On 20 March 2017 at 19:38, Martin Basti <mba...@redhat.com> wrote:

> On 19.03.2017 22:58, Lachlan Musicman wrote:
>
> Hi,
>
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on how I might fix these errors or what I
> might do to mitigate them. Any pointers appreciated:
>
> First error:
>
> [sssd[be[unixdev.domain.org.au]]] [ipa_sudo_fetch_rules_done] (0x0040):
> Received 1 sudo rules
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_mod_group_member] (0x0080):
> ldb_modify failed: [No such attribute](16)[attribute 'member': no matching
> attribute value while deleting attribute on 'name=ipa_bioinf_staff@
> unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb']
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_error_to_errno] (0x0020): LDB
> returned unexpected error: [No such attribute]
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_update_members_ex] (0x0020):
> Could not remove member [simpsonlach...@domain.org.au] from group [name=
> ipa_bioinf_st...@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb].
> Skipping
>
>
> Second error is a long list of errors that look like
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in second component,
> got OU
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected groups second component,
> got Users
>
>
> I don't know enough about AD to speak meaningfully to these, but a quick
> google shows that a group can have cn=Users as its second component (see
> here for example
> https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx )
>
> Is there an LDAP query that I need to define or add to the IPA server?
>
> cheers
> L.
>
>
> Hello,
>
> can you describe your deployment more? Your DNs don't look like they were
> created by FreeIPA.
> This is not how FreeIPA's DIT looks: 'name=ipa_bioinf_staff@
> unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb'
>
DNS isn't done by FreeIPA - it's all in AD. With a one-way trust and all users and groups managed by AD - except for overrides and external groups for HBAC - everything is in AD.

As for the FreeIPA DIT - that is a group created in FreeIPA (through the GUI iirc). I haven't done anything particularly special to make it look like that (with the domain inside the cn). Unless it's a strange confluence of configurations that has created a situation that would make that happen.

cheers
L.

So, wrt your question, what can I give you/what were you after?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project