[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Harald Dunkel harald.dunkel at aixigo.de
Wed Jan 18 07:13:57 UTC 2017


Hi Ludwig,

On 01/17/17 17:01, Ludwig Krispenz wrote:
> 
> On 01/17/2017 04:48 PM, Harald Dunkel wrote:
>> On 01/17/17 16:12, Harald Dunkel wrote:
>>> On 01/17/17 11:38, Sumit Bose wrote:
>>>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>>>>> It seems something got corrupted in my ipa setup. I found this in the
>>>>> sssd log file on Wheezy:
>>>>>
>>>>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
>>>>> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
>>>> Looks like there was a replication conflict, please see
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>> how to resolve it.
>>>>
>>> % ldapsearch -D "cn=directory manager" -w secret -b "dc=example,dc=de" "nsds5ReplConflict=*" \* nsds5ReplConflict | grep nsds5ReplConflict | wc -l
>>> 26
>>>
>> PS:
>>
>> nsds5ReplConflict: namingConflict cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=domain,cn=topology,cn=ipa,cn=etc,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=dns administrators,cn=privileges,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=dns servers,cn=privileges,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=cas,cn=ca,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=dogtag,cn=custodia,cn=ipa,cn=etc,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: add ca,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: delete ca,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: modify ca,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: read cas,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: modify dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=system: read dns servers configuration,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Read Locations of IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Read Status of Services on IPA Servers,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Manage Service Principals,cn=permissions,cn=pbac,dc=example,dc=de
>> nsds5ReplConflict: namingConflict cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=example,dc=de
>>
>> This looks like a problem of ipa-server-install. These entries were created
>> in the very first seconds.
> Conflict entries are created if an entry is added on different servers at the "same time", where same time means it is created on instance x before the add of the entry on instance y was replicated to x. This can happen if you run things in parallel, eg upgrades.
> 

You mean Freeipa has a race condition? I use tools like clusterssh to
install or upgrade several hosts in parallel (n <= 49 due to available
screen and font size). The "same time" is built in.

Of course I understand that Freeipa is a special case, because it is a
network application, but it should be able to handle n = 2.

> There is no simple way to get rid of them, you need to delete them one by one, so do:
> ldapmodify .......
> dn:  cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
> changetype: delete
> 
> for all of your conflict entries

I am surely no specialist for ldap, so hopefully it's allowed to ask
a question:

This is a tree-like structure. If I delete a conflicting node, what
happens to the leaves? Is there any indication that these leaves
contain information that is not needed anymore? Isn't it possible
that server b created a huge tree with tons of subnodes and leaves
before the conflict is detected?
Every helpful comment is highly appreciated
Harri
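Added example, not part of the thread and not FreeIPA or 389 DS code: a small offline triage script for the cleanup step Ludwig describes. It parses the conflict entries returned by the ldapsearch in the thread, and for each one checks the two things Harald asks about before an `ldapmodify` delete is generated: whether the conflict entry still has subordinate entries underneath it, and whether the "winning" original DN actually exists. Only leaf conflict entries whose original is present get a delete record; everything else is listed for manual review. Assumptions: the subtree DN list is taken from a second search (for example `ldapsearch -b "dc=example,dc=de" -s sub "(objectClass=*)" 1.1`), the nsuniqueid values other than the one from the thread are constructed placeholders, and the DN shape of an entry nested under a conflict entry is constructed for the sample.

```python
"""Triage 389 DS / FreeIPA replication conflict entries before deleting them.

Added example (not project code). Input is LDIF text as produced by
  ldapsearch -b "dc=example,dc=de" "nsds5ReplConflict=*" nsds5ReplConflict
plus a flat list of every DN in the subtree.
"""
import base64
import re

# Constructed sample: three conflict entries. The nsuniqueid on the first
# DN is the one from the thread; the other two are placeholders.
CONFLICT_LDIF = """\
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de

dn: cn=custodia+nsuniqueid=00000000-00000000-00000000-00000001,cn=ipa,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=custodia,cn=ipa,cn=etc,dc=example,dc=de

dn: cn=locations+nsuniqueid=00000000-00000000-00000000-00000003,cn=etc,dc=example,dc=de
nsds5ReplConflict: namingConflict cn=locations,cn=etc,dc=example,dc=de
"""

# Constructed sample: every DN of the subtree (assumed to come from a
# separate ldapsearch with the "1.1" attribute list, i.e. DNs only).
# Note: cn=custodia's conflict copy still has a child, and the original
# cn=locations entry is missing entirely.
SUBTREE_DNS = [
    "dc=example,dc=de",
    "cn=etc,dc=example,dc=de",
    "cn=ipa,cn=etc,dc=example,dc=de",
    "cn=custodia,cn=ipa,cn=etc,dc=example,dc=de",
    "cn=custodia+nsuniqueid=00000000-00000000-00000000-00000001,cn=ipa,cn=etc,dc=example,dc=de",
    "cn=dogtag,cn=custodia+nsuniqueid=00000000-00000000-00000000-00000001,cn=ipa,cn=etc,dc=example,dc=de",
    "cn=locations+nsuniqueid=00000000-00000000-00000000-00000003,cn=etc,dc=example,dc=de",
    "cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de",
    "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de",
]

LDIF_LINE_RE = re.compile(r"^([^:]+)(::?)\s?(.*)$")
CONFLICT_RE = re.compile(r"^(?P<kind>\S+)\s+(?P<dn>.+)$")


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values]} dicts.
    Unfolds continuation lines and decodes base64 ('::') values."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, raw = LDIF_LINE_RE.match(line).groups()
        value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", dn)]


def normalize(dn):
    return [c.lower() for c in split_dn(dn)]


def is_subordinate(child_dn, parent_dn):
    """True if child_dn lies strictly below parent_dn in the tree."""
    c, p = normalize(child_dn), normalize(parent_dn)
    return len(c) > len(p) and c[-len(p):] == p


def plan_cleanup(conflict_ldif, subtree_dns):
    """Return {'delete_ldif': str, 'needs_review': {conflict_dn: info}}.
    A conflict entry is deletable only if it has no subordinates and the
    original (winning) DN it conflicted with still exists."""
    deletable, needs_review = [], {}
    for entry in parse_ldif(conflict_ldif):
        conflict_dn = entry["dn"][0]
        m = CONFLICT_RE.match(entry["nsds5replconflict"][0])
        original_dn = m.group("dn")
        children = [d for d in subtree_dns if is_subordinate(d, conflict_dn)]
        original_present = any(normalize(d) == normalize(original_dn) for d in subtree_dns)
        if children or not original_present:
            needs_review[conflict_dn] = {"children": children,
                                        "original_present": original_present}
        else:
            deletable.append((conflict_dn, original_dn))
    # Deepest entries first: the server refuses to delete a non-leaf (result 66).
    deletable.sort(key=lambda t: -len(split_dn(t[0])))
    ldif = "".join(f"# conflicted with: {orig}\ndn: {dn}\nchangetype: delete\n\n"
                   for dn, orig in deletable)
    return {"delete_ldif": ldif, "needs_review": needs_review}


if __name__ == "__main__":
    plan = plan_cleanup(CONFLICT_LDIF, SUBTREE_DNS)
    print(plan["delete_ldif"])
    for dn, info in plan["needs_review"].items():
        print("REVIEW:", dn, info)
```

The generated LDIF is what `ldapmodify -D "cn=directory manager" -W -f cleanup.ldif` would consume; entries in `needs_review` are the cases from Harald's question. Once the subordinates under a conflict entry have been inspected and moved or deleted, re-running the script on fresh search output promotes that entry to the deletable list.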