[Freeipa-users] deleting ipa user
Andy Thompson
Andy.Thompson at e-tcc.com
Wed Apr 29 16:45:05 UTC 2015
> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 29, 2015 12:28 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 05:58 PM, Andy Thompson wrote:
>
>
> dn:
> nsuniqueid=7e1a1f87-e82611e4-99f1b343-
>
> f0abc1a8,cn=username,cn=groups,c
>
> n=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn:
> nsuniqueid=7e1a1f87-e82611e4-99f1b343-
>
> f0abc1a8,cn=username,cn=groups,c
>
> n=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: posixgroup
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: ipaobject
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000:
>
> mepManagedEntry
>
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-
> 5540deb8000300030000: nsTombstone
> nscpentrywsi:
> cn;vucsn-55364a42000500040000;mdcsn-
> 55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-
> 55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-
> 55364a42000500040000: User private
> group for username
> nscpentrywsi: mepManagedBy;vucsn-
> 55364a42000500040000: uid=
> username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-
> 55364a42000500040000: cn=Managed
> Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-
> 55364a42000500040000: cn=Managed
> Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-
> 55364a42000500040000:
> 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-
> 55364a42000500040000:
> 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-
> 99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-
> 55364a42000500040000:
> 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-
> e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn:
> 5540deb8000300030000
> nscpentrywsi: nscpEntryDN:
>
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.
>
> ok, so we have the entry on one server, the csn of the
> objectclass:
> tombstone is :
>
> objectClass;vucsn-5540deb8000300030000: nsTombstone
>
> , which matches the csn in the error log:
>
> Consumer failed to replay change (uniqueid 7e1a1f87-
> e82611e4-99f1b343-
> f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
> so the state of
> the entry is as expected.
>
> Now we nend to find it on the other server. If the search for
> the & filter with
> nstombstone does return nothing, could you try
>
>
> If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D
> "cn=directory manager" -W -b "dc=mhbenp,dc=lin"
> "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter
> it returns nothing on the primary server
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-
> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-
> 1003
> krbLastSuccessfulAuth: 20150421180533Z
> krbPasswordExpiration: 20150720180532Z
> userPassword::
> e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJ
> ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVh
> qTXQxUT09
> krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> krbPrincipalKey::
> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB
> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E
> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A
> 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd
> mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/l
> bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJT
> mdmZWlnaKFBMD
> +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz
> xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTEl
> OZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZ
> jwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry:
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: username at mhbenp.lin <mailto:username at mhbenp.lin>
> krbPrincipalName: username at MHBENP.LIN
> <mailto:username at MHBENP.LIN>
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 1249000003
> gidNumber: 1249000003
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>
>
>
> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but
> is missing. Did you run the command with 'nscpentrywsi' requested attribute.
> May be nsuniqueid was hidden for that reason but I would be surprised.
>
> nsuniqueid is a key element of replication. I wonder how replication can find
> the entry itself. nsuniqueid could be in the index but then the entry is
> corrupted.
>
>
If I request the nscpentrywsi attribute I get
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
More information about the Freeipa-users
mailing list