Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Lachlan Musicman
On 4 April 2017 at 01:35, Alexander Bokovoy  wrote:

> On Mon, 03 Apr 2017, Orion Poplawski wrote:
>
>> On 04/03/2017 09:03 AM, Orion Poplawski wrote:
>>
>>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>>>
>>>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>>>
>>
>> I'm seeing:
>>
>> [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
>> ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>> [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
>> ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
>> SID.
>> [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
>> 154]: Cannot add SID to existing entry.
>> [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
>> ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
>>
> Look at this list's archives, I've been giving recipes how to fix this
> in February.
>
>> My IPA ranges are:
>>
>> # ipa idrange-find
>> 
>> 2 ranges matched
>> 
>>  Range name: AD.NWRA.COM_id_range
>>  First Posix ID of the range: 2
>>  Number of IDs in the range: 2
>>  First RID of the corresponding RID range: 0
>>  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
>>  Range type: Active Directory domain range
>>
>>  Range name: NWRA.COM_id_range
>>  First Posix ID of the range: 8000
>>  Number of IDs in the range: 2000
>>  First RID of the corresponding RID range: 1000
>>  First RID of the secondary RID range: 1
>>  Range type: local domain range
>> 
>> Number of entries returned 2
>> 
>>
>> So I've been creating these local posix IPA groups for HBAC access (as well as
>> file storage) with the same gid as that assigned to the AD user.  Perhaps that
>> is a problem?
>>
> Yes, that is a problem. But HBAC group is not a problem because HBAC
> group is not a POSIX IPA group at all, it is even stored in a different
> subtree than user groups.
>
>
Can you expand on this please? In what way is this a problem?

We also have local posix IPA groups with the same gid as that assigned to
the AD user (for historical reasons to do with samba shares on networked
disks).

We don't use those groups for HBAC though, we use AD group membership
through external groups for HBAC. (I use the term "we use HBAC" loosely -
it's still in testing :) )

cheers
L.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Alexander Bokovoy

On Mon, 03 Apr 2017, Orion Poplawski wrote:
> On 04/03/2017 09:03 AM, Orion Poplawski wrote:
>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>>> I seem to be having some issues with users/groups that may be leading to
>>>> errors in the subdomain status.  Can anyone parse this for me?
>>>>
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>>> (0x0080): Cannot set ts attrs for
>>>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>>
>>> This can be ignored, it's just a minor performance annoyance we track
>>> upstream.
>>
>> Figured something like that, but thanks.
>>
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>>> (0x0080): Cannot set ts attrs for
>>>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>>>> [ipa_initgr_get_overrides_step] (0x0040): The group
>>>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>>>> objectSIDString, error!
>>>
>>> But this seems strange. Before you sanitized (presumably?) the logs, did
>>> the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
>>> an IPA object?
>>
>> Yes, it's an IPA group used for HBAC access.
>>
>>> Did you run the sidgen task when setting up trusts or did you make sure
>>> all replicas are either trust controllers or trust agents? Does the
>>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
>>
>> I suspect the sidgen task has not been run, as I'm not really sure what that
>> is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
>> servers, though a couple ran without that for a while.  It does not look like
>> that group has an ipaNTSecurityIdentifier attribute.
>
> I'm seeing:
>
> [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
> ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
> ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
> SID.
> [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
> 154]: Cannot add SID to existing entry.
> [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
> ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

Look at this list's archives, I've been giving recipes how to fix this
in February.

> My IPA ranges are:
>
> # ipa idrange-find
>
> 2 ranges matched
>
>  Range name: AD.NWRA.COM_id_range
>  First Posix ID of the range: 2
>  Number of IDs in the range: 2
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
>  Range type: Active Directory domain range
>
>  Range name: NWRA.COM_id_range
>  First Posix ID of the range: 8000
>  Number of IDs in the range: 2000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 1
>  Range type: local domain range
>
> Number of entries returned 2
>
> So I've been creating these local posix IPA groups for HBAC access (as well as
> file storage) with the same gid as that assigned to the AD user.  Perhaps that
> is a problem?

Yes, that is a problem. But HBAC group is not a problem because HBAC
group is not a POSIX IPA group at all, it is even stored in a different
subtree than user groups.

--
/ Alexander Bokovoy
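
The range check behind the sidgen error quoted above, as an added example that is not part of the original thread or of FreeIPA's code: it parses `ipa idrange-find` output and reports whether each POSIX ID named in a "Cannot convert Posix ID" line falls inside a local domain range. It assumes sidgen derives RIDs only from local domain ranges, as first RID plus the offset into the range; the sample text is copied from the thread as posted, and all function names are hypothetical.

```python
import re

# Constructed sample input: the range listing and the sidgen error line,
# copied from the thread as posted (including the original line wrapping).
IDRANGE_OUTPUT = """\
2 ranges matched

  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 2
  Number of IDs in the range: 2
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2
"""

SIDGEN_LOG = """\
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
SID.
"""

# Labels printed by `ipa idrange-find` mapped to short keys (hypothetical names).
FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "first_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "first_rid",
    "First RID of the secondary RID range": "secondary_rid",
    "Range type": "type",
}

def parse_idranges(text):
    """Split the listing into one dict per range; blank lines end a range."""
    ranges, current = [], {}
    for line in text.splitlines() + [""]:
        key, sep, value = line.strip().partition(":")
        if sep and key in FIELDS:
            value = value.strip()
            current[FIELDS[key]] = int(value) if value.isdigit() else value
        elif not line.strip() and current:
            ranges.append(current)
            current = {}
    return ranges

def failed_posix_ids(log_text):
    """POSIX IDs that sidgen reported it could not convert."""
    flat = " ".join(log_text.split())  # undo the log's line wrapping
    return [int(m) for m in re.findall(r"Cannot convert Posix ID \[(\d+)\]", flat)]

def map_to_rid(posix_id, ranges):
    """Return (range name, primary RID, secondary RID), or None when the ID
    lies outside every local domain range (assumed sidgen behaviour)."""
    for r in ranges:
        if r.get("type") != "local domain range":
            continue
        offset = posix_id - r["first_id"]
        if 0 <= offset < r["size"]:
            sec = r.get("secondary_rid")
            return r["name"], r["first_rid"] + offset, None if sec is None else sec + offset
    return None

def explain_failures(log_text, idrange_text):
    ranges = parse_idranges(idrange_text)
    return {pid: map_to_rid(pid, ranges) for pid in failed_posix_ids(log_text)}

if __name__ == "__main__":
    for pid, hit in explain_failures(SIDGEN_LOG, IDRANGE_OUTPUT).items():
        if hit is None:
            print(f"{pid}: outside every local domain range, no RID can be derived")
        else:
            print(f"{pid}: {hit[0]} -> RID {hit[1]} (secondary {hit[2]})")
```
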



Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Orion Poplawski
On 04/03/2017 09:03 AM, Orion Poplawski wrote:
> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>> I seem to be having some issues with users/groups that may be leading to
>>> errors in the subdomain status.  Can anyone parse this for me?
>>>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>>> (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>
>> This can be ignored, it's just a minor performance annoyance we track
>> upstream.
> 
> Figured something like that, but thanks.
> 
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>>> (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>>> [ipa_initgr_get_overrides_step] (0x0040): The group
>>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>>> objectSIDString, error!
>>
>> But this seems strange. Before you sanitized (presumably?) the logs, did
>> the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
>> an IPA object?
> 
> Yes, it's an IPA group used for HBAC access.
> 
>> Did you run the sidgen task when setting up trusts or did you make sure
>> all replicas are either trust controllers or trust agents? Does the
>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
> 
> I suspect the sidgen task has not been run, as I'm not really sure what that
> is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
> servers, though a couple ran without that for a while.  It does not look like
> that group has an ipaNTSecurityIdentifier attribute.

I'm seeing:

[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
SID.
[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
154]: Cannot add SID to existing entry.
[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

My IPA ranges are:

# ipa idrange-find

2 ranges matched

  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 2
  Number of IDs in the range: 2
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2


So I've been creating these local posix IPA groups for HBAC access (as well as
file storage) with the same gid as that assigned to the AD user.  Perhaps that
is a problem?


-- 
Orion Poplawski
Technical Manager  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com



Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Orion Poplawski
On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>> I seem to be having some issues with users/groups that may be leading to
>> errors in the subdomain status.  Can anyone parse this for me?
>>
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
> 
> This can be ignored, it's just a minor performance annoyance we track
> upstream.

Figured something like that, but thanks.

>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
> 
> But this seems strange. Before you sanitized (presumably?) the logs, did
> the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
> an IPA object?

Yes, it's an IPA group used for HBAC access.

> Did you run the sidgen task when setting up trusts or did you make sure
> all replicas are either trust controllers or trust agents? Does the
> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?

I suspect the sidgen task has not been run, as I'm not really sure what that
is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
servers, though a couple ran without that for a while.  It does not look like
that group has an ipaNTSecurityIdentifier attribute.

>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups 
>> overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups 
>> overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID
>> S-1-5-32-545
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
>> group memberships even after all groups have been looked up on the LDAP 
>> server.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending 
>> request
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0080): Sudomain lookup failed, will try to reset sudomain..
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
>> Cannot retrieve service [ad.nwra.com]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] 

Re: [Freeipa-users] subdomain errors

2017-04-03 Thread Jakub Hrozek
On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
> I seem to be having some issues with users/groups that may be leading to
> errors in the subdomain status.  Can anyone parse this for me?
> 
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
> (32)]
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
> (0x0080): Cannot set ts attrs for
> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb

This can be ignored, it's just a minor performance annoyance we track
upstream.

> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
> (32)]
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
> (0x0080): Cannot set ts attrs for
> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_initgr_get_overrides_step] (0x0040): The group
> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
> objectSIDString, error!

But this seems strange. Before you sanitized (presumably?) the logs, did
the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
an IPA object?

Did you run the sidgen task when setting up trusts or did you make sure
all replicas are either trust controllers or trust agents? Does the
entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?

> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
> failed [22].
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
> DP Error is OK on failed request?
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
> (32)]
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
> (0x0080): Cannot set ts attrs for
> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_initgr_get_overrides_step] (0x0040): The group
> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
> objectSIDString, error!
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
> failed [22].
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
> DP Error is OK on failed request?
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID
> S-1-5-32-545
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object 
> (32)]
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
> (0x0080): Cannot set ts attrs for
> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
> group memberships even after all groups have been looked up on the LDAP 
> server.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
> (0x0080): Sudomain lookup failed, will try to reset sudomain..
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
> Cannot retrieve service [ad.nwra.com]
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
> DP Error is OK on failed request?
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
> (0x0080): Sudomain lookup failed, will try to reset sudomain..
> (Fri Mar 31 16:54:26 2017) 

[Freeipa-users] subdomain errors

2017-03-31 Thread Orion Poplawski
I seem to be having some issues with users/groups that may be leading to
errors in the subdomain status.  Can anyone parse this for me?

(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_initgr_get_overrides_step] (0x0040): The group
name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
objectSIDString, error!
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
failed [22].
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
(0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
DP Error is OK on failed request?
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_initgr_get_overrides_step] (0x0040): The group
name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
objectSIDString, error!
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
failed [22].
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
(0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
DP Error is OK on failed request?
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID
S-1-5-32-545
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
(0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
(0x0080): Cannot set ts attrs for
name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0080): Sudomain lookup failed, will try to reset sudomain..
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
Cannot retrieve service [ad.nwra.com]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
(0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
DP Error is OK on failed request?
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0080): Sudomain lookup failed, will try to reset sudomain..
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
Cannot retrieve service [ad.nwra.com]
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
(0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
(0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
DP Error is OK on failed request?
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request

-- 
Orion Poplawski
Technical Manager