[Freeipa-users] deleting ipa user
Ludwig Krispenz
lkrispen at redhat.com
Wed Apr 29 14:28:01 UTC 2015
Can you do the following search on both servers?
ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx.... " "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 10:07 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 03:40 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 9:22 AM
>>>> To: thierry bordaz
>>>> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>>
>>>> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>>>>
>>>>
>>>> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Martin Kosek [mailto:mkosek at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 8:31 AM
>>>> To: Andy Thompson; freeipa-users at redhat.com
>>>> <mailto:freeipa-users at redhat.com> ; Ludwig Krispenz; Thierry
>>>> Bordaz
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>>>>
>>>> I'm trying to delete an IPA account and I get a generic "operations error"
>>>> when trying to remove it. It looks like something is messed up with the
>>>> group object. The user doesn't show up in the ipausers group and there also
>>>> isn't a group object for the user in question. Here is the error from the
>>>> attempt.
>>>>
>>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
>>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
>>>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
>>>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
>>>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
>>>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
>>>> This is the first time I see this error. CCing Ludwig or Thierry
>>>> to advise.
>>>>
>>>> Andy, please also include FreeIPA and 389-ds-base packages versions so that
>>>> Thierry and Ludwig know what to look at.
>>>>
>>>>
>>>> Here you go
>>>>
>>>> ipa-server-4.1.0-18.el7_1.3.x86_64
>>>> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>>>>
>>>> Thanks much
>>>>
>>>> -andy
>>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I wonder if it is not a similar issue to the one I hit in
>>>> https://fedorahosted.org/389/ticket/48165. What differs is the
>>>> '_update_all_per_mod' logs, but that could be a consequence of the same bug.
>>>>
>>>>
>>>> I think what differs is that in the ticket there is an attempt to delete
>>>> an existing entry, but in the log snippet provided it attempts to
>>>> delete a tombstone entry (an entry which was already deleted).
>>>> So the errors logged by DS seem to be ok, but why does IPA want to
>>>> delete an already deleted user? But maybe only the mep plugin finds a
>>>> tombstone and tries to delete it.
>>>>
>>>> What was the command executed, is the result the same if repeated ?
>>>>
>>>>
>>> I attempted using the web interface initially
>>> and then tried using ipa user-del <username> to see if it gave any more detail.
>> were both attempts at 2015:07:21:32 ? or do you have more errors in the
>> error log ?
> I had errors from the other delete attempts but they were the same errors at different times. I can send my entire log to you offline if it would be helpful.
>
>>> More info though, this is a replicated environment and I just tried deleting
>>> it on the replica server and it completed successfully so it appears I might
>>> have a replication issue going on? Hopefully I didn't mess something up
>>> doing that, should have checked the logs there first.
>> well, if you cannot delete on one server, but do it on the other this looks like
>> servers were not consistent before
>>> I see this in the logs on the replica
>>>
>>> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
>> now the replica tries to replicate the delete and has the same failures as your
>> direct delete. Do you have other replicas ? Is the delete replicated to other
>> replicas ?
> I've got two replicas. The initial error was on the first replica server I installed. I do not see the same error on the replica server. I was able to delete the user on the second replica using ipa user-del but now the "failed to replay" error above is cycling in the logs on the second replica. So it seems that the replica I tried to delete the user on initially is still trying to send a delete event to the second replica server and it is failing because the object is indeed gone from that replica since the delete completed successfully.
>
> -andy
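
The correlation the thread does by eye, as an added example (not part of the original messages and not FreeIPA or 389-ds code): it scans each server's error log for the two messages quoted above and reports any nsuniqueid that is deleted again as a tombstone on one server while the same CSN keeps failing to replay from another. The server names `ipa-a` and `ipa-b`, the function names, and the repeated replay line are assumptions constructed for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: the two messages quoted in the thread, placed in the error logs
# of two hypothetical servers; the replay line is repeated to model the retry loop.
SAMPLE_LOGS = {
    "ipa-a": '[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a '
             'tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,'
             'cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, '
             'cache_state: 0x0, refcnt: 1\n',
    "ipa-b": '[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - '
             'agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to '
             'replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN '
             '5540deb8000300030000): Operations error (1). Will retry later.\n' * 2,
}

UID = r"[0-9a-f]{8}(?:-[0-9a-f]{8}){3}"
TOMBSTONE_RE = re.compile(r'Turning a tombstone into a tombstone! "nsuniqueid=(%s),' % UID)
REPLAY_RE = re.compile(r'agmt="([^"]+)".*?Consumer failed to replay change '
                       r'\(uniqueid (%s), CSN ([0-9a-f]+)\)' % UID)

def correlate(logs):
    """logs: {server: error-log text} -> {uniqueid: {"retomb": servers, "replay": counts}}."""
    found = defaultdict(lambda: {"retomb": set(), "replay": defaultdict(int)})
    for server, text in logs.items():
        for line in text.splitlines():
            if m := TOMBSTONE_RE.search(line):
                found[m.group(1)]["retomb"].add(server)
            if m := REPLAY_RE.search(line):
                agmt, uid, csn = m.groups()
                found[uid]["replay"][(server, agmt, csn)] += 1
    return found

def stuck_deletes(logs, min_retries=2):
    """Entries deleted again as tombstones on one server while the same CSN
    keeps failing to replay from another: the inconsistency seen in the thread."""
    out = {}
    for uid, f in correlate(logs).items():
        looping = sorted(k for k, n in f["replay"].items() if n >= min_retries)
        if f["retomb"] and looping:
            out[uid] = {"tombstone_redelete_on": sorted(f["retomb"]), "looping": looping,
                        # search filter from the thread, to run against each server
                        "filter": "(&(objectclass=nstombstone)(nsuniqueid=%s))" % uid}
    return out
```

Each reported `filter` is the tombstone search from the top of this message, ready to run against every server to compare what each one holds for that entry.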