----- Original Message -----
From: "Lachlan Musicman" <data...@gmail.com>
To: "Martin Basti" <mba...@redhat.com>
Sent: Monday, March 20, 2017 5:16:48 AM
Subject: Re: [Freeipa-users] Errors in IPA logs
On 20 March 2017 at 19:38, Martin Basti <mba...@redhat.com> wrote:
> On 19.03.2017 22:58, Lachlan Musicman wrote:
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on how I might fix these errors or what I
> might do to mitigate them. Any pointers appreciated:
> First error:
> [sssd[be[unixdev.domain.org.au]]] [ipa_sudo_fetch_rules_done] (0x0040):
> Received 1 sudo rules
> [sssd[be[unixdev.domain.org.au]]] [sysdb_mod_group_member] (0x0080):
> ldb_modify failed: [No such attribute](16)[attribute 'member': no matching
> attribute value while deleting attribute on 'name=ipa_bioinf_staff@
> [sssd[be[unixdev.domain.org.au]]] [sysdb_error_to_errno] (0x0020): LDB
> returned unexpected error: [No such attribute]
> [sssd[be[unixdev.domain.org.au]]] [sysdb_update_members_ex] (0x0020):
> Could not remove member [simpsonlach...@domain.org.au] from group [name=
> The second error is a long list of errors that look like
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in second component,
> got OU
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected groups second component,
> got Users
> I don't know enough about AD to speak meaningfully to these, but a quick
> google shows that a group can have cn=Users as its second component (see
> here for example
> https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx )
> Is there an LDAP query that I need to define or add to the IPA server?
> Can you describe your deployment more? Your DNs don't look like they were
> created by FreeIPA
> This is not how FreeIPA's DIT looks 'name=ipa_bioinf_staff@
DNS isn't done by FreeIPA - it's all in AD. With a one way trust and all
users and groups managed by AD - except for overrides and external groups
for HBAC - everything is in AD.
As for the FreeIPA DIT - that is a group created in FreeIPA (through the
GUI iirc). I haven't done anything particularly special to make it look
like that (with the domain inside the cn). Unless it's a strange confluence
of configurations that has created a situation that would make that happen.
So, wrt to your question, what can I give you/what were you after?
Ah, sorry, the DN is from the SSSD cache, so that's why it looks different. So why
does Lukas redirect you to FreeIPA? You posted only SSSD logs.