On 04/03/2017 09:03 AM, Orion Poplawski wrote:
> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>> I seem to be having some issues with users/groups that may be leading to
>>> errors in the subdomain status. Can anyone parse this for me?
>>>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>>> (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> [email protected],cn=users,cn=ad.nwra.com,cn=sysdb
>>
>> This can be ignored, it's just a minor performance annoyance we track
>> upstream.
>
> Figured something like that, but thanks.
>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>>> (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> [email protected],cn=users,cn=ad.nwra.com,cn=sysdb
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>>> [ipa_initgr_get_overrides_step] (0x0040): The group
>>> [email protected],cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>>> objectSIDString, error!
>>
>> But this seems strange. Before you sanitized (presumably?) the logs, did
>> the DN [email protected],cn=groups,cn=nwra.com,cn=sysdb correspond to
>> an IPA object?
>
> Yes, it's an IPA group used for HBAC access.
>
>> Did you run the sidgen task when setting up trusts or did you make sure
>> all replicas are either trust controllers or trust agents? Does the
>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
>
> I suspect the sidgen task has not been run, as I'm not really sure what that
> is. I have belatedly installed and run ipa-adtrust-install on all of our IPA
> servers, though a couple ran without that for a while. It does not look like
> that group has an ipaNTSecurityIdentifier attribute.

I'm seeing:

[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused SID.
[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

My IPA ranges are:

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

So I've been creating these local posix IPA groups for HBAC access (as well as
file storage) with the same gid as that assigned to the AD user. Perhaps that
is a problem?

-- 
Orion Poplawski
Technical Manager                     720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    [email protected]
Boulder, CO 80301                     http://www.nwra.com
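An added check, not from the thread and not FreeIPA's own code, that reads `ipa idrange-find` output and reports which configured range a POSIX ID falls in: a local group whose gid was chosen to match an AD user's (24613 in the log above) lands in the trusted-domain range, where the sidgen task has no local RID space to build a SID from. `IDRANGE_OUTPUT` is a constructed sample trimmed from the output above, and the RID arithmetic is a simplification that ignores the secondary RID range.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `ipa idrange-find` output quoted in the thread, header/footer lines omitted.
IDRANGE_OUTPUT = """\
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  Range type: local domain range
"""

@dataclass
class IdRange:
    name: str
    base_id: int   # First Posix ID of the range
    size: int      # Number of IDs in the range
    base_rid: int  # First RID of the corresponding RID range
    rtype: str     # "local domain range" or a trusted-domain range type

def parse_idranges(text: str) -> List[IdRange]:
    """One IdRange per blank-line-separated 'Range name:' block."""
    ranges = []
    for block in re.split(r"\n\s*\n", text):
        f = dict(re.findall(r"^\s*([^:\n]+):\s*(.+?)\s*$", block, re.M))
        if "Range name" in f:
            ranges.append(IdRange(f["Range name"], int(f["First Posix ID of the range"]),
                                  int(f["Number of IDs in the range"]),
                                  int(f["First RID of the corresponding RID range"]), f["Range type"]))
    return ranges

def find_range(posix_id: int, ranges: List[IdRange]) -> Optional[IdRange]:
    """The configured range covering posix_id, or None if no range does."""
    for r in ranges:
        if r.base_id <= posix_id < r.base_id + r.size:
            return r
    return None

def local_rid(posix_id: int, ranges: List[IdRange]) -> Optional[int]:
    """RID of a local SID for posix_id (primary RID range only, simplifying sidgen); None when no local range covers it."""
    r = find_range(posix_id, ranges)
    return r.base_rid + (posix_id - r.base_id) if r and r.rtype == "local domain range" else None
```

Running `find_range(24613, parse_idranges(IDRANGE_OUTPUT))` returns the AD.NWRA.COM_id_range entry, and `local_rid` returns None for it, which matches the "Cannot convert Posix ID [24613] into an unused SID" line; an ID such as 8500 in the local range maps to RID 1500.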
