New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
9.1.7 occ user:delete fails with moved users #30170
Comments
GitMate.io thinks the contributor most likely able to help you is @PVince81. Possibly related issues are #29856 (Upgrade 9.1.6 to 9.1.7 fails), #26677 (occ upgrade fails with Sabre\VObject\Recur\NoInstancesException), #17061 (Semicolon not supported in commands), #28112 (Not all users are populated in the user list when 'everyone' is selected.), and #7052 (Active directory primary group membership not honored). |
@owncloud/ldap |
You can try to use the |
@jvillafanez Thanks for the idea!
Same result with --force switch.
|
When i login to the webinterface as admin and go to the "manage user" page the moved users are displayed at their new location as userid_1234 instead of just userid.
|
I wonder if this has something to do with the usernames not being unique... I did a quick test with the default configuration and I didn't notice anything strange.
This happens because the username (in your case, the uid) must be unique, so when we try to insert it to the DB we add a random number to prevent a collision with the other one. The other problem is that we can't detect movements in the LDAP server. What we see is an added user entry and a removed user entry. I'm not sure what we do with the removed entry in 9.1.7 but the added entry might kick in first, which will likely cause a collision with the previous information we have from it. To keep debugging this, in the oc_ldap_user_mapping table, check if there are rows with the same directory uuid. There shouldn't be duplicates. |
@jvillafanez Thanks for your time. I checked for uniqueness of all the directory_uuid in the table. To do this I dumped all directory_uuid entries to a file and did the following:
So every entry is unique. Out-of-the-blue ideas:
|
You can also check the oc_preferences tables, filtering by the target userid. The target user should have an entry like:
That is what is preventing the deletion. Ideally, using the Just to make sure, could you show the output of the The expected output should be something like:
|
@jvillafanez Hi the information is in previous comments. Here both the check-user followed by the user:delete commands.
Same result with --force switch.
Searching in oc_preferences indeed shows isDeleted for the userid before moving to another OU.
|
I think what's happening is the following:
Could you verify if what I've said is correct? Is this a production instance? I'd rather not suggest risky things such a manually fiddling the DB if this is the case. |
@jvillafanez Sorry that it took me so long to reply. Yes it is a production instance.
I think you are correct. Here are two examples. I anonymized with more readable names pparker (Peter Parker) and ldavinci (Leonardo Davinci).
|
Any chance to update to 10.0.5? Being a production instance I'd rather not to touch anything manually, and I still need to reproduce the problem. The soonest would be with 9.1.8. For 10.0.x the behaviour has changed, so at least for LDAP, the user:delete will delete the account data although the user can still be retrieved from LDAP. I'm not sure how it will behave in your environment so make a backup of everything in order to rollback if something goes wrong. |
Checked from a clean 10.0.5 instance, the movement works fairly well. The moved accounts will be detected as non-existent, so you'll have the option to disable or remove the accounts. Since you've moved the accounts, you should disable the accounts and manually reenable them afterwards. As said, this is from a clean 10.0.5 instance. The update from 9.1.7 with your scenario is yet to be tested. |
I think what happened is that you didn't move the entries but copied and delete them, or at least the process seems to be that way. At some point ownCloud has detected both LDAP entries as valid, otherwise I can't reproduce the problem even in 9.1.7. Upgrading to 10.0.5 won't solved the problem because only one of those entry will generate a valid account (the existing entry). This means that the other entry will remain unaccesible because it doesn't have a valid account. Whether intentionally or accidentally, this is a case of uid duplication, which is something admins must avoid. This is why we're recommending not to use the LDAP uid and use the default objectguid (the ugly alphanumeric characters)
Note that the objectguid is different for both entries in my case. As said, upgrading to 10.0.5 won't solve the problem, but it should mitigate the problem because you'll sync the user data on demand, which means that you won't sync data until all the changes are applied to the LDAP server. Obviously, same restrictions apply in any case, in particular, the uniqueness of the username. So far, I'm not aware of anything that can repair that state. |
I'm not sure if this will help, but I will explain what I understand: once you moved the user to another ou:
you change the UUID, that is by default your key in:
Because you have different UUIDs then your configuration tries to add ad new uid:
Because you have the UID already used it will create a random _1234 Number to avoid conflicts. I don't know if you can change back the users But you can get rid of the user that you don't want to have with this process: !!!Be careful using this = Make a backup first!: make select for each user you have duplicated:
If you are sure this is the user you want to delete:
This should clear the most relevant parts, and you should also check if a home storage exists for that user:
if so delete it and also all filecache entries that belong to it:
I don't know if overwriting the uid could help to have it the normal one. @jvillafanez You are the expert here. What I also recommend is to upgrade to oC10 (at least 10.0.4) and use the user_ldap app 0.10.0 (or if it's any newer version) |
Let me be a bit strict here:
|
Yes, you are right, the UUIDs are different in the example that is above, what I suspect is that the old user was deleted and a new with the same cn was created that explains the change from the UUID. if the UUID would be the same, I think that @tomneedham already made some improvements in 0.10.0 and oC10.0.4 where the users are detected as the same and no other new user is created. I agree with you too, modifying the DB is risky and that's why I recommend a full back-up before. I also know that in some behaviors is complicated to remove the user: I also know that it helps to fix some issue: I agree that we have to build something to force removing users that we are sure that have to be removed. |
This issue has been automatically closed. |
Steps to reproduce
sudo -u www-data php occ ldap:show-remnants
sudo -u www-data php occ user:delete userid
(userid here is a placeholder, I can successfully delete users that have been deleted in OpenLDAP)It displays: The specified user could not be deleted. Please check the logs.
Can you help to resolve this?
Expected behaviour
(a) Don't show the user under ldap:remnants when it is not actually deleted. The OpenLDAP user has only been moved to a different OU under the same base.
(b) Should output more helpful error messages as actually shown in the log file.
Actual behaviour
Deleting shown remnants with
sudo -u www-data php occ user:delete
just displays: The specified user could not be deleted. Please check the logs.
/var/log/owncloud.log shows this (Userids are anonymized but are actually displayed in the log with the underscore followed by a number.
Server configuration
Operating system: Ubuntu 16.04
Web server: Apache 2.4.20
Database: mysql 5.7.20
PHP version: 7.0.22-0ubuntu0.16.04.1
ownCloud version: 9.1.7
Updated from an older ownCloud or fresh install: yes
Where did you install ownCloud from: official repo http://download.owncloud.org/download/repositories/9.1/Ubuntu_16.04
Signing status (ownCloud 9.0 and above): what?
The content of config/config.php:
List of activated apps:
Are you using external storage, if yes which one: smb
Are you using encryption: no
Are you using an external user-backend, if yes which one: OpenLDAP
LDAP configuration (delete this part if not used)
Client configuration
Browser: Version 63.0.3239.132
Operating system: Windows 10 64bit Education 1607
Logs
Web server error log
ownCloud log (data/owncloud.log)
Browser log
The text was updated successfully, but these errors were encountered: