[Freeipa-users] How to delete a managed group

Rob Crittenden rcritten at redhat.com
Wed Aug 3 13:13:43 UTC 2016


Bob Hinton wrote:
> On 03/08/2016 07:15, Petr Spacek wrote:
>> On 3.8.2016 00:58, Bob Hinton wrote:
>>> Hi,
>>>
>>> Something went wrong when trying to restore some preserved users so I
>>> deleted them and then tried to recreate them. This failed with -
>>>
>>> ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.
>>>
>>> Trying to delete this group produces -
>>>
>>> ipa: ERROR: Unable to create private group. A group 'XXXXX' already exists.
>>>
>>> Trying to detach it with
>>>
>>> ipa group-detach XXXXX
>>>
>>> produces
>>>
>>> ipa: ERROR: XXXXX: group not found
>>>
>>> ipa group-show XXXXX
>> I would try
>> $ ipa group-show XXXXX --all --raw
>>
>> that could show us if there is something interesting like replication conflict
>> or so.
>>
>> Petr^2 Spacek
> Hi Petr,
>
> This produces ...
>
> ipa group-show XXXXX --all --raw
>    dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
>    cn: XXXXX
>    description: User private group for XXXXX
>    gidnumber: 799830053
>    ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
>    mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
>    objectClass: posixgroup
>    objectClass: ipaobject
>    objectClass: mepManagedEntry
>    objectClass: top
>
> We do have some replication problems at the moment - two recreated
> replicas currently have two RUVs so could this be how the user
> delete completed without the corresponding group?

Not sure. The 389-ds plugin should, by definition, remove the group when 
a user is deleted. I'd be more inclined to believe that the group was 
added and the user not in a replication event.

Removing the group requires an ldapmodify:

% kinit admin
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
^D
modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"

% ipa group-del deleteme
------------------------
Deleted group "deleteme"
------------------------

Makes me wonder if the managed entry plugin should allow deletion if the 
other side of the link doesn't exist. I'll investigate this.

rob
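An added illustration of the clean-up Rob describes, not code from the thread or from FreeIPA itself: it parses the `ipa group-show ... --all --raw` output Bob pasted, confirms the entry really is a managed entry (objectClass `mepManagedEntry` plus a `mepManagedBy` link), checks whether the linked user is actually gone before anything is detached, and then builds the same ldapmodify input Rob typed by hand. The sample output is constructed from the thread with its `XXXXX` placeholder kept, and the function names are hypothetical helpers for this example only.

```python
# Added example (not from the mailing-list thread or FreeIPA): detect an
# orphaned user-private group from `ipa group-show --all --raw` output and
# build the ldapmodify input that detaches it, mirroring Rob's session.

# Constructed sample: the --raw output quoted in the thread, placeholder kept.
SAMPLE_RAW = """\
  dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
  cn: XXXXX
  description: User private group for XXXXX
  gidnumber: 799830053
  ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
  mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
  objectClass: posixgroup
  objectClass: ipaobject
  objectClass: mepManagedEntry
  objectClass: top
"""


def parse_raw(text):
    """Turn `ipa ... --raw` output into {attribute: [values]}.

    Attribute names are lower-cased because LDAP treats them
    case-insensitively (ipaUniqueID vs ipauniqueid, etc.).
    """
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def is_managed_entry(entry):
    """True when the entry carries the managed-entry objectClass and a link."""
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    return "mepmanagedentry" in ocs and bool(entry.get("mepmanagedby"))


def is_orphaned(entry, existing_user_dns):
    """A managed group whose mepManagedBy target is no longer present.

    `existing_user_dns` is whatever you obtained from the directory
    (hypothetical input here); only detach when the owner really is gone.
    """
    if not is_managed_entry(entry):
        return False
    owner = entry["mepmanagedby"][0].lower()
    return owner not in {dn.lower() for dn in existing_user_dns}


def detach_ldif(entry):
    """Build the ldapmodify input that removes the managed-entry link.

    This is exactly the modification Rob ran interactively: drop the
    mepManagedEntry objectClass and the mepManagedBy attribute. After the
    change, `ipa group-del` can remove the group normally.
    """
    if not is_managed_entry(entry):
        raise ValueError("entry is not a managed entry; nothing to detach")
    dn = entry["dn"][0]
    owner = entry["mepmanagedby"][0]
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: objectclass\n"
        "objectclass: mepManagedEntry\n"
        "-\n"
        "delete: mepManagedBy\n"
        f"mepManagedBy: {owner}\n"
    )


if __name__ == "__main__":
    group = parse_raw(SAMPLE_RAW)
    # Pass the real user DNs you found in the directory; empty here means
    # the owning user is gone, which is Bob's situation.
    if is_orphaned(group, existing_user_dns=[]):
        print(detach_ldif(group), end="")
```

Pipe the printed LDIF into `ldapmodify -Y GSSAPI` after `kinit admin`, then run `ipa group-del` on the group, as in Rob's session. The ownership check matters: if the user still exists, the managed-entry plugin is doing its job and detaching would leave a live user without its private group.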
