<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/29/2015 07:15 PM, Andy Thompson
      wrote:<br>
    </div>
    <blockquote
      cite="mid:d47f12654b1547c0b61f047b0f10c470@TCCCORPEXCH02.TCC.local"
      type="cite">
      <pre wrap="">

</pre>
      <blockquote type="cite">
        <pre wrap="">-----Original Message-----
From: thierry bordaz [<a class="moz-txt-link-freetext" href="mailto:tbordaz@redhat.com">mailto:tbordaz@redhat.com</a>]
Sent: Wednesday, April 29, 2015 1:07 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 06:45 PM, Andy Thompson wrote:


                -----Original Message-----
                From: thierry bordaz [<a class="moz-txt-link-freetext" href="mailto:tbordaz@redhat.com">mailto:tbordaz@redhat.com</a>]
                Sent: Wednesday, April 29, 2015 12:28 PM
                To: Andy Thompson
                Cc: Ludwig Krispenz; Martin Kosek; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
                Subject: Re: [Freeipa-users] deleting ipa user

                On 04/29/2015 05:58 PM, Andy Thompson wrote:


                                        dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                                        nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                                        nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
                                        nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
                                        nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
                                        nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
                                        nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
                                        nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
                                        nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
                                        nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
                                        nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
                                        nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
                                        nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
                                        nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
                                        nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
                                        nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
                                        nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
                                        nscpentrywsi: parentid: 4
                                        nscpentrywsi: entryid: 385
                                        nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
                                        nscpentrywsi: nstombstonecsn: 5540deb8000300030000
                                        nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                                        nscpentrywsi: entryusn: 52327

                                        thought I tried that before, apparently not.

                                ok, so we have the entry on one server, the csn of the objectclass: tombstone is :

                                objectClass;vucsn-5540deb8000300030000: nsTombstone

                                , which matches the csn in the error log:

                                Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)

                                so the state of the entry is as expected.

                                Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try


                        If I run ldapsearch -LLL -o ldif-wrap=no -H <a class="moz-txt-link-freetext" href="ldap://mdhixnpipa01">ldap://mdhixnpipa01</a> -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter it returns nothing on the primary server

                        dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
                        memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                        memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
                        ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
                        krbLastSuccessfulAuth: 20150421180533Z
                        krbPasswordExpiration: 20150720180532Z
                        krbLoginFailedCount: 0
                        krbTicketFlags: 128
                        krbLastPwdChange: 20150421180532Z
                        krbLastFailedAuth: 20150421180457Z
                        mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
                        displayName: user name
                        cn: User Name
                        objectClass: ipaobject
                        objectClass: person
                        objectClass: top
                        objectClass: ipasshuser
                        objectClass: inetorgperson
                        objectClass: organizationalperson
                        objectClass: krbticketpolicyaux
                        objectClass: krbprincipalaux
                        objectClass: inetuser
                        objectClass: posixaccount
                        objectClass: ipaSshGroupOfPubKeys
                        objectClass: mepOriginEntry
                        objectClass: ipantuserattrs
                        objectClass: nsTombstone
                        loginShell: /bin/bash
                        initials: GF
                        gecos: User Name
                        homeDirectory: /home/username
                        uid: username
                        mail: <a class="moz-txt-link-abbreviated" href="mailto:username@mhbenp.lin">username@mhbenp.lin</a>
                        krbPrincipalName: <a class="moz-txt-link-abbreviated" href="mailto:username@MHBENP.LIN">username@MHBENP.LIN</a>
                        givenName: User
                        sn: name
                        ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
                        uidNumber: 1249000003
                        gidNumber: 1249000003
                        nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8



                In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing. Did you run the command with the 'nscpentrywsi' requested attribute? Maybe nsuniqueid was hidden for that reason but I would be surprised.

                nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.




        If I request the nscpentrywsi attribute I get

        dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
        nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
        nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
        nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
        nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
        nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
        nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
        nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
        nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
        nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
        nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
        nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
        nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
        nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
        nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
        nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
        nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
        nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
        nscpentrywsi: initials;vucsn-55364a42000100040000: GF
        nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
        nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
        nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
        nscpentrywsi: mail;vucsn-55364a42000100040000: <a class="moz-txt-link-abbreviated" href="mailto:username@mhbenp.lin">username@mhbenp.lin</a>
        nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: <a class="moz-txt-link-abbreviated" href="mailto:username@MHBENP.LIN">username@MHBENP.LIN</a>
        nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
        nscpentrywsi: sn;vucsn-55364a42000100040000: Name
        nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
        nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
        nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
        nscpentrywsi: parentid: 3
        nscpentrywsi: entryid: 385
        nscpentrywsi: uidNumber: 1249000003
        nscpentrywsi: gidNumber: 1249000003
        nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
        nscpentrywsi: nstombstonecsn: 5540deb8000000030000
        nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
        nscpentrywsi: entryusn: 57524
        nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:


Ok, so here is my understanding:
on the second replica (where you succeeded in doing 'ipa user-del <username>')
the entry looks like:
</pre>
      </blockquote>
      <pre wrap="">
Sorry that was from the replica where I tried to do the delete and failed.  This is from the second replica where I successfully deleted the entry but now has the "failed to replay change" error being logged.  I've run so many queries I'm starting to lose track :)
</pre>
    </blockquote>
    Difficult to keep track with replication <span
      class="moz-smiley-s1"><span> :-) </span></span><br>
    <br>
    You got a first replica where you failed to delete the entry.<br>
    You got a second replica where you succeeded in deleting the entry.<br>
    <br>
    On first replica you can see messages like:<br>
    <pre wrap="">[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1</pre>
    <br>
    On the second replica you can see messages like:<br>
    <pre wrap="">[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.


</pre>
    On the first replica, you had difficulty retrieving the entry and
    finally had to remove 'nsuniqueid' from the filter to retrieve this
    entry:<br>
    <pre wrap="">dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
...

</pre>
    <br>
    On the second replica you can see the entry:<br>
    <pre wrap="">dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
</pre>
    <br>
    <br>
    Note that the entry retrieved on the first replica has <tt>nsuniqueid=7e1a1f82..</tt>
    <br>
    while the entry retrieved on the second replica has <tt>nsuniqueid=7e1a1f87
      ...</tt><br>
    <pre wrap=""><font face="sans-serif">It differs: '2' instead of '7'. So this is not the same entry (from a replication point of view).

The error reported in the first replica was about </font>
Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...


<font face="sans-serif">The error reported in the second replica was also about
</font>Consumer failed to replay change (uniqueid 7e1a1f87...


<font face="sans-serif">So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.
Although it could be two entries having the same DN but that was deleted, added and then deleted again.

The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
Maybe you can retrieve it with its (&(objectclass=nstombstone)(ipauniqueid=</font><font face="sans-serif">94dc1638-e826-11e4-878a-005056a92af3))


thanks
thierry
</font>
</pre>
    <blockquote
      cite="mid:d47f12654b1547c0b61f047b0f10c470@TCCCORPEXCH02.TCC.local"
      type="cite">
      <pre wrap="">

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: <a class="moz-txt-link-abbreviated" href="mailto:username@mhbenp.lin">username@mhbenp.lin</a>
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: <a class="moz-txt-link-abbreviated" href="mailto:username@MHBENP.LIN">username@MHBENP.LIN</a>
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 384
nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52322
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
</pre>
      <blockquote type="cite">
        <pre wrap="">
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8



On the first replica (where you failed to delete the entry and where you can see the replication errors)
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8


This is not the same entry. It is like two entries with the same 'uid' were created.
Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.

The error is logged on the first replica about "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".

So I think the entry you dumped on the first replica is not the one we were looking at.
The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.



</pre>
      </blockquote>
      <pre wrap="">
</pre>
    </blockquote>
    <br>
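    <p>Added example (not part of the original thread, and not code from the 389 Directory Server or FreeIPA projects): the comparison done by eye above, as a script that takes the uniqueid and CSN from a "failed to replay change" error and checks them against the tombstone found on each replica. The function names are hypothetical, the sample inputs are constructed from values quoted in the thread, and the CSN layout assumed is 8 hex digits of timestamp followed by 4 each of sequence number, replica ID and sub-sequence number.</p>

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed sample input, built from the values quoted in the thread.
SAMPLE_LOG = """\
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
[29/Apr/2015:09:35:43 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
"""
SAMPLE_DUMPS = {
    "first replica": """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
""",
    "second replica": """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
""",
}


class CSN(NamedTuple):
    when: datetime  # origination time of the change, UTC
    seqnum: int
    replica_id: int
    subseqnum: int


def parse_csn(text: str) -> CSN:
    """Decode a 20-hex-digit change sequence number (layout is an assumption)."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
        raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
    ts, seq, rid, sub = (int(text[a:b], 16)
                         for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return CSN(datetime.fromtimestamp(ts, tz=timezone.utc), seq, rid, sub)


REPLAY_FAILURE = re.compile(
    r"Consumer failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{20})\)")


def failed_changes(log_text: str) -> set:
    """Distinct (uniqueid, csn) pairs; retries of one change collapse to one."""
    return set(REPLAY_FAILURE.findall(log_text))


def tombstone_identity(dump: str) -> dict:
    """Extract nsUniqueId / nstombstonecsn / nscpEntryDN from an nscpentrywsi
    dump with one unfolded attribute per line (ldapsearch -o ldif-wrap=no)."""
    wanted = {"nsuniqueid", "nstombstonecsn", "nscpentrydn"}
    found = {}
    for line in dump.splitlines():
        m = re.match(r"\s*nscpentrywsi:\s*([^:;\s]+)[^:]*:+\s*(.*)$", line)
        if m and m.group(1).lower() in wanted:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def classify(failure: tuple, dumps_by_replica: dict) -> dict:
    """Say, per replica, whether the dumped tombstone is the entry in the error."""
    uniqueid, csn = failure
    verdicts = {}
    for replica, dump in dumps_by_replica.items():
        ident = tombstone_identity(dump)
        if ident.get("nsuniqueid") != uniqueid:
            verdicts[replica] = "different entry"
        elif ident.get("nstombstonecsn") == csn:
            verdicts[replica] = "same entry, same tombstone CSN"
        else:
            verdicts[replica] = "same entry, other tombstone CSN"
    return verdicts


if __name__ == "__main__":
    for failure in sorted(failed_changes(SAMPLE_LOG)):
        print(failure, parse_csn(failure[1]))
        for replica, verdict in classify(failure, SAMPLE_DUMPS).items():
            print(f"  {replica}: {verdict}")
```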
  </body>
</html>