[Freeipa-users] How to delete a managed group [SOLVED]

Bob Hinton bob at jackland.demon.co.uk
Thu Aug 4 19:01:39 UTC 2016


On 03/08/2016 14:13, Rob Crittenden wrote:
> Bob Hinton wrote:
>> On 03/08/2016 07:15, Petr Spacek wrote:
>>> On 3.8.2016 00:58, Bob Hinton wrote:
>>>> Hi,
>>>>
>>>> Something went wrong when trying to restore some preserved users so I
>>>> deleted them and then tried to recreate them. This failed with -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'XXXXX' 
>>>> already exists.
>>>>
>>>> Trying to delete this group produces -
>>>>
>>>> ipa: ERROR: Unable to create private group. A group 'XXXXX' already
>>>> exists.
>>>>
>>>> Trying to detach it with
>>>>
>>>> ipa group-detach XXXXX
>>>>
>>>> produces
>>>>
>>>> ipa: ERROR: XXXXX: group not found
>>>>
>>>> ipa group-show XXXXX
>>> I would try
>>> $ ipa group-show XXXXX --all --raw
>>>
>>> that could show us if there is something interesting like
>>> replication conflict
>>> or so.
>>>
>>> Petr^2 Spacek
>> Hi Petr,
>>
>> This produces ...
>>
>> ipa group-show XXXXX --all --raw
>>    dn: cn=XXXXX,cn=groups,cn=accounts,dc=local,dc=com
>>    cn: XXXXX
>>    description: User private group for XXXXX
>>    gidnumber: 799830053
>>    ipaUniqueID: 3b8e0ec8-58c4-11e6-806d-005056015864
>>    mepManagedBy: uid=XXXXX,cn=users,cn=accounts,dc=local,dc=com
>>    objectClass: posixgroup
>>    objectClass: ipaobject
>>    objectClass: mepManagedEntry
>>    objectClass: top
>>
>> We do have some replication problems at the moment - two recreated
>> replicas currently have two RUVs so could this be how the user
>> delete completed without the corresponding group?
>
> Not sure. The 389-ds plugin should, by definition, remove the group
> when a user is deleted. I'd be more inclined to believe that the group
> was added and the user not in a replication event.
>
> Removing the group requires an ldapmodify:
>
> % kinit admin
> % ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: admin at EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
> ^D
> modifying entry "cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com"
>
> % ipa group-del deleteme
> ------------------------
> Deleted group "deleteme"
> ------------------------
>
> Makes me wonder if the managed entry plugin should allow deletion if
> the other side of the link doesn't exist. I'll investigate this.
>
> rob
>
Hi Rob,

Your procedure detailed above allowed me to delete the old private
groups and then recreate the user accounts.

Many Thanks

Bob
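The ldapmodify procedure Rob quotes above, wrapped in a POSIX shell script, as an added example that is not part of the thread. It reproduces the two-step fix (strip the mepManagedEntry objectclass and the mepManagedBy link, then `ipa group-del`) but first checks that the group really is a managed entry and that its owning user is gone, so a live user's private group is never detached by mistake. The function names, the sample `ipa group-show --all --raw` dump and the `dc=example,dc=com` DNs are placeholders; the script assumes `ldapsearch`, `ldapmodify` and `ipa` are on PATH and that an admin Kerberos ticket is already held (`kinit admin`, as in the original message).

```shell
#!/bin/sh
# Detach an orphaned user-private group from its missing owner so that
# `ipa group-del` will remove it. Helper names are hypothetical; the DNs
# below are placeholders, not values from any real deployment.

# Constructed sample: what `ipa group-show XXXXX --all --raw` printed in
# the thread, with placeholder values.
SAMPLE_GROUP="deleteme"
SAMPLE_DUMP='   dn: cn=deleteme,cn=groups,cn=accounts,dc=example,dc=com
   cn: deleteme
   description: User private group for deleteme
   gidnumber: 799830053
   mepManagedBy: uid=deleteme,cn=users,cn=accounts,dc=example,dc=com
   objectClass: posixgroup
   objectClass: ipaobject
   objectClass: mepManagedEntry
   objectClass: top'

# Build the LDIF from Rob's message: remove the managed-entry objectclass
# and the mepManagedBy link. $1 = group DN, $2 = current mepManagedBy value.
build_detach_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'delete: objectclass\nobjectclass: mepManagedEntry\n-\n'
    printf 'delete: mepManagedBy\nmepManagedBy: %s\n' "$2"
}

# Read a raw group-show dump on stdin and print the owner DN recorded in
# mepManagedBy, or nothing when the group is not a managed entry.
managed_owner_of() {
    awk '$1 == "mepManagedBy:" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# True when the owner entry still exists in the directory.
# $1 = owner DN. A base-scope search for the DN itself is enough.
owner_exists() {
    ldapsearch -Q -Y GSSAPI -LLL -b "$1" -s base dn >/dev/null 2>&1
}

# $1 = group name, $2 = raw output of `ipa group-show $1 --all --raw`,
# $3 = base DN of the IPA domain.
detach_orphaned_group() {
    group="$1"
    owner=$(printf '%s\n' "$2" | managed_owner_of)
    if [ -z "$owner" ]; then
        echo "group $group is not a managed entry; nothing to detach" >&2
        return 1
    fi
    # Refuse to touch the private group of a user that still exists:
    # the managed-entry plugin owns that link and will remove the group
    # itself when the user is deleted.
    if owner_exists "$owner"; then
        echo "owner $owner still exists; refusing to detach $group" >&2
        return 2
    fi
    build_detach_ldif "cn=$group,cn=groups,cn=accounts,$3" "$owner" \
        | ldapmodify -Q -Y GSSAPI && ipa group-del "$group"
}

# Dry run on the constructed sample: show the LDIF that would be applied.
owner=$(printf '%s\n' "$SAMPLE_DUMP" | managed_owner_of)
build_detach_ldif "cn=$SAMPLE_GROUP,cn=groups,cn=accounts,dc=example,dc=com" "$owner"
```

Run `detach_orphaned_group XXXXX "$(ipa group-show XXXXX --all --raw)" dc=local,dc=com` against a real group only after the dry-run LDIF looks right; the return codes 1 and 2 distinguish "not a managed entry" from "owner still present", both of which mean this fix does not apply.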
