[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Mon Jan 23 10:59:10 UTC 2017 


On 01/23/2017 08:43 AM, Harald Dunkel wrote:
> Hi Thierry,
>
> On 01/20/17 14:17, thierry bordaz wrote:
>> I agree that it is looking like the conflict entry is the most up-to-date one.
>> To try to repair, it would help if you can search groups
>>
>> cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
>> cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
>>
>> Hopefully the two last are identical, but the others may refer to  '
>> cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db' instead of the non conflict one.
>>
> They are not the same (see attachments):
>
> --- /tmp/system_read_dns	2017-01-23 08:26:21.580128044 +0100
> +++ /tmp/system_read_dns.nsuniqueid	2017-01-23 08:26:42.603217657 +0100
> @@ -1,13 +1,13 @@
>   # extended LDIF
>   #
>   # LDAPv3
> -# base <cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
> +# base <cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de> with scope baseObject
>   # filter: (objectclass=*)
>   # requesting: ALL
>   #
>
> -# System: Read DNS Servers Configuration, permissions, pbac, example.de
> -dn: cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> +# System: Read DNS Servers Configuration + 109be363-ccd911e6-a5b3d0c8-d8da17db, permissions, pbac, example.de
> +dn: cn=System: Read DNS Servers Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de
>   ipaPermTargetFilter: (objectclass=idnsServerConfigObject)
>   ipaPermRight: read
>   ipaPermRight: compare
> @@ -21,8 +21,7 @@
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: ipapermissionv2
> -member: cn=DNS Administrators,cn=privileges,cn=pbac,dc=example,dc=de
> -member: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de
> +member: cn=DNS Servers+nsuniqueid=109be317-ccd911e6-a5b3d0c8-d8da17db,cn=privileges,cn=pbac,dc=example,dc=de
>   ipaPermDefaultAttr: idnsforwardpolicy
>   ipaPermDefaultAttr: objectclass
>   ipaPermDefaultAttr: idnsforwarders
>
>> We may try to fix groups (with conflict members).
>>
>> thanks
>>
> Question: Would you agree its best to avoid swapping "valid" and
> "nsuniqueid" records?
We need to get a clear status before trying to swap them.
For example in your attachment the valid entry is member of 'DNS Admin' 
while the conflict one is not. So possibly the valid entry is the one to 
keep.

Conflicts entry
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=de

belong to all these groups
memberOf: cn=System: Read DNS 
Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Write DNS 
Configuration,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Add DNS 
Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC 
keys,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Manage DNSSEC 
metadata,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS 
Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Remove DNS 
Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Update DNS 
Entries,cn=permissions,cn=pbac,dc=example,dc=de
memberOf: cn=System: Read DNS Servers 
Configuration+nsuniqueid=109be363-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de

My initial thought was to check how it was member (which attribute it is 
using and if it is nested/direct membership).
So then we may try to repair the "valid" entry, making it similarly 
member of those groups.

But this is looking to be complex job and no guaranty it will repair 
everything broken.

Do you have a way to restore from a state where there was no conflict ?

regards
theirry

>
> Regards
> Harri
>

More information about the Freeipa-users mailing list