[Freeipa-users] deleting ipa user

Andy Thompson Andy.Thompson at e-tcc.com
Thu Apr 30 10:41:08 UTC 2015


> You got a first replica where you failed to delete the entry.
> You got a second replica where you succeeded to delete the entry.
> 
> On first replica you can see messages like:
> 
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> 
> On the second replica you can see messages like:
> 
> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
> 
> 
> On the first replica, you had difficulty retrieving the entry and finally had to
> remove 'nsuniqueid' from the filter to retrieve this entry:
> 
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> ...
> 
> 
> On the second replica you can see the entry:
> 
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> 
> 
> Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82..
> while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
> 
> It differs: '2' instead of '7'. So this is not the same entry (from a replication
> point of view).
> 
> The error reported in the first replica was about Turning a tombstone into a
> tombstone! "nsuniqueid=7e1a1f87...
> 
> 
> The error reported in the second replica was also about
> Consumer failed to replay change (uniqueid 7e1a1f87...
> 
> 
> So I think the entry you dumped on the first replica is not (should not be) the
> one we are looking for.

It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for; it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since.  So I'm not sure if it was because of the minor upgrade or cycling the daemon.

Is there any way to find the root cause of this? And is it normal that individual group objects are not created for users? I thought I remembered reading somewhere that they were derived and not static entries? The few accounts I have on there were created in the web interface; most of my users are all trust users.

> Although it could be two entries having the same DN but that was deleted,
> added and then deleted again.
> 
> The difficulty is to retrieve it (on the first replica) as we cannot specify its
> 'nsuniqueid' to retrieve it.
> Maybe you can retrieve it with its
> (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
> 
> 
> thanks
> thierry
> 
> 
> 
> 
> 	dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> 	nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
> 	nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
> 	nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> 	nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
> 	nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
> 	nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
> 	nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-55369200000200040004: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
> 	nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> 	nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040002;vucsn-55369200000200040002::
> 	nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
> 	nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
> 	nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
> 	nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
> 	nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
> 	nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
> 	nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
> 	nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> 	nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
> 	nscpentrywsi: initials;vucsn-55364a42000100040000: GF
> 	nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
> 	nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
> 	nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
> 	nscpentrywsi: mail;vucsn-55364a42000100040000: username@mhbenp.lin
> 	nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username@MHBENP.LIN
> 	nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
> 	nscpentrywsi: sn;vucsn-55364a42000100040000: Name
> 	nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
> 	nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> 	nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
> 	nscpentrywsi: parentid: 3
> 	nscpentrywsi: entryid: 384
> 	nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
> 	nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
> 	nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> 	nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> 	nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	nscpentrywsi: entryusn: 52322
> 	nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
> 
> 
> 		dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 		nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 		...
> 		nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
> 		nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> 
> 		On the first replica (where you failed to delete the entry and where you can see the replication errors)
> 		dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 		nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 		...
> 		nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
> 		nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> 
> 		This is not the same entry. It is like two entries with the same 'uid' were created.
> 		Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.
> 
> 		The error is logged on the first replica about "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
> 
> 		So I think the entry you dumped on the first replica is not the one we were looking at.
> 		The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.
> 
> 
> 
> 
> 
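
The comparison made in this thread (the uniqueid named in each replica's error log versus the nsuniqueid of the tombstone that was actually dumped), as an added example that is not part of the original messages or of 389-ds. The sample strings are constructed from the lines quoted above (abridged), and the function names are hypothetical.

```python
import re

# 389-ds nsUniqueId: four dash-separated groups of eight hex digits.
UID = r"[0-9a-f]{8}(?:-[0-9a-f]{8}){3}"
LOG_UID = re.compile(rf"(?:nsuniqueid=|uniqueid )({UID})", re.I)
DN_UID = re.compile(rf"^dn: nsuniqueid=({UID}),(.+)$", re.I | re.M)

# Constructed sample input: log lines and tombstone DNs as quoted in this
# thread (abridged, e-mail wrapping undone); the second dump is LDIF-folded.
ERROR_LOGS = {
    "replica1": '[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 '
                'Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-'
                'e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,'
                'cn=accounts,dc=domain,dc=com"',
    "replica2": '[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - '
                'Consumer failed to replay change (uniqueid 7e1a1f87-'
                'e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): '
                'Operations error (1). Will retry later.',
}
DUMPS = {
    "replica1": "dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,"
                "uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin\n",
    "replica2": "dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-\n f0abc1a8,"
                "cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin\n",
}

def unfold(ldif):
    """Undo LDIF folding: a continuation line starts with one space."""
    return ldif.replace("\n ", "")

def logged_ids(logs):
    """All unique IDs that the error logs complain about."""
    return {u.lower() for text in logs.values() for u in LOG_UID.findall(text)}

def correlate(logs, dumps):
    """Per replica: which dumped tombstones the logs refer to, and which not."""
    wanted, report = logged_ids(logs), {}
    for replica, ldif in dumps.items():
        have = {u.lower(): dn for u, dn in DN_UID.findall(unfold(ldif))}
        report[replica] = {
            "in_logs": sorted(wanted & set(have)),
            "unrelated": sorted(set(have) - wanted),
            "not_dumped": sorted(wanted - set(have)),
        }
    return report

if __name__ == "__main__":
    for replica, result in correlate(ERROR_LOGS, DUMPS).items():
        print(replica, result)
```

On this input the first replica's dump lands under `unrelated` (7e1a1f82, the user tombstone) while the logged ID 7e1a1f87 is listed as `not_dumped`, which is the mismatch pointed out in the quoted reply.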
> 




