[MX] Commit error is seen when deleting a local user due to UID mismatch

Article ID: KB36203 KB Last Updated: 29 Mar 2021 Version: 2.0
Summary:

This article discusses the scenario where a commit error regarding a UID mismatch is seen when deleting a local user.

Symptoms:

When deleting a local user, a warning and an error are generated:

[MASTER][edit]
user_demo@router-re0# commit and-quit
re0:
configuration check succeeds
re1:
[edit system login user test1 uid]
  'uid 2000'
    warning: statement does not match patch: '2000' != '2001'
error: remote load-configuration failed on re1
Cause:

When a local user is created without specifying the UID, the first available UID on the system is used for the new account. Under normal operation with commit synchronization turned on, the UID should be the same on both the primary and backup RE.

If a new user is created on only one routing-engine and then deleted before commit synchronization is enabled, the UIDs can become out of sync when a new user is added after commit synchronization has been turned on.

Scenario:

RE0 is the only router in the system OR commit synchronization is not turned on. 

  • A local account called test is created and a UID is assigned automatically on commit.

      set system login user test class super-user authentication plain-text-password
  • After the commit, the RE0 /var/home directory contains the new test folder.

      user_demo@router-re0> file list /var/home detail
      /var/home:
      total blocks: 32
      drwxr-xr-x  3 user_demo 20          512 Aug 17 12:06 user_demo/
      drwxr-xr-x  2 test      20          512 Aug 26 11:17 test/    <-- Only present on RE0
      total files: 0
  • RE1 /var/home directory does not have the new test folder.  

user_demo@router-re1> file list /var/home detail   
/var/home:
total blocks: 24
drwxr-xr-x  2 user_demo 20         512 Jul 28 17:41 user_demo/
total files: 0
  • The test user is then deleted from RE0. The third column in the file list /var/home detail output changes from the username to the UID of the account.

delete system login user test

user_demo@router-re0> file list /var/home detail
/var/home:
total blocks: 32
drwxr-xr-x  3 user_demo 20         512 Aug 17 12:06 user_demo/
drwxr-xr-x  2 2000      20         512 Aug 26 11:17 test/    <-- UID 2000 still tied to /var/home/test
total files: 0
  • Now, commit synchronize is turned on for RE0 and RE1. RE0 still has the old test UID of 2000 on it, but that does not get synced to RE1 because the test user was already deleted from the config.

  • A new account called test1 is created. This gets synced to both routing-engines. Because of the extra account on RE0 from the start, a different UID is assigned on RE0 and RE1, leading to the warning when you attempt to delete the account later.

set system login user test1 class super-user authentication plain-text-password
  • RE0 UID is 2001 (one more than the 2000 that is still reserved for the old test account that was deleted). 

user_demo@router-re0> show configuration system login user test1 | match uid
uid 2001;
  • RE1 UID is 2000.

user_demo@router-re1> show configuration system login user test1 | match uid
uid 2000;
  • If you attempt to delete the user test1, you get the warning and error that there is a UID mismatch.

 user_demo@router-re0# commit
configuration check succeeds
re1:
[edit system login user test1 uid]
  'uid 2000'
    warning: statement does not match patch: '2000' != '2001'
error: remote load-configuration failed on re1
Solution:

When creating new users, manually specify the UID. 

set system login user test1 uid <User identifier (uid) (100..64000)>
OR
  1. Disable commit synchronization. 

  2. Identify the user account folder in /var/home that is not the same on both routing-engines. In this case, the test user's folder is only on RE0. Delete it from the system.

    user_demo@router-re0> start shell user root
    Password:
    % ls -l /var/home
    total 24
    drwxr-xr-x  3 user_demo  20  512 Aug 17 12:06 user_demo
    drwxr-xr-x  2 2000       20  512 Aug 26 11:17 test
    drwxr-xr-x  2 test1      20  512 Aug 26 11:26 test1
    % rm -rf /var/home/test
  3. On RE0 and RE1, delete the user test1 that we tried to delete before, and commit.

    RE0 - user_demo@router-re0# delete system login user test1
          user_demo@router-re0# commit
    RE1 - user_demo@router-re1# delete system login user test1
          user_demo@router-re1# commit
  4. Delete the test1 folder from /var/home on both RE0 and RE1.

    user_demo@router-re0> start shell user root 
    Password:
    root@router-re0:/var/home/user_demo # rm -rf /var/home/test1
    
    user_demo@router-re1> start shell user root 
    Password:
    root@router-re1:/var/home/user_demo # rm -rf /var/home/test1
  5. Enable commit synchronization again.

    set system commit synchronize
  6. Add the new user test1 again. The UID should now be the same on both devices.

    set system login user test1 class super-user authentication plain-text-password
  7. UID now matches on both routing-engines. 

    user_demo@router-re0> show configuration system login user test1 | match uid 
    uid 2000;
     
    user_demo@router-re1> show configuration system login user test1 | match uid 
    uid 2000;
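
A read-only audit for the drift described in this article, as an added example (not Juniper's code): it parses `file list /var/home detail` output from each RE for home directories whose owner column is a bare UID or that exist on one RE only, and compares the configured UID per user. It assumes the per-RE login configuration was collected with `show configuration system login | display set`; the sample inputs are constructed from the outputs above and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the outputs shown in this article.
RE0_HOME = """\
/var/home:
total blocks: 32
drwxr-xr-x  3 user_demo 20          512 Aug 17 12:06 user_demo/
drwxr-xr-x  2 2000      20          512 Aug 26 11:17 test/
drwxr-xr-x  2 test1     20          512 Aug 26 11:26 test1/
total files: 0
"""
RE1_HOME = """\
/var/home:
total blocks: 24
drwxr-xr-x  2 user_demo 20          512 Jul 28 17:41 user_demo/
drwxr-xr-x  2 test1     20          512 Aug 26 11:26 test1/
total files: 0
"""
# Assumption: collected with "show configuration system login | display set".
RE0_CONF = "set system login user test1 uid 2001\n"
RE1_CONF = "set system login user test1 uid 2000\n"
UID_LINE = re.compile(r"^set system login user (\S+) uid (\d+)$", re.M)


def home_dirs(listing):
    """Map directory name -> owner column from 'file list /var/home detail'."""
    dirs = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].startswith("d"):  # skips header/total lines
            dirs[f[8].rstrip("/")] = f[2]
    return dirs


def orphaned_homes(listing):
    """Directories whose owner shows as a bare UID: the account was deleted."""
    return {d: int(o) for d, o in home_dirs(listing).items() if o.isdigit()}


def configured_uids(display_set):
    """Map user -> uid from 'set system login user <name> uid <n>' lines."""
    return {user: int(uid) for user, uid in UID_LINE.findall(display_set)}


def audit(home0, home1, conf0, conf1):
    """Return (orphans per RE, dirs on one RE only, users whose UID differs)."""
    u0, u1 = configured_uids(conf0), configured_uids(conf1)
    one_sided = sorted(set(home_dirs(home0)) ^ set(home_dirs(home1)))
    mismatch = {u: (u0[u], u1[u]) for u in sorted(u0.keys() & u1.keys()) if u0[u] != u1[u]}
    return {"re0": orphaned_homes(home0), "re1": orphaned_homes(home1)}, one_sided, mismatch
```

On the constructed input, `audit(RE0_HOME, RE1_HOME, RE0_CONF, RE1_CONF)` reports the leftover `test` directory on RE0 and the 2001/2000 split for `test1`; after the procedure above, all three results should be empty.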
Modification History:
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives