| Summary: | ipa user-find can not show preserved user | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | fnie |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | dkupka, fnie, pvoborni, rcritten, tbordaz |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-07 12:12:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
fnie
2016-09-08 04:27:52 UTC
How did you preserve the users? I.e. we need very specific reproduction steps in order to help.

We use the HTTP API of the IPA server to change the user to preserved. And I found an error message when I try to undel this user; it got:

```
-sh-4.2$ ipa user-undel lfernandes
ipa: ERROR: Operations error:
-sh-4.2$
```

```
[Thu Sep 08 11:50:01.441460 2016] [:error] [pid 27106] ipa: INFO: [jsonserver_kerb] fnie_@xxxxx: user_undel(u'lfernandes', version=u'2.156'): DatabaseError
```

Works for me:

```
$ head -n 2 /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.2 (Maipo)"
$ ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
$ ipa user-add --first Test --last User
User login [tuser]:
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: Test
  Last name: User
  Full name: Test User
  Display name: Test User
  Initials: TU
  Home directory: /home/tuser
  GECOS: Test User
  Login shell: /bin/sh
  Kerberos principal: tuser
  Email address: tuser
  UID: 468400011
  GID: 468400011
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
$ ipa user-del --preserve tuser
--------------------
Deleted user "tuser"
--------------------
$ ipa user-find --preserved=TRUE --sizelimit=10
--------------
1 user matched
--------------
  User login: tuser
  First name: Test
  Last name: User
  Home directory: /home/tuser
  Login shell: /bin/sh
  Email address: tuser
  UID: 468400011
  GID: 468400011
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
$ ipa user-undel tuser
------------------------------
Undeleted user account "tuser"
------------------------------
```

fnie, what exact version of IPA do you use? Does the workflow in comment 4 work for you? If not, is it only for a certain user or for all users? Or for a certain kind of users, e.g. only migrated ones?

```
-sh-4.2$ ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
---------
-sh-4.2$ ipa user-find --preserved=TRUE --sizelimit=100 lfernandes
--------------
1 user matched
--------------
  User login: lfernandes
  First name: lfernandes
  Last name: lfernandes
  Home directory: /home/lfernandes
  Login shell: /bin/sh
  Email address: lfernandes.ebayc3.com
  UID: 100006806
  GID: 100006806
  Job Title: Migrate User Accounts 20160823
  Account disabled: True
  Preserved user: True
  Password: False
  Kerberos keys available: False
----------------------------
Number of entries returned 1
----------------------------
-sh-4.2$ ipa user-undel lfernandes
ipa: ERROR: Operations error:
```

This only happens on this user account, which also has an issue when checking it out in the IPA UI: you can NOT see it in the IPA UI, but you can find it with the ipa command, and you can NOT un-del it.

I meant the package version: `$ rpm -q ipa-server`

For the `$ ipa user-find --preserved=TRUE --sizelimit=100 lfernandes` failure: please enable debug logging in the administration framework: https://www.freeipa.org/page/Troubleshooting#Administration_Framework, restart the http server (`# systemctl restart httpd.service`) and attach the relevant (check times) parts of /var/log/httpd/error_log, /var/log/dirsrv/slapd-EXAMPLE-COM/access and /var/log/dirsrv/slapd-EXAMPLE-COM/errors.

Thierry, do you remember how memberof and mepManagedEntry (user private group) behave in the undel command? Should they be present in a preserved user?

Hi,

```
sh-4.2$ rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
-sh-4.2 ipa user-find --preserved=TRUE --sizelimit=100 lfernandes
```

This command does not fail; I am saying the UI does not show it.

This is the http log:

```
[Tue Sep 13 16:01:59.702392 2016] [:error] [pid 20598] ipa: INFO: [jsonserver_session] fnie_.COM: user_find(u'lfernandes', preserved=True, sizelimit=100, whoami=False, all=False, raw=False, version=u'2.156', no_members=False, pkey_only=False): SUCCESS
[Tue Sep 13 16:02:18.687675 2016] [:error] [pid 20703] ipa: INFO: [jsonserver_session] fnie_.COM: user_undel(u'lfernandes', version=u'2.156'): DatabaseError
```

ldap access log:

```
[13/Sep/2016:16:33:38 +0000] conn=224202 op=4 RESULT err=32 tag=101 nentries=0 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=5 SRCH base="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName"
[13/Sep/2016:16:33:38 +0000] conn=224202 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=6 SRCH base="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[13/Sep/2016:16:33:38 +0000] conn=224202 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=7 MODRDN dn="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" newrdn="uid=lfernandes" newsuperior="cn=users,cn=accounts,dc=eaz,dc=ebayc3,dc=com"
[13/Sep/2016:16:33:39 +0000] conn=224202 op=7 RESULT err=1 tag=109 nentries=0 etime=1 csn=57d82a65000000040000
[13/Sep/2016:16:33:39 +0000] conn=224202 op=8 UNBIND
[13/Sep/2016:16:33:39 +0000] conn=224202 op=8 fd=115 closed - U1
```

I did not find any error log related to this action.

Regarding the memberof and mep plugins during 'undel': a preserved user is not a member of any group, so when the entry is moved back to cn=users,cn=accounts,SUFFIX it is like a 'user-add' of a new entry that will/should not contain any 'memberof' value. The previous managed entry (UPG group) was deleted when the entry was preserved. When the entry is moved back a new managed group should be created (as long as it is a posixaccount and description != __no_upg__).

Regarding the error 'unwilling to perform', the error log may provide additional info. I will try to reproduce the test case.

Just to be sure I understand your situation correctly, I will summarize it as I see it and ask a bunch of probably silly questions.

1. You've added X users, from which you've deleted-preserved Y users.
2. Running `$ ipa user-find --preserved=TRUE --sizelimit=100` shows all but one (lfernandes) of the Y preserved users. The other preserved users are listed as expected.
3. Running `$ ipa user-find --preserved=TRUE --sizelimit=100 lfernandes` shows the user as expected.
4. Navigating to Identity->Users->Preserved users in the WebUI lists all but one (lfernandes) of the Y preserved users.

Is my understanding correct? Is Y less than 100 (the size limit)? Is the user listed in a search without size limit (`$ ipa user-find --preserved=True`)? Is the user listed in a search for a substring of his user name (`$ ipa user-find --preserved=True lfern`)? Does `$ ldapsearch -Y GSSAPI "uid=lfernandes"` show the user entry? Could you please paste information about the user you've used to delete, search and undel lfernandes (`$ ipa user-find --all --raw --principal fnie_.COM`)?

> 1. You've added X users, from which you've deleted-preserved Y users.

Do you mean I added other users after I preserved the Y (lfernandes) user? Yes, I added lots of users and preserved lots, and then tried to un-preserve them all. I added more than 100 users, tried to preserve more than 100 users, and then tried to un-preserve them all; it only failed on (lfernandes).

> 2. Running `$ ipa user-find --preserved=TRUE --sizelimit=100` shows all but one (lfernandes) of the Y preserved users. The other preserved users are listed as expected.

The command output returns fine; all preserved users are returned as expected.

> 3. Running `$ ipa user-find --preserved=TRUE --sizelimit=100 lfernandes` shows the user as expected.

Yes, specifying the user also works.

> 4. Navigating to Identity->Users->Preserved users in the WebUI lists all but one (lfernandes) of the Y preserved users.

Yes, I can only see the other preserved users; only (lfernandes) does not show up.

> Is the user listed in a search without size limit (`$ ipa user-find --preserved=True`)?

Yes, I just added the sizelimit as a condition. I note the log says there is a database error when I try to un-preserve this user. How can I get the detailed error message?

Thanks for all your feedback and explanation. To help us understand the issue, we would need more data.

- Failing to retrieve ('ipa user-find --preserved=true') the 'lfernandes' entry.

Would you run the following commands and provide the output and access/error logs (under /etc/dirsrv/slapd-<instance>)?

```
date
ldapsearch -D "cn=directory manager" -w xxxx -scope base -o ldif-wrap=no -b "uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" "(objectclass=*)" -LLL dn
date
ldapsearch -D "cn=directory manager" -w xxxx -scope sub -o ldif-wrap=no -b "uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" "(objectclass=*)" -LLL dn
date
ldapsearch -D "cn=directory manager" -w xxxx -scope sub -o ldif-wrap=no -b "cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" "(objectclass=*)" -LLL dn | grep 'uid=lfernandes'
date
ldapsearch -D "cn=directory manager" -w xxxx -scope sub -o ldif-wrap=no -b "cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" "(objectclass=*)" -LLL dn | wc -l
```

- Failing undelete ('ipa user-undel lfernandes').

Would you run the following commands and provide the output and access/error logs (under /etc/dirsrv/slapd-<instance>)?

```
date
ldapsearch -D "cn=directory manager" -w xxxx -scope sub -o ldif-wrap=no -b "cn=users,cn=accounts,dc=eaz,dc=ebayc3,dc=com" '(uid=lfernandes)' -LLL
<set the plugin log level: nsslapd-errorlog-level=65536 >
date
ipa user-undel lfernandes
```

See http://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting for the log level setting.

```
-sh-4.2$ ldapsearch -D "cn=admin" -w xxxx -o ldif-wrap=no -b "uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" "(objectclass=*)" -LLL dn
ldap_bind: No such object (32)
```

The command fails because of the use of 'cn=admin' (which does not exist) in place of 'cn=directory manager'. For grabbing the data (https://bugzilla.redhat.com/show_bug.cgi?id=1374139#c17) I prefer the use of 'cn=directory manager' to prevent any ACI impact.

Closing for inactivity.
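The diagnostic work in this thread comes down to reading the 389-ds access log and pairing each request (the `SRCH` on the preserved entry, the `MODRDN` that moves it back under `cn=users`) with its `RESULT` line, so that the `err=1` (operationsError) on the rename stands out from the harmless `err=32` (noSuchObject) on the earlier lookup. The following script is an added example and is not part of the bug report or of the FreeIPA/389-ds projects; it parses the exact access log excerpt quoted above and reports every operation that returned a non-zero LDAP result code, inferring the operation type from the response tag when the request line itself is missing from the excerpt (as it is for op=4). The error-code and tag tables are deliberately limited to the RFC 4511 values relevant here.

```python
import re
from collections import OrderedDict

# 389-ds access log excerpt, copied from the thread above (conn=224202 is the undel attempt).
ACCESS_LOG = """\
[13/Sep/2016:16:33:38 +0000] conn=224202 op=4 RESULT err=32 tag=101 nentries=0 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=5 SRCH base="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" scope=0 filter="(objectClass=*)" attrs="distinguishedName"
[13/Sep/2016:16:33:38 +0000] conn=224202 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=6 SRCH base="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[13/Sep/2016:16:33:38 +0000] conn=224202 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Sep/2016:16:33:38 +0000] conn=224202 op=7 MODRDN dn="uid=lfernandes,cn=deleted users,cn=accounts,cn=provisioning,dc=eaz,dc=ebayc3,dc=com" newrdn="uid=lfernandes" newsuperior="cn=users,cn=accounts,dc=eaz,dc=ebayc3,dc=com"
[13/Sep/2016:16:33:39 +0000] conn=224202 op=7 RESULT err=1 tag=109 nentries=0 etime=1 csn=57d82a65000000040000
[13/Sep/2016:16:33:39 +0000] conn=224202 op=8 UNBIND
[13/Sep/2016:16:33:39 +0000] conn=224202 op=8 fd=115 closed - U1
"""

# Subset of LDAP result codes (RFC 4511) that matter for this diagnosis.
LDAP_ERR = {0: "success", 1: "operationsError", 32: "noSuchObject", 53: "unwillingToPerform"}
# LDAP response message tags (RFC 4511 application tags) as logged in the RESULT line.
LDAP_TAG = {97: "BindResponse", 101: "SearchResultDone", 103: "ModifyResponse",
            105: "AddResponse", 107: "DelResponse", 109: "ModifyDNResponse"}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
TARGET_RE = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')


def parse_access_log(text):
    """Group access log lines by (conn, op), pairing each request with its RESULT line."""
    ops = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an operation line (e.g. connection-open lines)
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        entry = ops.setdefault(key, {"conn": key[0], "op": key[1], "ts": m['ts'],
                                     "request": None, "target": None,
                                     "err": None, "tag": None, "nentries": None})
        r = RESULT_RE.match(rest)
        if r:
            entry["err"] = int(r['err'])
            entry["tag"] = int(r['tag'])
            entry["nentries"] = int(r['n'])
        elif " closed " in rest:
            continue  # "fd=N closed - U1" records the connection close, not an operation
        elif entry["request"] is None:
            entry["request"] = rest.split(" ", 1)[0]  # SRCH, MODRDN, UNBIND, ...
            t = TARGET_RE.search(rest)
            entry["target"] = t['dn'] if t else None
    return list(ops.values())


def failed_operations(text):
    """Return the operations whose RESULT carried a non-zero LDAP error code, decoded."""
    failed = []
    for e in parse_access_log(text):
        if e["err"] is None or e["err"] == 0:
            continue
        failed.append({
            **e,
            "err_name": LDAP_ERR.get(e["err"], "unknown(%d)" % e["err"]),
            # The tag identifies the operation even when its request line is not in the excerpt.
            "response": LDAP_TAG.get(e["tag"], "tag=%s" % e["tag"]),
        })
    return failed


if __name__ == "__main__":
    for f in failed_operations(ACCESS_LOG):
        print("conn=%(conn)d op=%(op)d %(request)s -> %(response)s err=%(err)d (%(err_name)s) "
              "target=%(target)s" % f)
```

Run against the excerpt it prints two lines: op=4, a search (SearchResultDone) that returned noSuchObject, and op=7, the MODRDN from `cn=deleted users` to `cn=users` that returned operationsError; the second is the one the maintainers asked to correlate with the errors log at the raised plugin log level. On a full access log the same pairing lets you pick out only the failed operations of a given `conn=` rather than reading every line.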