Bob Hinton wrote:
On 03/08/2016 07:15, Petr Spacek wrote:
On 3.8.2016 00:58, Bob Hinton wrote:
Hi,
Something went wrong when trying to restore some preserved users so I
deleted them and then tried to recreate them. This failed with -
ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.
Trying to delete this group produces -
ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.
Trying to detach it with
ipa group-detach XXXXX
produces
ipa: ERROR: XXXXX: group not found
ipa group-show XXXXX
I would try
$ ipa group-show XXXXX --all --raw
That could show us if there is something interesting, like a replication
conflict or so.
Petr^2 Spacek
Hi Petr,
This produces ...
ipa group-show XXXXX --all --raw
dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
cn: XXXXX
description: User private group for XXXXX
gidnumber: 799830053
ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
We do have some replication problems at the moment - two recreated
replicas currently have two RUVs, so could this be how the user
delete completed without the corresponding group?
Not sure. The 389-ds plugin should, by definition, remove the group when
a user is deleted. I'd be more inclined to believe that the group was
added and the user not in a replication event.
Removing the group requires an ldapmodify:
% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
^D
modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"
% ipa group-del deleteme
------------------------
Deleted group "deleteme"
------------------------
Makes me wonder if the managed entry plugin should allow deletion if the
other side of the link doesn't exist. I'll investigate this.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
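
An added example, not part of the thread and not FreeIPA code: given an LDIF export of the cn=accounts subtree (for instance from ldapsearch), it finds groups still marked mepManagedEntry whose mepManagedBy user entry is absent from the export and emits the modify shown in Rob's reply for each one. The function names and the sample LDIF are assumptions made for this example, and DN comparison is simplified to case-folding and whitespace trimming.

```python
import base64
# Constructed sample export: alice still has her user entry, "deleteme" does not.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=deleteme,cn=users,cn=accounts,
 dc=example,dc=com
"""

def norm_dn(dn):  # simplified comparison: case-fold, drop spaces around commas
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Parse LDIF into {attr: [values]} dicts; handles folded and base64 lines."""
    entries = []
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]  # drops "version: 1" and empty blocks

def orphaned_groups(entries):
    """Managed entries whose mepManagedBy target is missing from the export."""
    present = {norm_dn(e["dn"][0]) for e in entries}
    return [e for e in entries
            if "mepmanagedentry" in {c.lower() for c in e.get("objectclass", [])}
            and e.get("mepmanagedby") and norm_dn(e["mepmanagedby"][0]) not in present]

def detach_ldif(entry):
    """The modify from the thread; assumes ASCII-safe DNs (no base64 on output)."""
    return "\n".join([f"dn: {entry['dn'][0]}", "changetype: modify",
                      "delete: objectclass", "objectclass: mepManagedEntry", "-",
                      "delete: mepManagedBy",
                      f"mepManagedBy: {entry['mepmanagedby'][0]}", ""])

if __name__ == "__main__":
    print("\n".join(detach_ldif(g) for g in orphaned_groups(parse_ldif(SAMPLE_LDIF))))
```

The export has to include the users container as well as the groups container; if it does not, every private group will be reported as orphaned.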