[SSSD] [sssd PR#248][opened] IPA: Improve s2n debug message for missing ipaNTSecurityIdentifier

Tue, 25 Apr 2017 10:13:10 -0700 

   URL: https://github.com/SSSD/sssd/pull/248
Author: justin-stephenson
 Title: #248: IPA: Improve s2n debug message for missing ipaNTSecurityIdentifier
Action: opened

PR body:
"""
This patch is piggyback


This patch improves the log message to be more information for
the SSSD user troubleshooting issues.

If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing
the ipaNTSecurityIdentifier it can cause client s2n operations failures
resolving the group which resulted in the inability to login for the AD
user.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/248/head:pr248
git checkout pr248

From 7fea36a4aa3fb0c1edea54ecd37bcfa99af72a5b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstep...@redhat.com>
Date: Tue, 25 Apr 2017 13:02:10 -0400
Subject: [PATCH] IPA: Improve s2n debug message for missing
 ipaNTSecurityIdentifier

This patch improves the log message to be more information for
the SSSD user troubleshooting issues.

If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing
the ipaNTSecurityIdentifier it can cause client s2n operations failures
resolving the group which resulted in the inability to login for the AD
user.
---
 src/providers/ipa/ipa_s2n_exop.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 55ec904..0608e81 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2580,7 +2580,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
     ret = sysdb_attrs_get_string(attrs->sysdb_attrs, SYSDB_SID_STR, &sid_str);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
-              "Cannot find SID of object with override.\n");
+              "Object [%s] has no SID, please check the "
+              "ipaNTSecurityIdentifier attribute on the server-side.\n",
+              attrs->a.name);
         goto done;
     }
 

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to