[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
Harald Dunkel
harald.dunkel at aixigo.de
Mon Jan 23 07:43:31 UTC 2017
Hi Thierry,
On 01/20/17 14:17, thierry bordaz wrote:
>
> I agree that it is looking like the conflict entry is the most up-to-date one.
> To try to repair, it would help if you can search groups
>
> cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
>
> Hopefully the two last are identical, but the others may refer to '
> cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db' instead of the non conflict one.
>
They are not the same (see attachments):
--- /tmp/system_read_dns 2017-01-23 08:26:21.580128044 +0100
+++ /tmp/system_read_dns.nsuniqueid 2017-01-23 08:26:42.603217657 +0100
@@ -1,13 +1,13 @@
# extended LDIF
#
# LDAPv3
-# base <cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
+# base <cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
-# System: Read DNS Servers Configuration, permissions, pbac, example.de
-dn: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
+# System: Read DNS Servers Configuration + 109be363-ccd911e6-a5b3d0c8-d8da17db, permissions, pbac, example.de
+dn: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
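Review bot: the `# base`, entry-comment and `dn:` changes at the top of this hunk follow from the two searches using different base DNs, so they are expected and do not help decide which entry is current; running both searches with `ldapsearch -LLL` would drop the comment lines and leave only attribute differences. Both outputs also show `# requesting: ALL`, which returns user attributes only, so operational attributes are not part of this comparison and would have to be requested explicitly.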
@@ -21,8 +21,7 @@
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
-member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=de
-member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
+member: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
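Review bot: the added `member:` line references `cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db`, which is itself a conflict DN under cn=privileges, and the conflict entry has no counterpart for the removed `member: cn=DNS Administrators,...` line. Before either permission entry is deleted or renamed, the two `cn=DNS Servers` privilege entries need the same comparison, and the member list of whichever permission entry is kept should be checked against both versions.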
> We may try to fix groups (with conflict members).
>
> thanks
>
Question: Would you agree it's best to avoid swapping "valid" and
"nsuniqueid" records?
Regards
Harri
-------------- next part --------------
# extended LDIF
#
# LDAPv3
# base <cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# System: Read DNS Servers Configuration, permissions, pbac, example.de
dn: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=de
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=example,dc=de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-------------- next part --------------
# extended LDIF
#
# LDAPv3
# base <cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# System: Read DNS Servers Configuration + 109be363-ccd911e6-a5b3d0c8-d8da17db, permissions, pbac, example.de
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
ipaPermRight: read
ipaPermRight: compare
ipaPermRight: search
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Read DNS Servers Configuration
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
ipaPermDefaultAttr: idnsforwardpolicy
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: idnsforwarders
ipaPermDefaultAttr: idnsserverid
ipaPermDefaultAttr: idnssubstitutionvariable
ipaPermDefaultAttr: idnssoamname
ipaPermLocation: dc=example,dc=de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
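The check discussed in this message (which group entries reference a conflict DN, and how a conflict entry's members differ from its regular twin) can be run offline over saved ldapsearch output. The following is an added example, not part of the original post or of FreeIPA; the function names are hypothetical and the sample LDIF is abridged from the two attachments above.

```python
import re

# Abridged from the two attachments above: only the dn and member lines are kept.
SAMPLE_LDIF = """\
dn: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=de
member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de

dn: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
member: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
"""

# A replication conflict DN carries "+nsuniqueid=<id>" in its leading RDN.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+(?=,)", re.IGNORECASE)
# dn/member lines with plain values; base64 ("attr:: ...") values are skipped.
ATTR_LINE = re.compile(r"^(dn|member): *([^:\s].*)$", re.IGNORECASE | re.MULTILINE)

def parse_ldif(text):
    """Return {dn: set of member values} for blank-line separated entries."""
    entries = {}
    unfolded = text.replace("\n ", "")  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = [(a.lower(), v.strip()) for a, v in ATTR_LINE.findall(block)]
        dns = [v for a, v in pairs if a == "dn"]
        if dns:
            entries[dns[0]] = {v for a, v in pairs if a == "member"}
    return entries

def strip_conflict(dn):
    """Map a conflict DN to the DN of its regular twin."""
    return CONFLICT_RDN.sub("", dn, count=1)

def audit(entries):
    """Flag members that are conflict DNs and members missing versus the twin."""
    report = {}
    for dn, members in entries.items():
        stale = sorted(m for m in members if CONFLICT_RDN.search(m))
        twin, missing = strip_conflict(dn), []
        if twin != dn and twin in entries:
            missing = sorted(entries[twin] - {strip_conflict(m) for m in members})
        if stale or missing:
            report[dn] = {"conflict_members": stale, "missing_vs_twin": missing}
    return report

if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, finding, sep="\n  ")
```

On the sample, only the conflict permission entry is reported: its single member is a conflict DN, and `cn=DNS Administrators` is missing compared with the regular entry.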