Re: [Freeipa-users] subdomain errors
On 4 April 2017 at 01:35, Alexander Bokovoywrote: > On ma, 03 huhti 2017, Orion Poplawski wrote: > >> On 04/03/2017 09:03 AM, Orion Poplawski wrote: >> >>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote: >>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: >>> >>> I'm seeing: >> >> [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file >> ipa_sidgen_task.c, line 194]: Sidgen task starts ... >> [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file >> ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an >> unused >> SID. >> [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file >> ipa_sidgen_task.c, line >> 154]: Cannot add SID to existing entry. >> [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file >> ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. >> > Look at this list's archives, I've been giving recipes how to fix this > in February. > > My IPA ranges are: >> >> # ipa idrange-find >> >> 2 ranges matched >> >> Range name: AD.NWRA.COM_id_range >> First Posix ID of the range: 2 >> Number of IDs in the range: 2 >> First RID of the corresponding RID range: 0 >> Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2 >> 103694531 >> Range type: Active Directory domain range >> >> Range name: NWRA.COM_id_range >> First Posix ID of the range: 8000 >> Number of IDs in the range: 2000 >> First RID of the corresponding RID range: 1000 >> First RID of the secondary RID range: 1 >> Range type: local domain range >> >> Number of entries returned 2 >> >> >> So I've been creating these local posix IPA groups for HBAC access (as >> well as >> file storage) with the same gid as that assigned to the AD user. Perhaps >> that >> is a problem? >> > Yes, that is a problem. But HBAC group is not a problem because HBAC > group is not a POSIX IPA group at all, it is even stored in a different > subtree than user groups. > > Can you expand on this please? In what way is this a problem? We also have local posix IPA groups with the same gid as that assigned to the AD user (for historical reasons to do with samba shares on networked disks). We don't use those groups for HBAC though, we use AD group membership through external groups for HBAC. (I use the term "we use HBAC" loosely - it's still in testing :) ) cheers L. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] subdomain errors
On ma, 03 huhti 2017, Orion Poplawski wrote: On 04/03/2017 09:03 AM, Orion Poplawski wrote: On 04/03/2017 02:08 AM, Jakub Hrozek wrote: On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: I seem to be having some issues with users/groups that may be leading to errors in the subdomain status. Can anyone parse this for me? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb This can be ignored, it's just a minor performance annoyance we track upstream. Figured something like that, but thanks. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute objectSIDString, error! But this seems strange. Before you sanitized (presumably?) the logs, did the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to an IPA object? Yes, it's an IPA group used for HBAC access. Did you run the sidgen task when setting up trusts or did you make sure all replicas are either trust controllers or trust agents? Does the entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute? I suspect the sidgen task has not been run, as I'm not really sure what that is. I have belatedly installed and run ipa-adtrust-install on all of our IPA servers, though a couple ran without that for a while. It does not look like that group has an ipaNTSecurityIdentifier atribute. I'm seeing: [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused SID. [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. Look at this list's archives, I've been giving recipes how to fix this in February. My IPA ranges are: # ipa idrange-find 2 ranges matched Range name: AD.NWRA.COM_id_range First Posix ID of the range: 2 Number of IDs in the range: 2 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531 Range type: Active Directory domain range Range name: NWRA.COM_id_range First Posix ID of the range: 8000 Number of IDs in the range: 2000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 So I've been creating these local posix IPA groups for HBAC access (as well as file storage) with the same gid as that assigned to the AD user. Perhaps that is a problem? Yes, that is a problem. But HBAC group is not a problem because HBAC group is not a POSIX IPA group at all, it is even stored in a different subtree than user groups. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] subdomain errors
On 04/03/2017 09:03 AM, Orion Poplawski wrote: > On 04/03/2017 02:08 AM, Jakub Hrozek wrote: >> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: >>> I seem to be having some issues with users/groups that may be leading to >>> errors in the subdomain status. Can anyone parse this for me? >>> >>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >>> (32)] >>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >>> (0x0080): Cannot set ts attrs for >>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb >> >> This can be ignored, it's just a minor performance annoyance we track >> upstream. > > Figured something like that, but thanks. > >>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >>> (32)] >>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >>> (0x0080): Cannot set ts attrs for >>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb >>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >>> [ipa_initgr_get_overrides_step] (0x0040): The group >>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute >>> objectSIDString, error! >> >> But this seems strange. Before you sanitized (presumably?) the logs, did >> the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to >> an IPA object? > > Yes, it's an IPA group used for HBAC access. > >> Did you run the sidgen task when setting up trusts or did you make sure >> all replicas are either trust controllers or trust agents? Does the >> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute? > > I suspect the sidgen task has not been run, as I'm not really sure what that > is. I have belatedly installed and run ipa-adtrust-install on all of our IPA > servers, though a couple ran without that for a while. It does not look like > that group has an ipaNTSecurityIdentifier atribute. I'm seeing: [03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused SID. [03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. [03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. My IPA ranges are: # ipa idrange-find 2 ranges matched Range name: AD.NWRA.COM_id_range First Posix ID of the range: 2 Number of IDs in the range: 2 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531 Range type: Active Directory domain range Range name: NWRA.COM_id_range First Posix ID of the range: 8000 Number of IDs in the range: 2000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 So I've been creating these local posix IPA groups for HBAC access (as well as file storage) with the same gid as that assigned to the AD user. Perhaps that is a problem? -- Orion Poplawski Technical Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane or...@nwra.com Boulder, CO 80301 http://www.nwra.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] subdomain errors
On 04/03/2017 02:08 AM, Jakub Hrozek wrote: > On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: >> I seem to be having some issues with users/groups that may be leading to >> errors in the subdomain status. Can anyone parse this for me? >> >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >> (0x0080): Cannot set ts attrs for >> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb > > This can be ignored, it's just a minor performance annoyance we track > upstream. Figured something like that, but thanks. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >> (0x0080): Cannot set ts attrs for >> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_initgr_get_overrides_step] (0x0040): The group >> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute >> objectSIDString, error! > > But this seems strange. Before you sanitized (presumably?) the logs, did > the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to > an IPA object? Yes, it's an IPA group used for HBAC access. > Did you run the sidgen task when setting up trusts or did you make sure > all replicas are either trust controllers or trust agents? Does the > entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute? I suspect the sidgen task has not been run, as I'm not really sure what that is. I have belatedly installed and run ipa-adtrust-install on all of our IPA servers, though a couple ran without that for a while. It does not look like that group has an ipaNTSecurityIdentifier atribute. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups >> overrides >> failed [22]. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] >> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] >> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): >> DP Error is OK on failed request? >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >> (0x0080): Cannot set ts attrs for >> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_initgr_get_overrides_step] (0x0040): The group >> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute >> objectSIDString, error! >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups >> overrides >> failed [22]. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] >> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] >> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): >> DP Error is OK on failed request? >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID >> S-1-5-32-545 >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] >> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object >> (32)] >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] >> (0x0080): Cannot set ts attrs for >> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external >> group memberships even after all groups have been looked up on the LDAP >> server. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] >> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending >> request >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] >> (0x0080): Sudomain lookup failed, will try to reset sudomain.. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080): >> Cannot retrieve service [ad.nwra.com] >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] >> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. >> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
Re: [Freeipa-users] subdomain errors
On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote: > I seem to be having some issues with users/groups that may be leading to > errors in the subdomain status. Can anyone parse this for me? > > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] > (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object > (32)] > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] > (0x0080): Cannot set ts attrs for > name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb This can be ignored, it's just a minor performance annoyance we track upstream. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] > (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object > (32)] > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] > (0x0080): Cannot set ts attrs for > name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_initgr_get_overrides_step] (0x0040): The group > name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute > objectSIDString, error! But this seems strange. Before you sanitized (presumably?) the logs, did the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to an IPA object? Did you run the sidgen task when setting up trusts or did you make sure all replicas are either trust controllers or trust agents? Does the entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute? > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides > failed [22]. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] > (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] > (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): > DP Error is OK on failed request? > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] > (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object > (32)] > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] > (0x0080): Cannot set ts attrs for > name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_initgr_get_overrides_step] (0x0040): The group > name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute > objectSIDString, error! > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides > failed [22]. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] > (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] > (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): > DP Error is OK on failed request? > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID > S-1-5-32-545 > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] > (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object > (32)] > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] > (0x0080): Cannot set ts attrs for > name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external > group memberships even after all groups have been looked up on the LDAP > server. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] > (0x0080): Sudomain lookup failed, will try to reset sudomain.. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080): > Cannot retrieve service [ad.nwra.com] > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] > (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] > (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): > DP Error is OK on failed request? > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] > [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request > (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] > (0x0080): Sudomain lookup failed, will try to reset sudomain.. > (Fri Mar 31 16:54:26 2017)
[Freeipa-users] subdomain errors
I seem to be having some issues with users/groups that may be leading to errors in the subdomain status. Can anyone parse this for me? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute objectSIDString, error! (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22]. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute objectSIDString, error! (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22]. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545 (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain.. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ad.nwra.com] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain.. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ad.nwra.com] (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive. (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request? (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request -- Orion Poplawski Technical Manager