On Mon, 25 Mar 2024, Natxo Asenjo wrote:
On Mon, Mar 25, 2024 at 1:49 PM Alexander Bokovoy <[email protected]>
wrote:


Here we can see ID 2000 cannot be mapped to any domain and thus the ID
cannot be resolved:

(2024-03-25 11:17:07): [be[idm.domain.local]] [sss_domain_get_state]
(0x1000): [RID#150] Domain idm.domain.local is Active
(2024-03-25 11:17:07): [be[idm.domain.local]] [sss_domain_get_state]
(0x1000): [RID#150] Domain domain.local is Active
(2024-03-25 11:17:07): [be[idm.domain.local]]
[ipa_srv_ad_acct_lookup_step] (0x0400): [RID#150] Looking up AD account
(2024-03-25 11:17:07): [be[idm.domain.local]] [sss_domain_get_state]
(0x1000): [RID#150] Domain idm.domain.local is Active
(2024-03-25 11:17:07): [be[idm.domain.local]] [sss_domain_get_state]
(0x1000): [RID#150] Domain domain.local is Active
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not
found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_handle_acct_info_send]
(0x0400): [RID#150] This ID is from different domain
(2024-03-25 11:17:07): [be[idm.domain.local]] [sysdb_search_user_by_uid]
(0x0400): [RID#150] No such entry
(2024-03-25 11:17:07): [be[idm.domain.local]] [get_object_from_cache]
(0x0200): [RID#150] Object wasn't found in cache
(2024-03-25 11:17:07): [be[idm.domain.local]]
[ipa_get_ad_acct_ad_part_done] (0x0080): [RID#150] Object not found, ending
request
(2024-03-25 11:17:07): [be[idm.domain.local]] [sdap_id_op_destroy]
(0x4000): [RID#150] releasing operation connection
(2024-03-25 11:17:07): [be[idm.domain.local]] [sdap_id_conn_data_idle]
(0x4000): [RID#150] Marking connection as idle

Can you give more details about this ID?


Is this a local user account?

On both client and server involved in this problem:

# id -nu 2000
id: ‘2000’: no such user

Or am I misunderstanding your question? If so, apologies.

There are quite a few IDs that get the same treatment:

(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#146] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#148] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#152] Mapping ID [1200] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:11): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#154] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#156] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#158] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:19): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#160] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#162] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#164] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:37): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#166] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#168] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#170] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#172] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#174] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] 
(0x0080): [RID#176] Mapping ID [2000] to SID failed: [IDMAP domain not found]

By the code mark, it is in the AD provider:

$ git grep ad_account_can_shortcut
src/providers/ad/ad_id.c:static bool ad_account_can_shortcut(struct 
sdap_idmap_ctx *idmap_ctx,
src/providers/ad/ad_id.c:    shortcut = 
ad_account_can_shortcut(ctx->opts->idmap_ctx,

so it attempts to perform ID to name translation but fails to see if
this ID matches the AD domain's ID range.

If you have full SSSD logs from both client and IPA server at the same
time, those would be helpful.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]