On Wed, Jun 06, 2018 at 02:30:56PM -0000, Bart via FreeIPA-users wrote:
> Hi Jakub, thank you for help.
>
> I cannot resolve all of the users nor their groups on a client hosts. getent
> passwd doesn't return anything, su - user@ad.domain doesn't work either.
>
> All AD users I tried get resolved on the FreeIPA servers. For the one account
> it gets resolved on one client host but on another client host it fails.

It's hard to say without the complete logs, but very often the reason is
that one or more of the user's groups can't be resolved on the client.

If you do id $username on the client and then try their groups on the
server, do at least some of them resolve (getent group $groupname)?

Alternatively, you can look at the sssd_nss.log on the server and check
for getgrgid lookups and see if some of them fail.

>
> Oddly, I can see in server's /var/log/sssd/ad_domain.log that upon issuing su
> - user@ad.domain on a client host group membership is being resolved. User is
> not resolved on the client host though.
>
> The only suspicious thing I can find in the logfiles is this entry but I do
> not know if it is the culprit or not:
>
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_error_to_errno]
> (0x0020): LDB returned unexpected error: [No such attribute]
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_mod_group_member]
> (0x0400): Error: 14 (Bad address)
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sysdb_update_members_ex]
> (0x0020): Could not remove member [user@ad.domain] from group
> [name=some_group@ad.domain,cn=groups,cn=ad.domain,cn=sysdb]. Skipping

Since the message says skipping, I'm quite certain that it's not the
problem.

> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state]
> (0x1000): Domain ipa.domain is Active
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [sss_domain_get_state]
> (0x1000): Domain ad.domain is Active
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): start ldb
> transaction (nesting: 1)
> (Wed Jun 6 16:11:39 2018) [sssd[be[ipa.domain]]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x55bdb
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/PIBGTOUWOADVB5K6O6Z57LLI5BIVI2VN/
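
The group check described in the reply above, as an added example that is not part of the original message: it takes the numeric GIDs that id -G prints for a user and reports the ones getent group cannot resolve on the host where it runs. The LOOKUP override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): find which of a user's groups
# fail to resolve through NSS/SSSD on this host.

# Command used to resolve one GID. Overridable (assumption of this
# example) so the logic can be exercised on a host without SSSD.
LOOKUP="${LOOKUP:-getent group}"

# Read whitespace-separated GIDs on stdin, print the ones that do not resolve.
unresolved_gids() {
    tr -s ' \t' '\n\n' | while read -r gid; do
        [ -n "$gid" ] || continue
        # getent exits non-zero (2) when the key is not found
        if ! $LOOKUP "$gid" >/dev/null 2>&1; then
            printf '%s\n' "$gid"
        fi
    done
}

# Check every group of one user. Exit status: 0 all groups resolve,
# 1 some do not, 2 the user itself does not resolve.
check_user() {
    gids=$(id -G "$1") || { echo "user $1 does not resolve" >&2; return 2; }
    bad=$(printf '%s\n' "$gids" | unresolved_gids)
    [ -z "$bad" ] && return 0
    printf 'unresolved GIDs for %s: %s\n' "$1" "$(echo $bad)"
    return 1
}

# Run only when a user name is given, e.g.: sh check_groups.sh user@ad.domain
if [ "$#" -ge 1 ]; then
    check_user "$1"
fi
```

Running it on both the IPA server and a failing client for the same user shows whether the same GIDs fail in both places or only on the client.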