On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote:
> I'm seeing messages like this:
> 
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
> group memberships even after all groups have been looked up on the LDAP 
> server.
> 
> and wondering if it is anything to worry about.
> 
> 
> Some context:
> 
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
> (0x2000): Search groups with filter:
> (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
> (0x2000): No such entry
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
> (0x2000): Search groups with filter:
> (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [merge_msg_ts_attrs] (0x2000):
> No such DN in the timestamp cache:
> name=n...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs]
> (0x2000): TS cache doesn't contain this DN, skipping
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base]
> (0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000):
> Searching 10.10.41.4:389
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with
> [(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].

I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.

Can you please check what the object is on the IPA side with this
ipaUniqueID?

Could you describe the hierarchy so I can set up and reproduce something
similar locally?

> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [objectClass]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [posixGroup]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [cn]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userPassword]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [gidNumber]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [member]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [ipaUniqueID]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [entryUSN]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [ipaExternalMember]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
> (0x2000): ldap_search_ext called, msgid = 17
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_op_add] (0x2000): New
> operation 17 timeout 6
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
> (0x2000): Trace: sh[0x7fc2ae9e9d90], connected[1], ops[0x7fc2aea403c0],
> ldap[0x7fc2ae9b60b0]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
> (0x2000): Trace: end of ldap_result list
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
> (0x2000): Trace: sh[0x7fc2ae9e9d90], connected[1], ops[0x7fc2aea403c0],
> ldap[0x7fc2ae9b60b0]
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_op_finished]
> (0x0400): Search result: Success(0), no errmsg set
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_op_destructor] (0x2000):
> Operation 17 finished
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_process]
> (0x0400): Search for groups, returned 0 results.
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
> (0x2000): Search groups with filter:
> (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
> (0x2000): No such entry
> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
> group memberships even after all groups have been looked up on the LDAP 
> server.
> 
> -- 
> Orion Poplawski
> Technical Manager                          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       or...@nwra.com
> Boulder, CO 80301                   http://www.nwra.com
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
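
An added example, not part of the original message and not SSSD code: a Python triage script that applies the reasoning in the reply above to an SSSD domain log, listing each originalDN whose RDN attribute is not cn or that lies outside the logged group search base. The sample lines are taken from the log quoted in this thread with the mail wrapping removed; the function name `triage` and the "cn RDN under the search base" heuristic are assumptions of this example.

```python
import re

# Sample input: lines from the log quoted in this thread, mail wrapping removed.
SAMPLE_LOG = """\
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.
"""

ORIG_DN = re.compile(r"\(originalDN=(.+?)\)\)\s*$")
BASE = re.compile(r"Searching for groups with base \[(.+?)\]")
UNRESOLVED = "There are unresolved external group memberships"


def triage(log_text):
    """Return (search_bases, suspects, unresolved_count) from an SSSD domain log."""
    bases, dns, unresolved = set(), [], 0
    for line in log_text.splitlines():
        if (m := BASE.search(line)):
            bases.add(m.group(1).lower())
        elif (m := ORIG_DN.search(line)):
            if m.group(1) not in dns:          # keep first-seen order, no repeats
                dns.append(m.group(1))
        elif UNRESOLVED in line:
            unresolved += 1
    suspects = []
    for dn in dns:
        rdn_attr = dn.split("=", 1)[0].lower()
        in_base = any(dn.lower().endswith("," + b) for b in bases)
        # Assumption of this example: an entry the cn-based group search can
        # return has a cn RDN and sits under a logged group search base.
        if rdn_attr != "cn" or not in_base:
            suspects.append({"dn": dn, "rdn_attr": rdn_attr,
                             "in_search_base": in_base})
    return sorted(bases), suspects, unresolved


if __name__ == "__main__":
    bases, suspects, unresolved = triage(SAMPLE_LOG)
    print(f"search bases: {bases}; unresolved warnings: {unresolved}")
    for s in suspects:
        print(f"not findable as a group by cn: {s['dn']} "
              f"(RDN attribute {s['rdn_attr']}, "
              f"under search base: {s['in_search_base']})")
```

Run against a real domain log, each listed DN is a candidate to look up on the IPA side, as the reply asks for the ipaUniqueID entry.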
