Hi, a similar issue was already seen in other customer cases, and the advice was to look for an entry with nameAlias: <groupname> in the cache. The issue was resolved by removing this additional group. HTH, flo
On Tue, Jul 13, 2021 at 11:14 AM iulian roman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everybody, > > In the client logs I get the error bellow when querying AD users: > > [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Time limit > exceeded(3), (null). > (Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] > [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs > might contain more details. > (Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] > [ipa_s2n_get_user_done] (0x0040): s2n exop request failed. > (Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]] > [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: > [1432158229]: Network I/O Error. > > I've enabled nss debug on the server, and for that timestamp, the error is: > > (2021-07-13 10:47:46): [nss] [cache_req_search_cache] (0x0020): CR #415: > Multiple objects were found when only one was expected! > (2021-07-13 10:47:46): [nss] [cache_req_process_result] (0x0400): CR #415: > Finished: Error 1432158305: Multiple objects were found when only one was > expected > (2021-07-13 10:47:46): [nss] [nss_protocol_done] (0x4000): Sending reply: > error [1432158305]: Multiple objects were found when only one was expected > (2021-07-13 10:47:46): [nss] [client_recv] (0x0200): Client disconnected! > (2021-07-13 10:47:46): [nss] [client_close_fn] (0x2000): Terminated client > [0x55930a1916f0][12] > > The GID it is trying to search corresponds to "Domain Users" group from > AD (GID:1768200513), which is the default primary group for all users. > > ldbsearch against the cache shows only one dn: entry for the "Domain > Users". Nevertheless , when running groups command for any user, it > displays: > "cannot find name for group ID 1768200513 " > getent group 1768200513 does not resolve the group name to "Domain Users" > either. > > Any hint or help would be really appreciated. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure