On Wed, 08 Aug 2018, Роман Гинович via FreeIPA-users wrote:
Yeah, I found it!
nsslapd-errorlog-level: 81920
[08/Aug/2018:14:48:36.815877034 +0300] - DEBUG - ipa-sidgen-postop - Found domain SID [S-1-5-21-3815719817-1094829178-2612344331].
[08/Aug/2018:14:48:37.775597841 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config].
[08/Aug/2018:14:48:37.819957874 +0300] - DEBUG - ipa-sidgen-postop - [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config] does not have Posix IDs, nothing to do.
[08/Aug/2018:14:48:40.810439175 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Aug/2018:14:48:40.864083206 +0300] - DEBUG - ipa-sidgen-postop - Base DN: [dc=domain], Filter: [(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))(|(objectclass=posixaccount)(objectclass=posixgroup)(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))].
[08/Aug/2018:14:48:41.935631916 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [uid=bad_user_here,cn=staged users,cn=accounts,cn=provisioning,dc=domain].
[08/Aug/2018:14:48:41.976041848 +0300] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
[08/Aug/2018:14:48:42.226947787 +0300] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Aug/2018:14:48:42.644938556 +0300] - DEBUG - ipa-sidgen-postop - do_work finished with [19].
[08/Aug/2018:14:48:42.686593559 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [19].
ldapsearch -D "cn=Directory Manager" -W -b cn=provisioning,dc=aim 'uid=bad_user_here' |
grep -E "uidN|gidN"
uidNumber: -1
gidNumber: -1
After removing him, everything worked OK.
So, this is a user from the staged area, right? It looks like we need
to fix the sidgen plugin to ignore users in the staged area. Additionally,
we need to run SID generation when users are moved from staging to
production.
Could you please open an issue at pagure?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
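
The manual correlation done in this thread (match each "Trying to add SID for [...]" line with the error that follows it) can be scripted. The following is an added example, not part of the original messages and not FreeIPA code; the sample log is constructed from the lines quoted above, and the function name, the staged-area DN marker and the choice to skip sidgen_task_thread lines are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the error-log lines quoted in this thread.
SAMPLE_LOG = """\
[08/Aug/2018:14:48:37.775597841 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config].
[08/Aug/2018:14:48:37.819957874 +0300] - DEBUG - ipa-sidgen-postop - [cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config] does not have Posix IDs, nothing to do.
[08/Aug/2018:14:48:40.810439175 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[08/Aug/2018:14:48:41.935631916 +0300] - DEBUG - ipa-sidgen-postop - Trying to add SID for [uid=bad_user_here,cn=staged users,cn=accounts,cn=provisioning,dc=domain].
[08/Aug/2018:14:48:41.976041848 +0300] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
[08/Aug/2018:14:48:42.226947787 +0300] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[08/Aug/2018:14:48:42.686593559 +0300] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [19].
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<src>\S+) - (?P<msg>.*)$")
TRYING_RE = re.compile(r"Trying to add SID for \[(?P<dn>.+)\]\.$")
REASON_RE = re.compile(r"^\[file [^\]]+\]: (?P<reason>.*)$")
# Assumption: staged users live under this container, as in the DN logged above.
STAGED_MARKER = "cn=staged users,cn=accounts,cn=provisioning,"

def failed_sid_entries(log_text):
    """Return the entries whose SID generation attempt was followed by an error."""
    failures, current_dn = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or unrelated line
        trying = TRYING_RE.search(m["msg"])
        if trying:
            current_dn = trying["dn"]
            continue
        # The task's start/finish messages are logged at ERR level too, so
        # they must not be attributed to the entry seen just before them.
        if m["level"] != "ERR" or m["src"] == "sidgen_task_thread" or not current_dn:
            continue
        reason = REASON_RE.match(m["msg"])
        failures.append({
            "dn": current_dn,
            "reason": reason["reason"] if reason else m["msg"],
            "staged": STAGED_MARKER in current_dn.lower(),
        })
        current_dn = None  # keep only the first error per entry
    return failures

if __name__ == "__main__":
    for f in failed_sid_entries(SAMPLE_LOG):
        print(f["dn"], "|", f["reason"], "| staged area:", f["staged"])
```

Each DN it reports can then be checked with the ldapsearch query shown above to see its uidNumber and gidNumber.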