[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Ludwig Krispenz lkrispen at redhat.com
Wed Jan 18 15:22:21 UTC 2017


On 01/18/2017 02:57 PM, Harald Dunkel wrote:
> On 01/17/17 11:38, Sumit Bose wrote:
>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>>> It seems something got corrupted in my ipa setup. I found this in the
>>> sssd log file on Wheezy:
>>>
>>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
>>> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
>> Looks like there was a replication conflict, please see
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>> how to resolve it.
>>
> This is *way* too hot for me.
I think the procedure in the link about renaming is only needed if you 
want to keep both entries with a "normal" dn. But you want to get rid of 
the conflict entries. Since you have to clean up each of them 
individually, I would suggest to start with one of them.

First get both the conflict entry and the normal entry and compare them:
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de" -s base
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" -s base

They should be identical.
Next check if the conflict entry has child entries:
ldapsearch -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" dn

If there are no entries below the conflict entry you can remove it:
ldapmodify -D "cn=directory manager" ......
dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
changetype: delete

> How can I try this in a sandbox?
You can try to reproduce this state on two other machines.
And if you have an established backup and restore process, do a backup 
before doing the cleanup.
>
>
> Every helpful comment is highly appreciated
> Harri
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
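
The comparison step in the message above ("They should be identical"), as an added example that is not part of the original message or of FreeIPA: it parses the LDIF output of the two ldapsearch calls and reports every attribute that differs. The function names, the ignored-attribute set and the sample entries are assumptions made for this illustration.

```python
import base64
import re

# Assumption: nsds5ReplConflict is the only attribute expected to differ.
IGNORED = {"nsds5replconflict"}
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: set(values)})."""
    unfolded = re.sub(r"\r?\n ", "", text.strip())  # undo LDIF line folding
    dn, attrs = None, {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), set()).add(value)
    return dn, attrs

def normal_dn(conflict_dn):
    """Drop "+nsuniqueid=..." from the DN; None if it is not a conflict DN."""
    stripped, count = CONFLICT_RDN.subn("", conflict_dn, count=1)
    return stripped if count else None

def compare_entries(normal_ldif, conflict_ldif):
    """Return {attr: (normal_values, conflict_values)} for each difference."""
    ndn, nattrs = parse_ldif_entry(normal_ldif)
    cdn, cattrs = parse_ldif_entry(conflict_ldif)
    if (normal_dn(cdn) or "").lower() != ndn.lower():
        raise ValueError("not a normal/conflict pair: %r vs %r" % (ndn, cdn))
    names = (set(nattrs) | set(cattrs)) - IGNORED
    return {a: (nattrs.get(a, set()), cattrs.get(a, set()))
            for a in names if nattrs.get(a) != cattrs.get(a)}

# Constructed sample entries (not taken from the poster's server).
BASE = "cn=System: Manage Host Principals%s,cn=permissions,cn=pbac,dc=example,dc=de"
BODY = "\nobjectClass: top\ncn: System: Manage Host Principals\n"
NORMAL = "dn: " + BASE % "" + BODY
CONFLICT = ("dn: " + BASE % "+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db"
            + BODY + "nsds5ReplConflict: namingConflict " + BASE % "" + "\n")

if __name__ == "__main__":
    print(compare_entries(NORMAL, CONFLICT) or "entries match")
```

An empty result means the two entries carry the same attributes; the child-entry check still has to pass before the delete.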



