[Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, <NULL>) [Internal Error (System error)]

Harald Dunkel harald.dunkel at aixigo.de
Tue Jan 31 14:37:45 UTC 2017


Hi Thierry,

On 01/30/17 09:10, thierry bordaz wrote:
> 
> I understand your concern and in fact it is difficult to anticipate a potential bad impact of this cleanup. However, I think it is safe to get rid of the following entry.
> Before doing so you may check it exists
> 
> cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the ipaservers_hostgoups.
> 
> dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
> mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
> objectClass: mepManagedEntry
> 
> 
> If you are willing to remove that entry you need to remove the mepmanagedEntry oc. So you need to remove the mepManagedBy and oc in the same operation
> 
> 
> Regarding the following entry
> dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
> objectClass: mepOriginEntry
> mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
> 
> You may want to check whether an entry it manages exists, looking for
> "(mepManagedBy=cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de)".
> If none exists, you should be able to remove it.
> 
> Also I think working on ipabak, you should be able to do some tests on the cleanup instance to validate everything is working fine.
> 

This looks like a pretty high risk, even if ipabak says everything
is fine.

The major problem was the failure on Debian Wheezy using the very old
sssd. This seems to be gone now by resolving the "easy" cases.

About the "hard" cases: AFAICS

ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de

doesn't list any hosts (the official entry does), and

cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de

points to the duplicate entry only. They are not referenced anywhere
else in the LDAP database. So I would suggest waiting to see if
I run into any problems here. Would you agree to this, or do you expect
problems later?


I highly appreciate your help

Regards
Harri





> regards
> thierry
> 
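
The reference check discussed in this thread (the "(mepManagedBy=...)" search and the observation that the conflict entries are not referenced anywhere else), run offline over an LDIF export, as an added example that is not part of the original messages. The LDIF is constructed: the two conflict DNs come from the thread, while the official entries' attributes and the host DN are assumptions.

```python
import re

# Constructed sample export. The two conflict DNs are the ones quoted in the
# thread; the official entries' attributes and the host DN are assumptions.
SAMPLE_LDIF = """\
dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
member: fqdn=ipa1.example.de,cn=computers,cn=accounts,dc=example,dc=de

dn: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
objectClass: mepManagedEntry
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de

dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de
objectClass: mepOriginEntry
mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de

dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de
objectClass: mepManagedEntry
mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles folded lines, not base64 values."""
    entries = {}
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries

def norm(dn):
    """Normalise a DN for comparison (case, and spacing around commas)."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())

def conflict_report(entries):
    """Map each conflict entry (nsuniqueid in its RDN) to the DNs that reference it."""
    conflicts = [dn for dn in entries if "nsuniqueid=" in norm(dn).split(",")[0]]
    return {dn: sorted(o for o, attrs in entries.items() if o != dn and any(
                norm(v) == norm(dn) for vs in attrs.values() for v in vs))
            for dn in conflicts}

if __name__ == "__main__":
    print(conflict_report(parse_ldif(SAMPLE_LDIF)))
```

An empty list for a conflict DN means no other entry in the export points at it through any attribute, which covers `mepManagedBy`, `mepManagedEntry` and `member` alike.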



