[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

thierry bordaz tbordaz at redhat.com
Tue Jan 24 14:01:28 UTC 2017



On 01/24/2017 02:22 PM, Harald Dunkel wrote:
> On 01/24/17 12:57, thierry bordaz wrote:
>> If I understand correctly the iterations of development, I do not understand why, at this point, you need to reconnect ipabak.
>> After you create ipabak replica, you take a snapshot of it (let ipabak_0), then disconnect it from ipa1/ipa2.
>>
>> Then you may start incremental dev of the script on the offline ipabak.
>> Before each test of the script, you just need to get ipabak to ipabak_0.
>> Am I missing something?
>>
> ipa1 is not idle while the script is in development. I do not
> know if these conflicting entries pop up in some new entries
> on ipa1 while the script is in development. When the script
> seems to be ready, then I have to verify it with a very recent
> copy of the database before the final run.

I would be surprised if new conflicts were popping up on ipa1/ipa2 
during development of the script.
But yes, when the script is ready, you need to sync ipabak/ipa1 to be 
sure the script will run successfully on all conflicts (old and new).

>
>>> When the script appears to be ready I have to revert and sync
>>> ipabak again as above, but instead of disconnecting it from the
>>> network I have to stop all ipa servers in parallel to take a
>>> snapshot of each. (All ipa servers are LXC containers.) Next
>>> start the ipa servers again and run the script on ipabak, now
>>> connected with ipa1. This should make the changes "official".
>> How do you know if the script is ready? When it resolves all the conflict entries?
>>
> Hopefully yes, but there were 2 conflicts that already made some
> problems:
>
> 	deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
> 	ldap_delete: Server is unwilling to perform (53)
> 	        additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
>
>
> 	deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
> 	ldap_delete: Operations error (1)
>
> I got these problems before I became more careful with this.

This will be a difficulty in setting up that script.
You may be unable to delete some entries (managed entry, tombstones...).

I think one target of the script is to get the 'valid' entries to the 
expected level: having the expected set of attributes/values. A kind of 
merge of valid/conflict entries.
Then you may have to moddn some conflict children under the valid entry.
At the end, remove the conflict entries.

As I said, setting up such a script could take you more time than 
manually fixing the 43 conflicts.

regards
thierry
>
> Regards
> Harri
>
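
The merge / moddn / delete order described in the message above, as an added dry-run sketch that is not part of the original thread or of FreeIPA's tooling. It only builds a plan from an in-memory dump; the function names, the plan tuple format and the sample entries are assumptions made for illustration, and values are compared case-insensitively as a simplification.

```python
import re

# Leading RDN of a conflict entry carries "+nsuniqueid=...", as in the DNs quoted above.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)
SKIP_ATTRS = {"nsds5replconflict", "nsuniqueid"}  # bookkeeping attributes, not merged

def split_dn(dn):
    """Return (leading RDN, parent DN). Assumes no escaped commas in RDN values."""
    rdn, _, parent = dn.partition(",")
    return rdn, parent

def plan_conflict_resolution(entries):
    """Build an ordered dry-run plan from {dn: {attr: [values]}}; sends nothing."""
    by_dn = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}
    plan = []
    for key, (dn, attrs) in sorted(by_dn.items()):
        rdn, parent = split_dn(dn)
        if not CONFLICT_RDN.search(rdn):
            continue
        valid_dn = CONFLICT_RDN.sub("", rdn) + "," + parent
        if valid_dn.lower() not in by_dn:
            plan.append(("manual-review", dn))  # no valid entry to merge into
            continue
        valid = {a.lower(): v for a, v in by_dn[valid_dn.lower()][1].items()}
        # 1. Merge: add the values the valid entry lacks.
        for attr, values in sorted(attrs.items()):
            if attr.lower() in SKIP_ATTRS:
                continue
            have = {v.lower() for v in valid.get(attr.lower(), [])}
            missing = [v for v in values if v.lower() not in have]
            if missing:
                plan.append(("modify-add", valid_dn, attr, missing))
        # 2. Move direct children of the conflict entry under the valid entry.
        for ckey in sorted(by_dn):
            if split_dn(ckey)[1] == key:
                plan.append(("moddn", by_dn[ckey][0], valid_dn))
        # 3. Delete the conflict entry last. The server may still refuse
        #    (managed entry, as in the quoted error); that stays a manual step.
        plan.append(("delete", dn))
    return plan

# Constructed sample data (not taken from the thread's directory).
BASE = "cn=hostgroups,dc=example,dc=test"
VALID = "cn=hg1," + BASE
CONFLICT = "cn=hg1+nsuniqueid=00000000-11111111-22222222-33333333," + BASE
SAMPLE = {
    VALID: {"cn": ["hg1"], "member": ["fqdn=a.example.test"]},
    CONFLICT: {"cn": ["hg1"], "member": ["fqdn=a.example.test", "fqdn=b.example.test"],
               "nsds5ReplConflict": ["namingConflict " + VALID]},
    "cn=child," + CONFLICT: {"cn": ["child"]},
}
```

Reviewing the printed plan against a snapshot such as ipabak_0 before any write keeps the restore-and-retry loop from the thread cheap.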