[Freeipa-users] deleting ipa user

thierry bordaz tbordaz at redhat.com
Thu Apr 30 07:29:13 UTC 2015


On 04/29/2015 07:15 PM, Andy Thompson wrote:
>
>> -----Original Message-----
>> From: thierry bordaz [mailto:tbordaz at redhat.com]
>> Sent: Wednesday, April 29, 2015 1:07 PM
>> To: Andy Thompson
>> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 06:45 PM, Andy Thompson wrote:
>>
>>
>> 		-----Original Message-----
>> 		From: thierry bordaz [mailto:tbordaz at redhat.com]
>> 		Sent: Wednesday, April 29, 2015 12:28 PM
>> 		To: Andy Thompson
>> 		Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
>> 		Subject: Re: [Freeipa-users] deleting ipa user
>>
>> 		On 04/29/2015 05:58 PM, Andy Thompson wrote:
>>
>>
>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
>> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
>> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
>> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
>> nscpentrywsi: parentid: 4
>> nscpentrywsi: entryid: 385
>> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
>> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
>> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: entryusn: 52327
>>
>> thought I tried that before, apparently not.
>>
>> ok, so we have the entry on one server, the csn of the objectclass: tombstone is :
>>
>> objectClass;vucsn-5540deb8000300030000: nsTombstone
>>
>> , which matches the csn in the error log:
>>
>> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
>>
>> so the state of the entry is as expected.
>>
>> Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
>>
>>
>> If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W  -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter it returns nothing on the primary server
>>
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
>> krbLastSuccessfulAuth: 20150421180533Z
>> krbPasswordExpiration: 20150720180532Z
>> krbLoginFailedCount: 0
>> krbTicketFlags: 128
>> krbLastPwdChange: 20150421180532Z
>> krbLastFailedAuth: 20150421180457Z
>> mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> displayName: user name
>> cn: User Name
>> objectClass: ipaobject
>> objectClass: person
>> objectClass: top
>> objectClass: ipasshuser
>> objectClass: inetorgperson
>> objectClass: organizationalperson
>> objectClass: krbticketpolicyaux
>> objectClass: krbprincipalaux
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> objectClass: ipantuserattrs
>> objectClass: nsTombstone
>> loginShell: /bin/bash
>> initials: GF
>> gecos: User Name
>> homeDirectory: /home/username
>> uid: username
>> mail: username at mhbenp.lin
>> krbPrincipalName: username at MHBENP.LIN
>> givenName: User
>> sn: name
>> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
>> uidNumber: 1249000003
>> gidNumber: 1249000003
>> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>>
>>
>>
>> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing. Did you run the command with 'nscpentrywsi' requested attribute? Maybe nsuniqueid was hidden for that reason but I would be surprised.
>>
>> nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.
>>
>>
>>
>>
>> If I request the nscpentrywsi attribute I get
>>
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
>> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
>> nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
>> nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
>> nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
>> nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
>> nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
>> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
>> nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
>> nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
>> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
>> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
>> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
>> nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
>> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
>> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
>> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
>> nscpentrywsi: initials;vucsn-55364a42000100040000: GF
>> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
>> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
>> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
>> nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
>> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
>> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
>> nscpentrywsi: sn;vucsn-55364a42000100040000: Name
>> nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
>> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
>> nscpentrywsi: parentid: 3
>> nscpentrywsi: entryid: 385
>> nscpentrywsi: uidNumber: 1249000003
>> nscpentrywsi: gidNumber: 1249000003
>> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
>> nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: entryusn: 57524
>> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
>>
>>
>> Ok, so here is my understanding:
>> on the second replica (where you succeed to do 'ipa user-del <username>' )
>> the entry is looking:
> Sorry that was from the replica where I tried to do the delete and failed.  This is from the second replica where I successfully deleted the entry but now has the "failed to replay change" error being logged.  I've run so many queries I'm starting to lose track :)
It is difficult to keep track with replication :-)

You got a first replica where you failed to delete the entry.
You got a second replica where you succeeded to delete the entry.

On first replica you can see messages like:

[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1


On the second replica you can see messages like:

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.


On the first replica, you had difficulty retrieving the entry and
finally had to remove 'nsuniqueid' from the filter to retrieve this entry:

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
...


On the second replica you can see the entry:

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8



Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82...
while the entry retrieved on the second replica has nsuniqueid=7e1a1f87...

It differs: '2' instead of '7'. So this is not the same entry (from a replication point of view).

The error reported in the first replica was about
Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...


The error reported in the second replica was also about
Consumer failed to replay change (uniqueid 7e1a1f87...


So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.
Although it could be two entries having the same DN, which was deleted, added and then deleted again.

The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
Maybe you can retrieve it with the filter (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))


thanks
thierry

>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
> nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
> nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
> nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
> nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
> nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-55369200000200040004: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
> nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040002;vucsn-55369200000200040002::
> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
> nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
> nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
> nscpentrywsi: initials;vucsn-55364a42000100040000: GF
> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
> nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
> nscpentrywsi: sn;vucsn-55364a42000100040000: Name
> nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 3
> nscpentrywsi: entryid: 384
> nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
> nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52322
> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>>
>>
>>
>> On the first replica (where you failed to delete the entry and where you can see the replication errors)
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>>
>>
>> This is not the same entry. It is like two entries with the same 'uid' were created.
>> Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.
>>
>> The error is logged on the first replica about "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
>>
>> So I think the entry you dumped on the first replica, is not the one we were looking at.
>> The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.
>>
>>
>>
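
The comparison worked through in this message, as an added example that is not part of the original post: it parses the two tombstone dumps, decodes the tombstone CSN, and reports which dump matches the uniqueid/CSN pair named in the replay error. The 8/4/4/4 hex CSN layout (timestamp, sequence number, replica ID, sub-sequence) is an assumption about the 389 Directory Server format, and the sample input is trimmed from the lines quoted in the thread.

```python
import re
from datetime import datetime, timezone

# Sample input trimmed from the dumps and error log quoted in this thread.
FIRST_REPLICA = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
"""
SECOND_REPLICA = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
"""
ERROR_LOG = ('[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" '
             "(mdhixnpipa01:389): Consumer failed to replay change (uniqueid "
             "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.")

# "nscpentrywsi: <attr>[;csn state...]: <value>" (":: " when the value is base64)
WSI_LINE = re.compile(r"^nscpentrywsi:\s*([A-Za-z]+)[^:]*::?\s*(.*)$")
REPLAY_FAILURE = re.compile(r"failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{20})\)")


def decode_csn(csn):
    """Split a CSN into its fields. Assumed layout: 8/4/4/4 hex digits."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a 20-hex-digit CSN: {csn!r}")
    ts, seq, rid, subseq = (int(csn[i:j], 16) for i, j in ((0, 8), (8, 12), (12, 16), (16, 20)))
    return {"time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "seq": seq, "replica_id": rid, "subseq": subseq}


def parse_dump(ldif):
    """Extract the replication identity of one entry from an nscpentrywsi dump."""
    entry = {"is_tombstone": False}
    for line in ldif.splitlines():
        m = WSI_LINE.match(line)
        if not m:
            continue  # the plain "dn:" line and anything else is skipped
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "objectclass" and value.lower() == "nstombstone":
            entry["is_tombstone"] = True
        elif name in ("nsuniqueid", "nstombstonecsn", "nscpentrydn"):
            entry[name] = value
    return entry


def replicas_holding_target(log_line, dumps):
    """Return the names of the dumps that are the entry named in the replay error."""
    m = REPLAY_FAILURE.search(log_line)
    if not m:
        raise ValueError("no replay failure in log line")
    uniqueid, csn = m.groups()
    return [name for name, e in dumps.items()
            if e.get("nsuniqueid") == uniqueid and e.get("nstombstonecsn") == csn]


if __name__ == "__main__":
    dumps = {"first": parse_dump(FIRST_REPLICA), "second": parse_dump(SECOND_REPLICA)}
    for name, e in dumps.items():
        c = decode_csn(e["nstombstonecsn"])
        print(name, e["nsuniqueid"], e["nscpentrydn"], "deleted on replica", c["replica_id"], "at", c["time"])
    print("entry named in the replay error was dumped from:", replicas_holding_target(ERROR_LOG, dumps))
```

Comparing the full nsUniqueId string rather than eyeballing it catches the single-digit difference (7e1a1f82 vs 7e1a1f87), and the decoded replica ID field agrees with the "replica ID=3" reading in the quoted message.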
