On 20 March 2017 at 19:38, Martin Basti <mba...@redhat.com> wrote:

> On 19.03.2017 22:58, Lachlan Musicman wrote:
> Hi,
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on how I might fix these errors or what I
> might do to mitigate them. Any pointers appreciated:
> First error:
> [sssd[be[unixdev.domain.org.au]]] [ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
> [sssd[be[unixdev.domain.org.au]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such attribute](16)[attribute 'member': no matching attribute value while deleting attribute on 'name=ipa_bioinf_staff@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb']
> [sssd[be[unixdev.domain.org.au]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
> [sssd[be[unixdev.domain.org.au]]] [sysdb_update_members_ex] (0x0020): Could not remove member [simpsonlach...@domain.org.au] from group [name=ipa_bioinf_st...@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb]. Skipping
> Second error is a long list of errors that look like
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in second component, got OU
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected groups second component, got Users
> I don't know enough about AD to speak meaningfully to these, but a quick
> google shows that a group can have cn=Users as its second component (see
> here for example https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx )
> Is there an LDAP query that I need to define or add to the IPA server?
> cheers
> L.
> Hello,
> can you describe your deployment more? Your DNs don't look like they were
> created by FreeIPA.
> This is not how FreeIPA's DIT looks: 'name=ipa_bioinf_staff@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb'

DNS isn't done by FreeIPA - it's all in AD. With a one way trust and all
users and groups managed by AD - except for overrides and external groups
for HBAC - everything is in AD.

As for the FreeIPA DIT - that is a group created in FreeIPA (through the
GUI iirc). I haven't done anything particularly special to make it look
like that (with the domain inside the cn). Unless it's a strange confluence
of configurations that has created a situation that would make that happen.


So, wrt your question, what can I give you/what were you after?