Bob Hinton wrote:
On 03/08/2016 07:15, Petr Spacek wrote:
On 3.8.2016 00:58, Bob Hinton wrote:
Hi,

Something went wrong when trying to restore some preserved users so I
deleted them and then tried to recreate them. This failed with -

ipa: ERROR: Unable to create private group. A group 'XXXXX'  already exists.

Trying to delete this group produces -

ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.

Trying to detach it with

ipa group-detach XXXXX

produces

ipa: ERROR: XXXXX: group not found

ipa group-show XXXXX

I would try
$ ipa group-show XXXXX --all --raw

that could show us if there is something interesting like replication conflict
or so.

Petr^2 Spacek

Hi Petr,

This produces ...

ipa group-show XXXXX --all --raw
   dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
   cn: XXXXX
   description: User private group for XXXXX
   gidnumber: 799830053
   ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
   mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
   objectClass: posixgroup
   objectClass: ipaobject
   objectClass: mepManagedEntry
   objectClass: top

We do have some replication problems at the moment - two recreated
replicas currently have two RUVs, so could this be how the user
delete completed without the corresponding group?

Not sure. The 389-ds plugin should, by definition, remove the group when a user is deleted. I'd be more inclined to believe that the group was added and the user not in a replication event.

Removing the group requires an ldapmodify:

% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
^D
modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"

% ipa group-del deleteme
------------------------
Deleted group "deleteme"
------------------------

Makes me wonder if the managed entry plugin should allow deletion if the other side of the link doesn't exist. I'll investigate this.

rob
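A small shell helper, added here and not taken from the thread, that turns rob's manual recovery into reusable pieces: it pulls the group DN and the mepManagedBy pointer out of `ipa group-show --raw` output, emits the same two-step LDIF rob fed to ldapmodify, and wraps the one check a practitioner wants before detaching (does the referenced user really no longer exist?). The raw output sample is constructed to match the shape of Bob's paste, with example.com names; `raw_attr`, `detach_ldif` and `owner_exists` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Recovers an orphaned user
# private group the way rob did: strip the managed-entry link so that
# `ipa group-del` stops refusing. The sample --raw output is constructed.

# raw_attr NAME  <raw-output
# Print the first value of attribute NAME (case-insensitive) from
# `ipa ... --raw` output on stdin; exit 1 if the attribute is absent.
raw_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # ipa indents --raw output
            i = index(line, ":")
            if (i == 0) next
            if (tolower(substr(line, 1, i - 1)) != want) next
            val = substr(line, i + 1)
            sub(/^[ \t]+/, "", val)
            print val
            found = 1
            exit                             # first value only
        }
        END { exit found ? 0 : 1 }'
}

# detach_ldif GROUP_DN MANAGED_BY_DN
# Emit the two modifications rob applied: drop the mepManagedEntry
# objectclass and the mepManagedBy pointer to the (missing) user.
detach_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: $2
EOF
}

# owner_exists MANAGED_BY_DN
# Guard before detaching: a base-scope search of the user DN fails with
# LDAP result code 32 (noSuchObject), which ldapsearch returns as its
# exit status, when the user really is gone. Needs a Kerberos ticket,
# like rob's ldapmodify. Not invoked below: this example runs offline.
owner_exists() {
    ldapsearch -Q -Y GSSAPI -LLL -s base -b "$1" dn >/dev/null 2>&1
}

# Constructed sample shaped like Bob's `ipa group-show XXXXX --all --raw`.
SAMPLE_RAW='  dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
  cn: deleteme
  description: User private group for deleteme
  gidnumber: 799830053
  mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top'

# Demo: parse the sample and print the LDIF to pipe into
# `ldapmodify -Y GSSAPI`, after which `ipa group-del deleteme` succeeds.
group_dn=$(printf '%s\n' "$SAMPLE_RAW" | raw_attr dn)
managed_by=$(printf '%s\n' "$SAMPLE_RAW" | raw_attr mepManagedBy)
detach_ldif "$group_dn" "$managed_by"
```

In practice the sequence is `kinit admin`, then `ipa group-show GROUP --all --raw | ...` into `raw_attr`, run `owner_exists "$managed_by"` and only when it fails pipe `detach_ldif` into `ldapmodify -Y GSSAPI`, then `ipa group-del GROUP`. Detaching a private group whose user still exists would leave the user without its managed group, which is why the existence check comes first.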

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project