[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] deleting ipa user



> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz redhat com]
> Sent: Wednesday, April 29, 2015 12:28 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users redhat com
> Subject: Re: [Freeipa-users] deleting ipa user
> 
> On 04/29/2015 05:58 PM, Andy Thompson wrote:
> 
> 
> 			dn:
> 			nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> 
> 		f0abc1a8,cn=username,cn=groups,c
> 
> 			n=accounts,dc=mhbenp,dc=lin
> 			nscpentrywsi: dn:
> 			nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> 
> 		f0abc1a8,cn=username,cn=groups,c
> 
> 			n=accounts,dc=mhbenp,dc=lin
> 			nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: posixgroup
> 			nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: ipaobject
> 			nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000:
> 
> 		mepManagedEntry
> 
> 			nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: top
> 			nscpentrywsi: objectClass;vucsn-
> 5540deb8000300030000: nsTombstone
> 			nscpentrywsi:
> 			cn;vucsn-55364a42000500040000;mdcsn-
> 55364a42000500040000: gfeigh
> 			nscpentrywsi: gidNumber;vucsn-
> 55364a42000500040000: 1249000003
> 			nscpentrywsi: description;vucsn-
> 55364a42000500040000: User private
> 			group for username
> 			nscpentrywsi: mepManagedBy;vucsn-
> 55364a42000500040000: uid=
> 			username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 			nscpentrywsi: creatorsName;vucsn-
> 55364a42000500040000: cn=Managed
> 			Entries,cn=plugins,cn=config
> 			nscpentrywsi: modifiersName;vucsn-
> 55364a42000500040000: cn=Managed
> 			Entries,cn=plugins,cn=config
> 			nscpentrywsi: createTimestamp;vucsn-
> 55364a42000500040000:
> 			20150421130152Z
> 			nscpentrywsi: modifyTimestamp;vucsn-
> 55364a42000500040000:
> 			20150421130152Z
> 			nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-
> 99f1b343-f0abc1a8
> 			nscpentrywsi: ipaUniqueID;vucsn-
> 55364a42000500040000:
> 			94dc1638-e826-11e4-878a-005056a92af3
> 			nscpentrywsi: parentid: 4
> 			nscpentrywsi: entryid: 385
> 			nscpentrywsi: nsParentUniqueId: 3763f193-
> e76411e4-99f1b343-f0abc1a8
> 			nscpentrywsi: nstombstonecsn:
> 5540deb8000300030000
> 			nscpentrywsi: nscpEntryDN:
> 
> 	cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 			nscpentrywsi: entryusn: 52327
> 
> 			thought I tried that before, apparently not.
> 
> 		ok, so we have the entry on one server, the csn of the
> objectclass:
> 		tombstone is :
> 
> 		objectClass;vucsn-5540deb8000300030000: nsTombstone
> 
> 		, which matches the csn in the error log:
> 
> 		Consumer failed to replay change (uniqueid 7e1a1f87-
> e82611e4-99f1b343-
> 		f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
> so the state of
> 		the entry is as expected.
> 
> 		Now we nend to find it on the other server. If the search for
> the & filter with
> 		nstombstone does return nothing, could you try
> 
> 
> 	If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D
> "cn=directory manager" -W  -b "dc=mhbenp,dc=lin"
> "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter
> it returns nothing on the primary server
> 
> 	dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> 	memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 	memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-
> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> 	ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-
> 1003
> 	krbLastSuccessfulAuth: 20150421180533Z
> 	krbPasswordExpiration: 20150720180532Z
> 	userPassword::
> e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJ
> ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVh
> qTXQxUT09
> 	krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> 	krbPrincipalKey::
> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB
> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E
> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A
> 	0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd
> mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/l
> bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJT
> mdmZWlnaKFBMD
> 	+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz
> xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTEl
> OZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZ
> jwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
> 	krbLoginFailedCount: 0
> 	krbTicketFlags: 128
> 	krbLastPwdChange: 20150421180532Z
> 	krbLastFailedAuth: 20150421180457Z
> 	mepManagedEntry:
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> 	displayName: user name
> 	cn: User Name
> 	objectClass: ipaobject
> 	objectClass: person
> 	objectClass: top
> 	objectClass: ipasshuser
> 	objectClass: inetorgperson
> 	objectClass: organizationalperson
> 	objectClass: krbticketpolicyaux
> 	objectClass: krbprincipalaux
> 	objectClass: inetuser
> 	objectClass: posixaccount
> 	objectClass: ipaSshGroupOfPubKeys
> 	objectClass: mepOriginEntry
> 	objectClass: ipantuserattrs
> 	objectClass: nsTombstone
> 	loginShell: /bin/bash
> 	initials: GF
> 	gecos: User Name
> 	homeDirectory: /home/username
> 	uid: username
> 	mail: username mhbenp lin <mailto:username mhbenp lin>
> 	krbPrincipalName: username MHBENP LIN
> <mailto:username MHBENP LIN>
> 	givenName: User
> 	sn: name
> 	ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> 	uidNumber: 1249000003
> 	gidNumber: 1249000003
> 	nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> 
> 
> 
> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but
> is missing. Did you run the command with 'nscpentrywsi' requested attribute.
> May be nsuniqueid was hidden for that reason but I would be surprised.
> 
> nsuniqueid is a key element of replication. I wonder how replication can find
> the entry itself. nsuniqueid could be in the index but then the entry is
> corrupted.
> 
> 

If I request the nscpentrywsi attribute I get 

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: username mhbenp lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username MHBENP LIN
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]