[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Fri Jan 20 13:17:25 UTC 2017



On 01/20/2017 12:23 PM, Harald Dunkel wrote:
> On 01/18/17 16:22, Ludwig Krispenz wrote:
>> I think the procedure in the link about renaming is only needed if you want to keep both entries with a "normal" dn. But you want to get rid of the conflict entries.  Since you have to cleanup each of them individually I would suggest to start with one of them.
>>
>> First get both the conflict entry and the normal entry and compare them:
>> ldapsearch   -D "cn=directory manager" ..... -b "cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=example,dc=de" -s base
>> ldapsearch  -D "cn=directory manager"  ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" -s base
>>
>> They should be identical.
>> Next check if the conflict entry has child entries:
>> ldapsearch  -D "cn=directory manager"  ..... -b "cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de" dn
>>
>> If there are no entries below the conflict entry you can remove it:
>> ldapmodify -D "cn=directory manager" ......
>> dn: cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
>> changetype: delete
>>
> Of course they are not identical :-(. Worst case seems to be this
> one:
>
> % ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de" -s base
> # extended LDIF
> #
> # LDAPv3
> # base <cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # DNS Servers + 109be317-ccd911e6-a5b3d0c8-d8da17db, privileges, pbac, example.de
> dn: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> cn: DNS Servers
> description: DNS Servers
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
>
> % ldapsearch -o ldif-wrap=no -D "cn=directory manager" -w secret -b "cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de" -s base
> # extended LDIF
> #
> # LDAPv3
> # base <cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # DNS Servers, privileges, pbac, example.de
> dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
> memberOf: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
> cn: DNS Servers
> description: DNS Servers
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Looks like the wrong record has been marked as a duplicate. Can I just copy
> the missing "memberOf" attributes to the good record, delete the bad record,
> and all is fine?

I agree that it looks like the conflict entry is the most 
up-to-date one.
To try to repair it, it would help if you could search the groups

cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de

Hopefully the last two are identical, but the others may refer to 
'cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db' instead of the non-conflict one.

We may try to fix groups (with conflict members).

thanks




>
>
> Next ldapmodify returned these error messages:
>
> 	deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
> 	ldap_delete: Server is unwilling to perform (53)
> 	        additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
>
>
> 	deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
> 	ldap_delete: Operations error (1)
>
>
> I am highly concerned especially about the "Operations error". Sounds
> like something internal.
>
>
> Every helpful comment is highly appreciated.
> Harri
>
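The comparison Ludwig describes (conflict entry against its normal twin) and the membership check Thierry asks for, as an added example that is not code from this thread: it parses ldapsearch LDIF output, diffs the two entries, and lists membership values that still name a "+nsuniqueid=" conflict DN. The sample LDIF is constructed from the two dumps quoted above; base64 ("::") values and wrapped lines are assumed absent.

```python
# Added example (not code from the thread): parse ldapsearch LDIF output, diff a
# replication-conflict entry (RDN carries "+nsuniqueid=...") against its normal
# twin, and flag membership values still naming a conflict entry. No base64/wrapping.
import re

CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; comment and result-info lines are ignored."""
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#") or not line.strip():
            if "dn" in cur:
                entries[cur["dn"][0]] = cur
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return entries

def is_conflict_dn(dn):
    return bool(CONFLICT_RDN.search(dn))

def normal_dn(dn):  # the non-conflict twin: same DN without the +nsuniqueid part
    return CONFLICT_RDN.sub("", dn)

def diff_entries(entries, conflict_dn):
    """Attributes whose value sets differ between the conflict entry and its twin."""
    a, b = entries[conflict_dn], entries[normal_dn(conflict_dn)]
    diffs = {}
    for attr in (set(a) | set(b)) - {"dn"}:
        sa, sb = set(a.get(attr, [])), set(b.get(attr, []))
        if sa != sb:
            diffs[attr] = {"only_in_conflict": sorted(sa - sb),
                           "only_in_normal": sorted(sb - sa)}
    return diffs

def conflict_references(entries, attrs=("member", "memberOf")):
    # (dn, attr, value) triples where a membership value names a conflict entry
    return [(dn, attr, v) for dn, e in entries.items()
            for attr in attrs for v in e.get(attr, []) if is_conflict_dn(v)]

# Constructed sample, trimmed from the two ldapsearch dumps quoted above.
SAMPLE = """\
dn: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de

dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
"""
```

Feed it the full output of the two base-scope searches (`-o ldif-wrap=no`) to see which attributes only the conflict entry carries before deciding which record to keep.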



