On 19.03.2017 22:58, Lachlan Musicman wrote:
> Hi,
>
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on how I might fix these errors or
> what I might do to mitigate them. Any pointers appreciated:
>
> First error:
>
> [sssd[be[unixdev.domain.org.au]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such attribute](16)[attribute 'member': no matching attribute value while deleting attribute on 'name=ipa_bioinf_st...@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb']
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_update_members_ex] (0x0020): Could not remove member [simpsonlach...@domain.org.au] from group [name=ipa_bioinf_st...@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb]. Skipping
>
> Second error is a long list of errors that look like
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected groups second component, got Users
>
> I don't know enough about AD to speak meaningfully to these, but a
> quick google shows that a group can have cn=Users as its second
> component (see here for example
> https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx )
>
> Is there an LDAP query that I need to define or add to the IPA server?
>
> cheers
> L.
>
> ------
> The most dangerous phrase in the language is, "We've always done it
> this way."
>
> - Grace Hopper

Hello,

can you describe your deployment more? Your DNs don't look like they were created by FreeIPA. This is not how FreeIPA's DIT looks:

'name=ipa_bioinf_st...@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb'

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project