[Freeipa-users] Re: Network I/O error when trying to resolve AD users

[Ronald Wimmer via FreeIPA-users]

On 01.07.21 18:00, Sumit Bose via FreeIPA-users wrote:
Am Wed, Jun 30, 2021 at 01:29:48PM +0200 schrieb Ronald Wimmer via 
FreeIPA-users:
On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
Am Wed, Jun 30, 2021 at 12:13:54PM +0200 schrieb Ronald Wimmer via 
FreeIPA-users:
Today I set up an IPA test web application in our IPA test environment. I
figured out that my AD user was resolved but the user of my colleague was
not. (getent passwd userA/userB)
I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
started SSSD again. After that I could not resolve any AD user. The sssd
logs showed an Network I/O error:

==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: Operations error(1), Failed to
handle the request.
.
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation failed, server logs might contain more
details.

Hi,

you should check on the IPA servers if the users and all the
group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
should display the user and all its groups with both name and ID. If
some groups are only listed by GID you should check why the IPA server
cannot resolve the name.

Resolving the users on an IPA server works properly.

Hi,

I'm afraid in this case you should point the client to a dedicated
server and check the SSSD nss logs for issues while the client is
sending the request to the server. If this does not give a hint then
enabling plugin debugging in the 389ds LDAP server might help.

(2021-07-02 14:25:45): [nss] [sss_ncache_check_str] (0x2000): Checking 
negative cache for 
[NCE/USER/someaddomain.mydomain.at/myadu...@someaddomain.mydomain.at]
(2021-07-02 14:25:45): [nss] [cache_req_search_ncache] (0x0400): CR #2: 
[myadu...@someaddomain.mydomain.at] is not present in negative cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: 
Looking up [myadu...@someaddomain.mydomain.at] in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: 
Object [myadu...@someaddomain.mydomain.at] was not found in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: 
Looking up [myadu...@someaddomain.mydomain.at] in data provider
(2021-07-02 14:25:45): [nss] [sss_dp_get_account_send] (0x0400): 
Creating request for 
[someaddomain.mydomain.at][0x1][BE_REQ_USER][name=myadu...@someaddomain.mydomain.at:-]
(2021-07-02 14:25:49): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] 
(0x0040): CR #2: Data Provider Error: 3, 17, File exists
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] 
(0x0400): CR #2: Due to an error we will return cached data

(2021-07-02 14:25:29): [be[ipatest.mydomain.at]] [server_setup] 
(0x0040): Starting with debug level = 0x0070
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group] 
(0x0040): sysdb_add_group failed (while renaming group) for: 
myadu...@someaddomain.mydomain.at [1073895519].
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group] 
(0x0040): Cache update failed: 17
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_save_objects] 
(0x0040): sysdb_store_group failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_next] 
(0x0040): ipa_s2n_get_list_save_step failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_done] 
(0x0040): s2n get_fqlist request failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 
[17]: File exists.
(2021-07-02 14:25:55): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:01): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:07): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] 
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] 
(0x0040): ldap_extended_operation result: No such object(32), (null).

What is this error no. 17 "file exists"?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure