We have an entry which, after clicking delete on the UI, got partially deleted.
The compat tree entry is gone.
The accounts tree entry is there.
ldapsearch finds the entry by uid, but fails by dn.
ipa user-show <USERID> finds the user.
ipa user-del <USERID> says no such user.
ldapdelete fails to delete the entry by dn with err=32.
Web UI shows the user.
User content can be modified from the ipa CLI and web UI, like name and shell, but it cannot be deleted.
Other entries can be created and deleted without issue.
We have 4-way master-master replication. Tried the CLI on 3 and got the same result and issue.
The third is not touched and the entry is available there in both the accounts and compat trees.
ipa-server-4.6.4-10.el7.centos.3.x86_64
CentOS Linux release 7.6.1810 (Core)
On the fully broken master:
# <USERID>, users, accounts, cxn
dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
krbLoginFailedCount: 0
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
gidNumber: <GID>
uidNumber: <UID>
ipaUniqueID: <RANDOMUNIQUEID>
cn: BAZ
givenName: FOO
krbPrincipalName: <USERID>@CXN
mail: <MAIL>
homeDirectory: /home/<USERID>
sn: BAR
initials: cU
loginShell: /bin/false
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
krbCanonicalName: <USERID>@CXN
uid: <USERID>
mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
krbPasswordExpiration: 20170615133527Z
krbLastPwdChange: 20170615133527Z
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
On the untouched master:
# <USERID>, users, compat, cxn
dn: uid=<USERID>,cn=users,cn=compat,dc=cxn
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: BAZ
cn: BAZ
uidNumber: <UID>
gidNumber: <GID>
loginShell: /bin/false
homeDirectory: /home/<USERID>
ipaAnchorUUID:: somerandomuuid
uid: <USERID>
# <USERID>, users, accounts, cxn
dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
gecos: FOO BAR
displayName: FOO BAR
krbLastAdminUnlock: 20190807124134Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group1,cn=groups,cn=accounts,dc=cxn
memberOf: cn=group2,cn=groups,cn=accounts,dc=cxn
gidNumber: <GID>
krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
krbLastPwdChange: 20170615133527Z
krbPasswordExpiration: 20170615133527Z
mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
uid: <USERID>
krbCanonicalName: <USERID>@CXN
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/false
initials: cU
sn: BAR
homeDirectory: /home/<USERID>
mail: <MAIL>
krbPrincipalName: <USERID>@CXN
givenName: FOO
cn: BAZ
ipaUniqueID: randomuniqueid
uidNumber: <UID>
--
Sándor Juhász
System Administrator
ChemAxon Kft.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden rcritten@redhat.com wrote:
Can you check to see if the group entry exists, cn=<USERID>,cn=groups,cn=accounts,dc=cxn via ldapsearch?
rob
Sandor Juhasz wrote:
Was detached and deleted prior to the user's deletion. First modified by:
dn: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy

Then deleted.
On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden rcritten@redhat.com wrote:
I don't know if this is the issue or not but the user still shows:
objectClass: mepOriginEntry
mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
What led you to manually disconnect the group?
rob
On Wed, Aug 7, 2019 at 4:21 PM Sandor Juhasz sjuhasz@chemaxon.com wrote:
In many cases for service users the matching group was created by either error or mistake. Those service users are mostly under some group collecting them, also assigned as their GID. So the leftovers were detached and deleted, so there is less confusion. So far there were no issues like this.
On Wed, Aug 7, 2019 at 4:32 PM Sandor Juhasz sjuhasz@chemaxon.com wrote:
You have found the key, I guess: it is related to the mepManagedEntry. The issue can be reproduced. Detaching and deleting the managed group results in the non-deletable user. Now the question is, how do I get out of it?
Sandor Juhasz via FreeIPA-users wrote:
I was able to cheat it on the replica where the user was not partially deleted. I had to recreate and reattach the deleted group, then detach it with ipa group-detach, then delete the user. Then the replication took care of the rest of the masters and purged the remainders.
Any idea how to do it easier? I cannot refer to the user by dn, because when I try, even with a non-problematic user, I get no such object. Any idea?
On Wed, Aug 7, 2019 at 7:15 PM Rob Crittenden rcritten@redhat.com wrote:
I'm not sure what you mean about the dn or why you used the ldapmodify instead of group-detach in the first place.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Sandor Juhasz via FreeIPA-users wrote:
The question was how to refer to the user entity, as it has two DNs, in the accounts and compat trees.
Anyway. I have done the manual detach because I found that solution suggested by someone here on the list and I was stupid enough not to investigate further. I was able to fix all broken entities by re-adding and reattaching the groups and detaching them again with ipa group-detach. That fixed the users as well. Thanks for your help.
On Thu, 08 Aug 2019, Sandor Juhasz via FreeIPA-users wrote:
> The question was how to refer to the user entity, as it has two DNs: one in the accounts tree and one in the compat tree.

You should ignore the compat tree when using the ipa CLI. It doesn't look there at all, and the compat tree entry is always regenerated when changes happen to the primary entry.

> Anyway, I did the manual detach because I found that solution suggested by someone here on the list and I was stupid enough not to investigate further. I was able to fix all broken entities by re-adding and reattaching the groups and detaching them again with ipa group-detach. That fixed the users as well. Thanks for your help.
>
> --
> *Sándor Juhász*
> System Administrator
> *ChemAxon* *Kft*.
> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> Cell: +36704258964
>
> On Wed, Aug 7, 2019 at 7:15 PM Rob Crittenden <rcritten@redhat.com> wrote:
> > Sandor Juhasz via FreeIPA-users wrote:
> > > I was able to cheat it on the replica where the user was not partially deleted. I had to recreate and reattach the deleted group, then detach it with ipa group-detach, then delete the user. Then the replication took care of the rest of the masters and purged the remainders.
> > > Any idea how to do it easier? I cannot refer to a user by DN, because when I try, even with a non-problematic user, I get "no such object". Any idea?
> >
> > I'm not sure what you mean about the dn or why you used the ldapmodify instead of group-detach in the first place.
> >
> > rob
> >
> > > --
> > > *Sándor Juhász*
> > > System Administrator
> > > *ChemAxon* *Kft*.
> > > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > > Cell: +36704258964
> > >
> > > On Wed, Aug 7, 2019 at 4:32 PM Sandor Juhasz <sjuhasz@chemaxon.com> wrote:
> > > > You have found the key, I guess: it is related to the mepManagedEntry. The issue can be reproduced. Detaching and deleting the managed group results in a user that cannot be deleted. Now the question is, how do I get out of it?
> > > >
> > > > --
> > > > *Sándor Juhász*
> > > > System Administrator
> > > > *ChemAxon* *Kft*.
> > > > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > > > Cell: +36704258964
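The broken state in this thread is a user that still carries objectClass mepOriginEntry and a mepManagedEntry pointer to a group that was detached by hand (mepManagedBy removed with ldapmodify) and then deleted. As an added example, not from the thread or from FreeIPA itself, here is a Python check that reads LDIF in the shape ldapsearch -LLL prints for the users and groups containers and reports users whose managed-entry link is dangling; the sample LDIF and the users alice, carol and bob are constructed.

```python
import re
# Constructed sample LDIF, modelled on this thread: alice's managed group was
# deleted by hand, carol's was detached via ldapmodify (mepManagedBy removed)
# without touching the user, and bob's user/group pair is healthy.
USERS_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=cxn
objectClass: mepOriginEntry
mepManagedEntry: cn=alice,cn=groups,cn=accounts,dc=cxn

dn: uid=carol,cn=users,cn=accounts,dc=cxn
objectClass: mepOriginEntry
mepManagedEntry: cn=carol,cn=groups,cn=accounts,dc=cxn

dn: uid=bob,cn=users,cn=accounts,dc=cxn
objectClass: mepOriginEntry
mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=cxn
"""
GROUPS_LDIF = """\
dn: cn=bob,cn=groups,cn=accounts,dc=cxn
mepManagedBy: uid=bob,cn=users,cn=accounts,dc=cxn

dn: cn=carol,cn=groups,cn=accounts,dc=cxn
"""

def parse_ldif(text):
    """Minimal ldapsearch -LLL reader: unfolds continuations, keys entries by lower-cased DN."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():  # join folded lines
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")  # "attr: v" or "attr:: b64"
                attrs.setdefault(name.lower(), []).append(value.lstrip(": "))
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def dangling_managed_entries(users, groups):
    """(user_dn, group_dn, reason) for mepOriginEntry users whose managed-entry link is broken."""
    findings = []
    for user in users.values():
        if "meporiginentry" not in {c.lower() for c in user.get("objectclass", [])}:
            continue
        for target in user.get("mepmanagedentry", []):
            group = groups.get(target.lower())  # DN comparison is case-insensitive
            if group is None:
                findings.append((user["dn"][0], target, "target group missing"))
            elif user["dn"][0].lower() not in map(str.lower, group.get("mepmanagedby", [])):
                findings.append((user["dn"][0], target, "group lacks mepManagedBy back-link"))
    return findings
```

Feed it the ldapsearch output of the users and groups containers; each finding is a user on which ipa user-del will fail the way the thread describes until the group is recreated, reattached and detached with ipa group-detach.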