[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Ludwig Krispenz lkrispen at redhat.com
Tue Jan 17 16:01:54 UTC 2017


On 01/17/2017 04:48 PM, Harald Dunkel wrote:
> On 01/17/17 16:12, Harald Dunkel wrote:
>> On 01/17/17 11:38, Sumit Bose wrote:
>>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>>>> It seems something got corrupted in my ipa setup. I found this in the
>>>> sssd log file on Wheezy:
>>>>
>>>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
>>>> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
>>> Looks like there was a replication conflict, please see
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>> how to resolve it.
>>>
>> % ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=de" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict | wc -l
>> 26
>>
> PS:
>
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=dns administrators,cn=privileges,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=dns servers,cn=privileges,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Read Locations of IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Read Status of Services on IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Manage Service Principals,cn=permissions,cn=pbac,dc=example,dc=de
> nsds5ReplConflict: namingConflict cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=example,dc=de
>
> This looks like a problem of ipa-server-install. These entries were created
> in the very first seconds.
Conflict entries are created if an entry is added on different servers 
at the "same time", where same time means it is created on instance x 
before the add of the entry on instance y was replicated to x. This can 
happen if you run things in parallel, e.g. upgrades.

There is no simple way to get rid of them; you need to delete them one
by one, so do:
ldapmodify .......
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
changetype: delete

for all of your conflict entries.
>
>
> Harri
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
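
The one-by-one deletion described in the reply above can be prepared as a single LDIF file for review. This is an added example, not part of the original thread or of FreeIPA; the function names conflict_delete_ldif and sample_ldif are hypothetical, and the input is assumed to be LDIF such as the ldapsearch for "nsds5ReplConflict=*" quoted earlier produces.

```shell
#!/bin/sh
# Added example, not from the thread. Reads LDIF on stdin and writes one
# "changetype: delete" record per replication conflict entry, for review.

conflict_delete_ldif() {
    awk '
    function handle(l) {
        if (l == "") { end_entry(); return }
        if (l ~ /^dn: /) dn = substr(l, 5)
        else if (l ~ /^dn:: /) b64 = 1            # base64 DN, not decoded here
        else if (tolower(l) ~ /^nsds5replconflict:/) conflict = 1
    }
    function end_entry() {
        # Require both markers: the attribute and the +nsuniqueid= RDN part.
        if (conflict && b64) print "skipped: base64 DN" > "/dev/stderr"
        else if (conflict && tolower(dn) ~ /\+nsuniqueid=/)
            printf "dn: %s\nchangetype: delete\n\n", dn
        dn = ""; conflict = 0; b64 = 0
    }
    # LDIF folding: a line that starts with one space continues the last one.
    /^ / { cur = cur substr($0, 2); next }
    { if (have) handle(cur); cur = $0; have = 1 }
    END { if (have) handle(cur); end_entry() }
    '
}

# Constructed sample input. The first DN is the one quoted in the thread
# (folded here as ldapsearch would fold it); the other entries are made up.
sample_ldif() {
    cat <<'EOF'
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-
 d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permi
 ssions,cn=pbac,dc=example,dc=de

dn: cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de
cn: System: Manage Host Principals

dn: cn=locations+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de
EOF
}

# Print the delete records for the sample; the valid entry is left out.
sample_ldif | conflict_delete_ldif
```

The generated records are only written to standard output; nothing is changed in the directory until the reviewed file is passed to ldapmodify.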



