Hi all,
I've run into an issue with RetroCL (I think) on our IPA server. This is the sole master, there is no replication:
# ipa-replica-manage list
<ipa-hostname>: master
The problem appeared during an attempted group rename, but every subsequent attempt to make a change results in the same error:
[27/Jan/2020:11:29:49.590558266 +0000] - ERR - managed-entries-plugin - mep_rename_managed_entry - Unable to rename managed entry "cn=matstudio2016,cn=groups,cn=accounts,<domain>" to "cn=matstudio,cn=groups,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:11:29:49.897693314 +0000] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[27/Jan/2020:13:23:16.986652546 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:16.989427768 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:16.993607315 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:16.998637893 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:17.001620504 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:17.005510536 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:55.016578895 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264302, dn = changenumber=264302,cn=changelog: Already exists.
[27/Jan/2020:13:23:55.020029522 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
I note that the changenumber decreased by 1 as well. Unfortunately the access log has rotated several times since the change, so I can't extract anything from there. My colleague did have a record of the commands that were run:
# ipa user-mod --rename=matstudio matstudio2016
# ipa user-mod --rename=matstudio2016 matstudio
# ipa user-mod --rename=matstudio matstudio2016
There is no group-mod command, so I assume that the group rename attempt was ipa trying to rename the private group matstudio2016 to matstudio, which already existed:
# ipa group-show matstudio2016
Group name: matstudio2016
Description: User private group for matstudio2016
GID: 99999
# ipa group-show matstudio
Group name: matstudio
Description: blanked
GID: 11008
Member users: blanked
I've tried to delete the groups, both via ipa and ldapmodify (tried to remove the mepManagedEntry objectclass and mepManagedBy attribute), but always encounter the changelog error. Alas there is no backup prior to this change from which to restore, so I am trying to fix things online. Thankfully authorisation and authentication are still working for now, but we can't add users, modify groups, etc.
Incidentally, ipa user-show --all --raw returns nothing for either uid, but ldapsearch does. The old user (matstudio2016) and group (matstudio) were migrated at least once from the ipa database of older clusters, possibly twice. I've pulled out the pertinent entries from each record:
# ldapsearch -Y GSSAPI uid=matstudio2016
# matstudio, users, accounts, <domain>
dn: uid=matstudio,cn=users,cn=accounts,<domain>
displayName: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
krbCanonicalName: matstudio@<domain>
uidNumber: 99999
gidNumber: 11008
krbPrincipalName: matstudio@<domain>
givenName: MatStudioAccount
homeDirectory: <path-to>/matstudio
ipaUniqueID: 6e8f1900-b044-11e8-be99-00a1dafce440
mepManagedEntry: cn=matstudio2016,cn=groups,cn=accounts,<domain>
memberOf: ipaUniqueID=b7b3447a-b02c-11e8-9fe1-00a1dafce440,cn=hbac,<domain>
uid: matstudio
# ldapsearch -Y GSSAPI uid=matstudio
# matstudio, users, compat, <domain>
dn: uid=matstudio,cn=users,cn=compat,<domain>
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
uidNumber: 99999
gidNumber: 11008
loginShell: /bin/bash
homeDirectory: <path-to>/matstudio
ipaAnchorUUID:: OklQQTpwcmkuY3NmMy5hbGNlcy5uZXR3b3JrOjZlOGYxOTAwLWIwNDQtMTFlOC
1iZTk5LTAwYTFkYWZjZTQ0MA==
uid: matstudio
I'm scratching my head here; any suggestions will be most gratefully received!
Thanks,
Mark
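An added example, not part of Mark's post or of the 389-ds/FreeIPA code base: a small Python parser for the errors-log format shown above. It pulls out every RetroCL write_replog_db failure with its change number, flags the change number moving backwards (the 264303 to 264302 step noted in the post), and lists the managed-entry DNs that the managed-entries plugin reported as already existing, so the same check can be run over a full errors log rather than a hand-picked excerpt. The sample lines are copied from the post; the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 389-ds errors log line, as seen in the post:
# [timestamp] - LEVEL - component - function - message
# Some lines (e.g. ldbm_back_modrdn) have no separate function field, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<component>[^ ]+) - "
    r"(?:(?P<function>[^ ]+) - )?(?P<message>.*)$"
)
CHANGENUM_RE = re.compile(r"adding change number (?P<num>\d+)")
MEP_RE = re.compile(r'Unable to (?P<op>rename|add) managed entry "(?P<dn>[^"]+)"(?: to "(?P<target>[^"]+)")?')

# Sample input: the errors-log excerpt copied from the post (domain already redacted there).
SAMPLE_LOG = """\
[27/Jan/2020:11:29:49.590558266 +0000] - ERR - managed-entries-plugin - mep_rename_managed_entry - Unable to rename managed entry "cn=matstudio2016,cn=groups,cn=accounts,<domain>" to "cn=matstudio,cn=groups,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:11:29:49.897693314 +0000] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[27/Jan/2020:13:23:16.986652546 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:16.989427768 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:16.993607315 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:16.998637893 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:17.001620504 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:17.005510536 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:55.016578895 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264302, dn = changenumber=264302,cn=changelog: Already exists.
[27/Jan/2020:13:23:55.020029522 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
"""


@dataclass
class LogEvent:
    ts: str
    level: str
    component: str
    function: Optional[str]
    message: str
    changenumber: Optional[int] = None  # set for RetroCL write_replog_db lines


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one errors-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = LogEvent(m["ts"], m["level"], m["component"], m["function"], m["message"])
    cn = CHANGENUM_RE.search(ev.message)
    if cn:
        ev.changenumber = int(cn["num"])
    return ev


def parse_log(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def retrocl_collisions(events: List[LogEvent]) -> List[int]:
    """Change numbers the RetroCL plugin failed to write because the entry already existed."""
    return [
        ev.changenumber
        for ev in events
        if ev.component == "DSRetroclPlugin" and ev.function == "write_replog_db"
        and ev.changenumber is not None and "Already exists" in ev.message
    ]


def changenumber_regressions(events: List[LogEvent]) -> List[Tuple[int, int]]:
    """(previous, current) pairs where a later write_replog_db attempt used a lower change number."""
    regressions, last = [], None
    for ev in events:
        if ev.function != "write_replog_db" or ev.changenumber is None:
            continue
        if last is not None and ev.changenumber < last:
            regressions.append((last, ev.changenumber))
        last = ev.changenumber
    return regressions


def mep_conflicts(events: List[LogEvent]) -> List[str]:
    """Sorted, de-duplicated managed-entry DNs that managed-entries-plugin reported as already existing."""
    dns = set()
    for ev in events:
        if ev.component != "managed-entries-plugin":
            continue
        m = MEP_RE.search(ev.message)
        if m and "Already exists" in ev.message:
            # for a rename the colliding DN is the target; for an add it is the entry itself
            dns.add(m["target"] if m["op"] == "rename" else m["dn"])
    return sorted(dns)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("RetroCL collisions:", retrocl_collisions(evs))
    print("change number regressions:", changenumber_regressions(evs))
    print("managed-entry conflicts:", mep_conflicts(evs))
```

Run against a full /var/log/dirsrv/slapd-*/errors file, a regression such as (264303, 264302) is the signal to look for: the RetroCL plugin is re-using change numbers that already exist under cn=changelog, which is why every later write fails with result 68 (entryAlreadyExists) and the managed-entries plugin never gets to finish its rename or add.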