[Freeipa-users] ipa user-find finds user but ipa user-del fails

Ron rap at phas.ubc.ca
Wed Sep 3 19:16:35 UTC 2014


Here is what is in the /var/log/dirsrv/slapd-YOUR-REALM/access... logfile:

conn=17342 fd=86 slot=86 connection from 142.103.xxx.xx to 142.103.xxx.xx
conn=17342 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=17342 op=0 RESULT err=14 tag=97 nentries=0 etime=1, SASL bind in progress
conn=17342 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=17342 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=17342 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=17342 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
conn=17342 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=pxxx,dc=abc,dc=ca" scope=0 filter="(objectClass=*)" attrs=ALL
conn=17342 op=3 RESULT err=0 tag=101 nentries=1 etime=0
conn=17342 op=4 SRCH base="cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca" scope=1 filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=pxxx,dc=abc,dc=ca))" attrs="telephoneNumber sshpubkeyfp uid title loginShell uidNumber gidNumber sn homeDirectory mail givenName nsAccountLock"
conn=17342 op=4 RESULT err=0 tag=101 nentries=1 etime=0
conn=17342 op=5 SRCH base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca" scope=0 filter="(userPassword=*)" attrs="userPassword"
conn=17342 op=5 RESULT err=0 tag=101 nentries=1 etime=0
conn=17342 op=6 SRCH base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
conn=17342 op=6 RESULT err=0 tag=101 nentries=1 etime=0
conn=17342 op=7 SRCH base="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca" scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
conn=17342 op=7 RESULT err=0 tag=101 nentries=1 etime=0
conn=17342 op=8 DEL dn="uid=phys210e,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
conn=17342 op=8 RESULT err=32 tag=107 nentries=0 etime=0
conn=17342 op=9 UNBIND
conn=17342 op=9 fd=86 closed - U1

And here is the result of the user-show command:

[root@ipa slapd-pxxx-abc-CA]# ipa user-find --login phys210e
--------------
1 user matched
--------------
  User login: phys210e
  First name: Testing
  Last name: Phys210
  Home directory: /home2/phys210e
  Login shell: /bin/bash
  Email address: phys210e@pxxx.abc.ca
  UID: 15010
  GID: 15010
  Account disabled: False
  Password: True
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipa slapd-pxxx-abc-CA]# ipa user-show --all --raw phys210e
ipa: ERROR: phys210e: user not found



On 09/03/2014 10:43 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> Can you check /var/log/dirsrv/slapd-YOUR-REALM/access, search for the DEL
>> operation and see what was the error code that DS gave when it refused to
>> delete the user?
> Were I to guess the issue is that this is a replication conflict entry.
> If you do:
>
> # ipa user-show --all --raw phys210e |grep dn:
>
> It will likely begin with nsuniqueid=<hex>, ...
>
> The reason it can be found and not deleted is we create the dn to be
> removed, we don't search for it. So the user uid=phys210e,cn=users,...
> etc doesn't exist but the user nsuniqueid=<hex> ... does.
>
> You'll need to use ldapmodify or ldapdelete to remove the entry though
> I'd check your other masters to see what the state of the user is there.
>
> rob
>
>> Martin
>>
>> On 09/03/2014 06:18 PM, Ron wrote:
>>> user-find sees a user but user-del cannot remove it.  What can I do?
>>> Thanks.
>>> Regards,
>>> Ron
>>>
>>> [root@ipa]# ipa user-find --login phys210e
>>> --------------
>>> 1 user matched
>>> --------------
>>>   User login: phys210e
>>>   First name: Testing
>>>   Last name: Phys210
>>>   Home directory: /home2/phys210e
>>>   Login shell: /bin/bash
>>>   Email address: phys210e@pxxx.abc.ca
>>>   UID: 15010
>>>   GID: 15010
>>>   Account disabled: False
>>>   Password: True
>>>   Kerberos keys available: False
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>> [root@ipa]# ipa user-del phys210e --continue
>>> ---------------
>>> Deleted user ""
>>> ---------------
>>>   Failed to remove: phys210e
>>>
>>>
>>> [root@ipa]# cat /etc/redhat-release
>>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>>>
>>> [root@ipa]# rpm -qa|grep ipa; rpm -qa|grep 389
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-admintools-3.0.0-37.el6.i686
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> libipa_hbac-1.9.2-129.el6_5.4.i686
>>> ipa-server-selinux-3.0.0-37.el6.i686
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>> libipa_hbac-python-1.9.2-129.el6_5.4.i686
>>> ipa-server-3.0.0-37.el6.i686
>>> ipa-python-3.0.0-37.el6.i686
>>> ipa-client-3.0.0-37.el6.i686
>>> 389-ds-base-libs-1.2.11.15-33.el6_5.i686
>>> 389-ds-base-1.2.11.15-33.el6_5.i686


-- 
Ron Parachoniak
Systems Manager, Department of Physics & Astronomy
University of British Columbia, Vancouver, B.C.  V6T 1Z1
Phone: (604) 838-6437
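
Added example, not part of the original message or of FreeIPA/389-ds code: a small parser that pairs each DEL in a 389-ds access log with its RESULT line and reports the failures, which here surfaces err=32 (LDAP noSuchObject) for the constructed DN, matching Rob's explanation. It assumes records start with `conn=` as in the excerpt above; the sample is constructed from that excerpt, wrapped the way a mail client wraps long lines.

```python
import re

LDAP_RESULT = {0: "success", 14: "saslBindInProgress", 32: "noSuchObject"}  # RFC 4511 names

# Constructed sample: lines taken from the access log in this message,
# with continuation lines kept so the parser has to rejoin them.
SAMPLE_LOG = '''\
conn=17342 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=17342 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="uid=admin,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
conn=17342 op=8 DEL
dn="uid=phys210e,cn=users,cn=accounts,dc=pxxx,dc=abc,dc=ca"
conn=17342 op=8 RESULT err=32 tag=107 nentries=0 etime=0
'''

HEAD = re.compile(r'^conn=(\d+) op=(-?\d+) (\w+)\s*(.*)$')

def unwrap(text):
    """Join continuation lines (not starting with conn=) onto the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn=") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def failed_deletes(text):
    """Return [(conn, op, dn, err, name)] for DEL operations whose RESULT err != 0."""
    pending, failures = {}, []
    for rec in unwrap(text):
        m = HEAD.match(rec)
        if not m:
            continue
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        if kind == "DEL":
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[(conn, op)] = dn.group(1) if dn else None
        elif kind == "RESULT" and (conn, op) in pending:
            err = int(re.search(r'err=(\d+)', rest).group(1))
            dn = pending.pop((conn, op))
            if err != 0:
                failures.append((conn, op, dn, err, LDAP_RESULT.get(err, "other")))
    return failures

if __name__ == "__main__":
    print(failed_deletes(SAMPLE_LOG))
```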
