[Freeipa-users] deleting ipa user
Ludwig Krispenz
lkrispen at redhat.com
Wed Apr 29 14:07:20 UTC 2015
On 04/29/2015 03:40 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 9:22 AM
>> To: thierry bordaz
>> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>>
>>
>> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>>
>>
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Wednesday, April 29, 2015 8:31 AM
>> To: Andy Thompson; freeipa-users at redhat.com
>> <mailto:freeipa-users at redhat.com> ; Ludwig Krispenz; Thierry
>> Bordaz
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>>
>> I'm trying to delete an IPA account and I get a
>> generic "operations error"
>>
>> when trying to remove it. It looks like something is
>> messed up with the
>> group object. The user doesn't show up in the
>> ipausers group and there also
>> isn't a group object for the user in question. Here is
>> the error from the
>> attempt.
>>
>> [29/Apr/2015:07:21:32 -0400] referint-plugin -
>> _update_all_per_mod:
>> entry
>> cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting
>> "member:
>> uid=<username>,cn=users,cn=accounts,dc=domain,dc=com"
>>
>> failed
>>
>> (16)
>> [29/Apr/2015:07:21:32 -0400] referint-plugin -
>> _update_all_per_mod:
>> entry
>> ipaUniqueID=3897c894-e764-11e4-b05b-
>>
>> 005056a92af3,cn=hbac,dc=domain,dc=
>>
>> com: deleting "memberUser:
>>
>> uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed
>> (16)
>> [29/Apr/2015:07:21:32 -0400]
>> ldbm_back_delete - conn=0 op=0 Turning a
>> tombstone into a tombstone!
>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343-
>>
>> f0abc1a8,cn=<username>,cn=group
>>
>> s,cn=accounts,dc=domain,dc=com"; e:
>> 0x7fcc84226070, cache_state: 0x0,
>> refcnt: 1
>> [29/Apr/2015:07:21:32 -0400] managed-
>> entries-plugin - mep_del_post_op:
>> failed to delete managed entry
>>
>> (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
>> error (1)
>> [29/Apr/2015:07:21:32 -0400]
>> ldbm_back_delete - conn=0 op=0 Turning a
>> tombstone into a tombstone!
>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343-
>>
>> f0abc1a8,cn=<username>,cn=group
>>
>> s,cn=accounts,dc=domain,dc=com"; e:
>> 0x7fcc84226070, cache_state: 0x0,
>> refcnt: 1
>> [29/Apr/2015:07:21:32 -0400] managed-
>> entries-plugin - mep_del_post_op:
>> failed to delete managed entry
>>
>> (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
>> error (1)
>>
>> This is the first time I see this error. CCing Ludwig or
>> Thierry to advise.
>>
>> Andy, please also include FreeIPA and 389-ds-base
>> packages versions so that
>> Thierry and Ludwig know what to look at.
>>
>>
>> Here you go
>>
>> ipa-server-4.1.0-18.el7_1.3.x86_64
>> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>>
>> Thanks much
>>
>> -andy
>>
>>
>>
>> Hello,
>>
>> I wonder it is not a similar issue I hit
>> https://fedorahosted.org/389/ticket/48165. What differs is
>> '_update_all_per_mod' logs but could be a consequence of the same bug.
>>
>>
>> I think what differs taht in the ticket there is an attempt to delete an existng
>> entry, but in the log snippet provided it attempts to delete a tombstone
>> entry (an entry which was already deleted).
>> So the errors logged by DS seem to be ok, but why does IPA want to delete
>> an already deleted user ? but mybe only the mep plugin finds a tombstone
>> and tries to delete it.
>>
>> What was the command executed, is the result the same if repeated ?
>>
>>
> I attempted using the web interface initially
> and then tried using ipa user-del <username> to see if it gave any more detail.
were both attempts at 2015:07:21:32 ? or do you have more errors in the
error log ?
>
> More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the logs there first.
well, if you cannot delete on one server, but do it on the other this
looks like servers were not consistent before
> I see this in the logs on the replica
>
> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
now the replica tries to replicate the delete and has the same failures
as your direct delete. Do you have other replicas ? Is the delete
replicated to other replicas ?
>
> -andy
More information about the Freeipa-users
mailing list