added
and then deleted again.
The difficulty is to retrieve it (on the first replica) as we cannot specify
its 'nsuniqueid' to retrieve it.
Maybe you can retrieve it with its
(&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
thanks
thierry
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 384
nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52322
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
On the first replica (where you failed to delete the entry and where you can see the replication errors)
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
This is not the same entry. It is like two entries with the same 'uid' were created.
Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.
The error is logged on the first replica about "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
So I think the entry you dumped on the first replica is not the one we were looking at.
The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.
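The comparison made by hand in this thread (which tombstone does the failing replay refer to, and which replica generated the delete) can be scripted. The following is an added example, not code from the thread or from the 389 Directory Server project; it assumes unwrapped `ldapsearch -o ldif-wrap=no` output with `nscpentrywsi` requested, and relies on the CSN layout of 8 hex digits of time followed by 4 each of sequence number, replica ID and sub-sequence. The function and variable names are made up for the illustration, and the sample strings are excerpts of the log line and dumps quoted above, trimmed to the relevant lines.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

class CSN(NamedTuple):
    time: datetime   # when the change was generated
    seq: int         # sequence number within that second
    rid: int         # replica ID that originated the change
    subseq: int

def parse_csn(text):
    """Split a 389-DS CSN: 8 hex digits of time, then 4 each of seq, replica ID, subseq."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
        raise ValueError(f"not a CSN: {text!r}")
    ts, seq, rid, sub = (int(text[i:j], 16) for i, j in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return CSN(datetime.fromtimestamp(ts, timezone.utc), seq, rid, sub)

ERR_RE = re.compile(r"failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{20})\)")
DN_RE = re.compile(r"^dn: nsuniqueid=([0-9a-f-]+),(.+)$", re.M)
TOMB_RE = re.compile(r"^nscpentrywsi: nstombstonecsn: ([0-9a-f]{20})$", re.M)

def tombstones(ldif):
    """Map nsuniqueid -> (original DN, tombstone CSN) for each entry of an unwrapped dump."""
    found = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        dn, csn = DN_RE.search(entry), TOMB_RE.search(entry)
        if dn and csn:
            found[dn.group(1)] = (dn.group(2), parse_csn(csn.group(1)))
    return found

def triage(error_log, ldif):
    """For every failed replay, return (uniqueid, CSN, matching tombstone or None)."""
    found = tombstones(ldif)
    return [(uid, parse_csn(csn), found.get(uid)) for uid, csn in ERR_RE.findall(error_log)]

# Excerpts copied from the thread and trimmed to the lines the analysis uses.
ERROR_LOG = ('[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - '
             'agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to '
             'replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, '
             'CSN 5540deb8000300030000): Operations error (1). Will retry later.')
USER_DUMP = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
"""
GROUP_DUMP = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
"""

if __name__ == "__main__":
    for name, dump in (("user tombstone", USER_DUMP), ("group tombstone", GROUP_DUMP)):
        for uid, csn, hit in triage(ERROR_LOG, dump):
            print(f"{name}: change {uid} from replica {csn.rid} at {csn.time:%H:%M:%S}Z ->",
                  f"found under {hit[0]}" if hit else "NOT the entry in this dump")
```

Run against the two dumps, the failing change matches only the tombstone under cn=groups, and both tombstone CSNs decode to replica ID 3 with the same timestamp and sequence numbers 0 and 3.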