[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

[Harald Dunkel]

Hi Thierry,

On 01/24/17 15:01, thierry bordaz wrote:
>> Hopefully yes, but there were 2 conflicts that already made some
>> problems:
>>
>>     deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
>>     ldap_delete: Server is unwilling to perform (53)
>>             additional info: Deleting a managed entry is not allowed. It needs to be manually unlinked first.
>>
>>
>>     deleting entry "cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de"
>>     ldap_delete: Operations error (1)
>>
>> I got these problems before I became more careful with this.
> 
> This will be a difficulty to setup that script.
> You may be unable to delete some entries (managed entry, tombstones..).
> 
> I think one target of the script is to get the 'valid' entries at the expected level: having the expected set of attribute/values. A kind of merge of valid/conflict entries.
> Then you may have to moddn some conflict children under the valid entry.
> At the end, remove the conflict entries.

I agree. But I still need to work on a snapshot first, without
the risk of making things worse.

Would you suggest to disconnect ipabak from the network and ipa1,
cleanup the mess as far as possible, and then connect ipabak
to the network again to rely upon the regular replica synchroni-
zation?

> 
> As I said, setting up such script could take you more time than fixing manually the 43 conflicts.
> 

Maybe there is a misunderstanding about "script" here: Its not
a high-end shell script with man page and command line flags and
so on. It is just a sequence of variable assignments and commands
to run. Goal is to avoid having to type the same stuff twice, and
to make use of copy and paste in an editor. One key feature is to
get something reproducible.


Every helpful advice is highly welcome
Harri