[Freeipa-users] deleting ipa user

thierry bordaz tbordaz at redhat.com
Wed Apr 29 17:07:02 UTC 2015


On 04/29/2015 06:45 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: thierry bordaz [mailto:tbordaz at redhat.com]
>> Sent: Wednesday, April 29, 2015 12:28 PM
>> To: Andy Thompson
>> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 05:58 PM, Andy Thompson wrote:
>>
>>
>> 			dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> 			nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> 			nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
>> 			nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
>> 			nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
>> 			nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
>> 			nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> 			nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
>> 			nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
>> 			nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
>> 			nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> 			nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> 			nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> 			nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> 			nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> 			nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>> 			nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
>> 			nscpentrywsi: parentid: 4
>> 			nscpentrywsi: entryid: 385
>> 			nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
>> 			nscpentrywsi: nstombstonecsn: 5540deb8000300030000
>> 			nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> 			nscpentrywsi: entryusn: 52327
>>
>> 			thought I tried that before, apparently not.
>>
>> 		ok, so we have the entry on one server; the csn of the objectclass nsTombstone value is:
>>
>> 		objectClass;vucsn-5540deb8000300030000: nsTombstone
>>
>> 		, which matches the csn in the error log:
>>
>> 		Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
>>
>> 		so the state of the entry is as expected.
>>
>> 		Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
>>
>>
>> 	If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server.
>>
>> 	dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> 	memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> 	memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>> 	ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
>> 	krbLastSuccessfulAuth: 20150421180533Z
>> 	krbPasswordExpiration: 20150720180532Z
>> 	userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09
>> 	krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
>> 	krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
>> 	krbLoginFailedCount: 0
>> 	krbTicketFlags: 128
>> 	krbLastPwdChange: 20150421180532Z
>> 	krbLastFailedAuth: 20150421180457Z
>> 	mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> 	displayName: user name
>> 	cn: User Name
>> 	objectClass: ipaobject
>> 	objectClass: person
>> 	objectClass: top
>> 	objectClass: ipasshuser
>> 	objectClass: inetorgperson
>> 	objectClass: organizationalperson
>> 	objectClass: krbticketpolicyaux
>> 	objectClass: krbprincipalaux
>> 	objectClass: inetuser
>> 	objectClass: posixaccount
>> 	objectClass: ipaSshGroupOfPubKeys
>> 	objectClass: mepOriginEntry
>> 	objectClass: ipantuserattrs
>> 	objectClass: nsTombstone
>> 	loginShell: /bin/bash
>> 	initials: GF
>> 	gecos: User Name
>> 	homeDirectory: /home/username
>> 	uid: username
>> 	mail: username at mhbenp.lin
>> 	krbPrincipalName: username at MHBENP.LIN
>> 	givenName: User
>> 	sn: name
>> 	ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
>> 	uidNumber: 1249000003
>> 	gidNumber: 1249000003
>> 	nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>>
>>
>>
>> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but
>> is missing. Did you run the command with the 'nscpentrywsi' attribute requested?
>> Maybe nsuniqueid was hidden for that reason, but I would be surprised.
>>
>> nsuniqueid is a key element of replication. I wonder how replication can find
>> the entry itself. nsuniqueid could be in the index, but then the entry is
>> corrupted.
>>
>>
> If I request the nscpentrywsi attribute I get
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
> nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
> nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
> nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
> nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
> nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
> nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003:: [...]
> nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
> nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
> nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
> nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
> nscpentrywsi: initials;vucsn-55364a42000100040000: GF
> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
> nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
> nscpentrywsi: sn;vucsn-55364a42000100040000: Name
> nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 3
> nscpentrywsi: entryid: 385
> nscpentrywsi: uidNumber: 1249000003
> nscpentrywsi: gidNumber: 1249000003
> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 57524
> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:

Ok, so here is my understanding:
On the second replica (where you succeeded in running 'ipa user-del <username>'), the entry looks like:

dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000300030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8



On the first replica (where you failed to delete the entry and where you can see the replication errors)
dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000000030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8


This is not the same entry. It is as if two entries with the same 'uid' were created.
Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.

The error is logged on the first replica about "nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".

So I think the entry you dumped on the first replica is not the one we were looking at.
The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.
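
As an added example, not part of this thread and not 389-ds or FreeIPA code: a small Python decoder for the CSN values carried in the nscpentrywsi dumps above, which makes the reasoning in the reply mechanical. The field layout it assumes (8 hex timestamp in seconds since the epoch, 4 hex sequence number, 4 hex replica ID, 4 hex sub-sequence) is the 389 Directory Server CSN format; the sample lines are constructed from the two dumps in this thread, and all function and variable names are the example's own.

```python
"""Decode 389 Directory Server CSNs from an nscpentrywsi dump (added example).

A CSN is 20 hex characters: 8 hex change time (seconds since the Unix epoch),
4 hex sequence number, 4 hex originating replica ID, 4 hex sub-sequence.
The CSN on the nsTombstone objectClass value therefore says which replica
deleted the entry and when.
"""
import re
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class CSN(NamedTuple):
    ts: int      # seconds since epoch
    seq: int
    rid: int     # originating replica ID
    subseq: int

    @property
    def time(self) -> datetime:
        return datetime.fromtimestamp(self.ts, tz=timezone.utc)


def parse_csn(text: str) -> CSN:
    """Split a 20-hex-digit CSN such as 5540deb8000300030000 into its fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
        raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
    return CSN(int(text[0:8], 16), int(text[8:12], 16),
               int(text[12:16], 16), int(text[16:20], 16))


# Attribute options that carry a CSN: vucsn (value added), adcsn (attribute
# deleted), mdcsn (RDN modified), vdcsn (value deleted).
CSN_OPTION = re.compile(r"^(vucsn|adcsn|mdcsn|vdcsn)-([0-9a-fA-F]{20})$")


class AttrState(NamedTuple):
    attr: str
    value: str
    csns: Dict[str, CSN]      # option kind -> CSN
    flags: FrozenSet[str]     # non-CSN options, e.g. {"deletedattribute", "deleted"}


def parse_wsi_line(line: str) -> Optional[AttrState]:
    """Parse one 'nscpentrywsi: attr;opt;opt: value' line; None for any other line."""
    prefix = "nscpentrywsi: "
    line = line.strip()
    if not line.startswith(prefix):
        return None
    m = re.match(r"([^:]+?)(::?) ?(.*)$", line[len(prefix):])
    if m is None:
        return None
    desc, _sep, value = m.groups()      # '::' marks a base64 value; kept verbatim
    attr, *opts = desc.split(";")
    csns: Dict[str, CSN] = {}
    flags = set()
    for opt in opts:
        om = CSN_OPTION.match(opt)
        if om:
            csns[om.group(1)] = parse_csn(om.group(2))
        else:
            flags.add(opt)
    return AttrState(attr, value, csns, frozenset(flags))


def summarize_entry(lines: List[str]) -> dict:
    """Extract what the thread compares: nsUniqueId and the nsTombstone value's CSN."""
    info = {"nsuniqueid": None, "tombstone_csn": None}
    for line in lines:
        st = parse_wsi_line(line)
        if st is None:
            continue
        if st.attr.lower() == "nsuniqueid":
            info["nsuniqueid"] = st.value
        elif st.attr.lower() == "objectclass" and st.value.lower() == "nstombstone":
            info["tombstone_csn"] = st.csns.get("vucsn")
    return info


def compare_tombstones(a: List[str], b: List[str]) -> dict:
    """Same entry? Deleted by the same replica? How far apart in seconds?"""
    sa, sb = summarize_entry(a), summarize_entry(b)
    ca, cb = sa["tombstone_csn"], sb["tombstone_csn"]
    return {
        "same_entry": sa["nsuniqueid"] is not None and sa["nsuniqueid"] == sb["nsuniqueid"],
        "same_deleting_replica": ca is not None and cb is not None and ca.rid == cb.rid,
        "seconds_apart": None if ca is None or cb is None else abs(ca.ts - cb.ts),
    }


# Constructed sample input: a few lines taken from the two dumps in this thread.
GROUP_TOMBSTONE = [
    "nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin",
    "nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup",
    "nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone",
    "nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh",
    "nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8",
]
USER_TOMBSTONE = [
    "nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin",
    "nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE",
    "nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone",
    "nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8",
    "nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:",
]

if __name__ == "__main__":
    for name, dump in (("group", GROUP_TOMBSTONE), ("user", USER_TOMBSTONE)):
        s = summarize_entry(dump)
        c = s["tombstone_csn"]
        print(f"{name}: nsUniqueId={s['nsuniqueid']} deleted by rid={c.rid} at {c.time:%Y-%m-%dT%H:%M:%SZ}")
    print(compare_tombstones(GROUP_TOMBSTONE, USER_TOMBSTONE))
```

Feed it the output of an ldapsearch run the way Andy ran it (as Directory Manager, with `-o ldif-wrap=no` and `nscpentrywsi` as the requested attribute, so lines are not folded). On the two dumps above it reports different nsUniqueIds, both nsTombstone values written by replica ID 3 within the same second (2015-04-29T13:38:00Z), and the user entry itself created by replica ID 4, which is the conclusion drawn in the reply.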



