[Freeipa-users] deleting ipa user
Andy Thompson
Andy.Thompson at e-tcc.com
Wed Apr 29 17:15:02 UTC 2015
> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 29, 2015 1:07 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 06:45 PM, Andy Thompson wrote:
>
>
> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 29, 2015 12:28 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-
> users at redhat.com <mailto:freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 05:58 PM, Andy Thompson wrote:
>
>
> dn:
> nsuniqueid=7e1a1f87-e82611e4-
> 99f1b343-
>
> f0abc1a8,cn=username,cn=groups,c
>
> n=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn:
> nsuniqueid=7e1a1f87-e82611e4-
> 99f1b343-
>
> f0abc1a8,cn=username,cn=groups,c
>
> n=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: posixgroup
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: ipaobject
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000:
>
> mepManagedEntry
>
> nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-
> 5540deb8000300030000: nsTombstone
> nscpentrywsi:
> cn;vucsn-
> 55364a42000500040000;mdcsn-
> 55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-
> 55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-
> 55364a42000500040000: User private
> group for username
> nscpentrywsi:
> mepManagedBy;vucsn-
> 55364a42000500040000: uid=
>
> username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-
> 55364a42000500040000: cn=Managed
> Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-
> 55364a42000500040000: cn=Managed
> Entries,cn=plugins,cn=config
> nscpentrywsi:
> createTimestamp;vucsn-
> 55364a42000500040000:
> 20150421130152Z
> nscpentrywsi:
> modifyTimestamp;vucsn-
> 55364a42000500040000:
> 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-
> e82611e4-
> 99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-
> 55364a42000500040000:
> 94dc1638-e826-11e4-878a-
> 005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId:
> 3763f193-
> e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn:
> 5540deb8000300030000
> nscpentrywsi: nscpEntryDN:
>
>
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before,
> apparently not.
>
> ok, so we have the entry on one server, the
> csn of the
> objectclass:
> tombstone is :
>
> objectClass;vucsn-5540deb8000300030000:
> nsTombstone
>
> , which matches the csn in the error log:
>
> Consumer failed to replay change (uniqueid
> 7e1a1f87-
> e82611e4-99f1b343-
> f0abc1a8, CSN 5540deb8000300030000):
> Operations error (1)
> so the state of
> the entry is as expected.
>
> Now we nend to find it on the other server. If
> the search for
> the & filter with
> nstombstone does return nothing, could you
> try
>
>
> If I run ldapsearch -LLL -o ldif-wrap=no -H
> ldap://mdhixnpipa01 -x -D
> "cn=directory manager" -W -b "dc=mhbenp,dc=lin"
> "(&(objectclass=nstombstone))" I get below. If I add
> nsuniqueid to the filter
> it returns nothing on the primary server
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
>
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> memberOf:
> cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-
> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> ipaNTSecurityIdentifier: S-1-5-21-1257946092-
> 587846975-4124201916-
> 1003
> krbLastSuccessfulAuth: 20150421180533Z
> krbPasswordExpiration: 20150720180532Z
> userPassword::
>
> e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3
> U3lrMTJ
>
> ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NX
> piWVh
> qTXQxUT09
> krbExtraData::
> AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> krbPrincipalKey::
>
> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMB
> mgAwIB
>
> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF
> 2hLTC5E
>
> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A
>
> 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd
>
> mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQ
> WTt++y/l
>
> bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5
> QLkxJT
> mdmZWlnaKFBMD
>
> +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz
>
> xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJ
> FTlAuTEl
>
> OZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7
> CFCi4qZ
> jwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry:
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: username at mhbenp.lin
> <mailto:username at mhbenp.lin> <mailto:username at mhbenp.lin>
> <mailto:username at mhbenp.lin>
> krbPrincipalName: username at MHBENP.LIN
> <mailto:username at MHBENP.LIN>
> <mailto:username at MHBENP.LIN>
> <mailto:username at MHBENP.LIN>
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 1249000003
> gidNumber: 1249000003
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-
> f0abc1a8
>
>
>
> In fact, nsuniqueid does not appear in this entry. It is a
> distinguished RDN but
> is missing. Did you run the command with 'nscpentrywsi'
> requested attribute.
> May be nsuniqueid was hidden for that reason but I would
> be surprised.
>
> nsuniqueid is a key element of replication. I wonder how
> replication can find
> the entry itself. nsuniqueid could be in the index but then
> the entry is
> corrupted.
>
>
>
>
> If I request the nscpentrywsi attribute I get
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-
> 5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-
> 5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-
> 5540be0c000200040000: TRUE
> nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-
> 5537c2f5000200040000:
> cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: memberOf;vucsn-5537c2f5000200040000:
> ipaUniqueID=3897c894-e764-11e4-b05b-
> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-
> 5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-
> 587846975-4124201916-1003
> nscpentrywsi: krbLastSuccessfulAuth;adcsn-
> 55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
> nscpentrywsi: passwordGraceUserTime;adcsn-
> 55369200000400040000;vucsn-55369200000400040000: 0
> nscpentrywsi: krbPasswordExpiration;adcsn-
> 55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
> nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-
> 55369200000200040005:
> {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+
> KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
> nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-
> 55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-
> 55369200000200040003::
> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB
> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E
> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh
> 89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIB
> EaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaI
> WW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAw
> IBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEX
> PlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooT
> kwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1
> FH6/IbmDSvRMUVw8wE=
> nscpentrywsi: krbLoginFailedCount;adcsn-
> 55369200000200040002;vucsn-55369200000200040002: 0
> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-
> 55369200000200040001: 128
> nscpentrywsi: krbLastPwdChange;adcsn-
> 55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
> nscpentrywsi: krbLastFailedAuth;adcsn-
> 553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000:
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: displayName;vucsn-55364a42000100040000:
> UserName
> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> inetorgperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> organizationalperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> krbticketpolicyaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> krbprincipalaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> posixaccount
> nscpentrywsi: objectClass;vucsn-55364a42000100040000:
> ipaSshGroupOfPubKeys
> nscpentrywsi: objectClass;vucsn-55364a42000600040000:
> mepOriginEntry
> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000:
> ipantuserattrs
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000:
> nsTombstone
> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
> nscpentrywsi: initials;vucsn-55364a42000100040000: GF
> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000:
> /home/username
> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-
> 55364a42000100040000: username
> nscpentrywsi: mail;vucsn-55364a42000100040000:
> username at mhbenp.lin <mailto:username at mhbenp.lin>
> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000:
> username at MHBENP.LIN <mailto:username at MHBENP.LIN>
> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
> nscpentrywsi: sn;vucsn-55364a42000100040000: Name
> nscpentrywsi: creatorsName;vucsn-55364a42000100040000:
> uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000:
> 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-
> e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 3
> nscpentrywsi: entryid: 385
> nscpentrywsi: uidNumber: 1249000003
> nscpentrywsi: gidNumber: 1249000003
> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-
> f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> nscpentrywsi: nscpEntryDN:
> uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 57524
> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-
> 55369200000500040000;deletedattribute;deleted:
>
>
> Ok, so here is my understanding:
> on the second replica (where you succeed to do 'ipa user-del <username>' )
> the entry is looking:
Sorry that was from the replica where I tried to do the delete and failed. This is from the second replica where I successfully deleted the entry but now has the "failed to replay change" error being logged. I've run so many queries I'm starting to lose track :)
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-55369200000200040004: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040002;vucsn-55369200000200040002:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 384
nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52322
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>
>
>
> On the first replica (where you failed to delete the entry and where you can
> see the replication errors)
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>
>
> This is not the same entry. It is like two entries with the same 'uid' were
> created.
> Also note that those two entries were deleted on the same replica (replica
> ID=3: likely the second replica) almost at the same time.
>
> The errors is logged on the first replica about "
> nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
>
> So I think the entry you dumped on the first replica, is not the one we were
> looking at.
> The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should
> exists, but was not returned by the search.
>
>
>
More information about the Freeipa-users
mailing list