On Mon, 03 Apr 2017, Orion Poplawski wrote:
On 04/03/2017 09:03 AM, Orion Poplawski wrote:
On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
I seem to be having some issues with users/groups that may be leading to
errors in the subdomain status.  Can anyone parse this for me?

(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb

This can be ignored, it's just a minor performance annoyance we track
upstream.

Figured something like that, but thanks.

(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_initgr_get_overrides_step] (0x0040): The group
name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
objectSIDString, error!

But this seems strange. Before you sanitized (presumably?) the logs, did
the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
an IPA object?

Yes, it's an IPA group used for HBAC access.

Did you run the sidgen task when setting up trusts or did you make sure
all replicas are either trust controllers or trust agents? Does the
entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?

I suspect the sidgen task has not been run, as I'm not really sure what that
is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
servers, though a couple ran without that for a while.  It does not look like
that group has an ipaNTSecurityIdentifier attribute.

I'm seeing:

[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
SID.
[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
154]: Cannot add SID to existing entry.
[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

Look at this list's archives; I've been giving recipes on how to fix this
in February.

My IPA ranges are:

# ipa idrange-find
----------------
2 ranges matched
----------------
 Range name: AD.NWRA.COM_id_range
 First Posix ID of the range: 20000
 Number of IDs in the range: 20000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
 Range type: Active Directory domain range

 Range name: NWRA.COM_id_range
 First Posix ID of the range: 8000
 Number of IDs in the range: 2000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

So I've been creating these local posix IPA groups for HBAC access (as well as
file storage) with the same gid as that assigned to the AD user.  Perhaps that
is a problem?

Yes, that is a problem. But an HBAC group is not a problem, because an HBAC
group is not a POSIX IPA group at all; it is even stored in a different
subtree than user groups.

--
/ Alexander Bokovoy
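The overlap Alexander points at can be checked mechanically: the ID that sidgen rejected in the log above, 24613, lies inside the AD.NWRA.COM_id_range block (20000 to 39999), not in the local NWRA.COM_id_range. The following is an added example, not code from the thread or from FreeIPA: it parses the `ipa idrange-find` output posted above and flags local POSIX GIDs that fall in a trusted-domain range or in no configured range at all. The group names and every GID other than 24613 are constructed.

```python
# `ipa idrange-find` output copied from the thread (separator/counter lines omitted)
IDRANGE_OUTPUT = """\
 Range name: AD.NWRA.COM_id_range
 First Posix ID of the range: 20000
 Number of IDs in the range: 20000
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
 Range type: Active Directory domain range

 Range name: NWRA.COM_id_range
 First Posix ID of the range: 8000
 Number of IDs in the range: 2000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range
"""

# Constructed sample of local IPA POSIX groups (name, gidNumber). The names are
# made up; 24613 is the ID the thread's sidgen log refused to convert.
LOCAL_GROUPS = [("storage-team", 24613), ("ops", 8001),
                ("mirror-of-ad-group", 20005), ("legacy", 50000)]

FIELDS = {"First Posix ID of the range": "first",
          "Number of IDs in the range": "size", "Range type": "type"}

def parse_idranges(text):
    """Parse `ipa idrange-find` output into [{name, first, size, type}, ...]."""
    ranges = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Range name":
            ranges.append({"name": value})
        elif sep and key in FIELDS:
            ranges[-1][FIELDS[key]] = int(value) if value.isdigit() else value
    return ranges

def classify_id(ranges, posix_id):
    """'ok' if the ID lies in a local range; otherwise say why sidgen rejects it."""
    for r in ranges:
        if r["first"] <= posix_id < r["first"] + r["size"]:
            if r["type"] == "local domain range":
                return "ok"
            return f"collides with trusted range {r['name']}"
    return "outside every configured range"

def check_local_groups(ranges, groups):
    """Map each offending group name to its verdict; clean groups are omitted."""
    verdicts = {name: classify_id(ranges, gid) for name, gid in groups}
    return {n: v for n, v in verdicts.items() if v != "ok"}

if __name__ == "__main__":
    for name, verdict in check_local_groups(parse_idranges(IDRANGE_OUTPUT), LOCAL_GROUPS).items():
        print(f"{name}: {verdict}")
```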
