On (22/08/17 10:23), Lukas Slebodnik wrote: >On (22/08/17 14:48), Lachlan Musicman wrote: >>On 22 August 2017 at 08:33, Lachlan Musicman <[email protected]> wrote: >> >>> On 22 August 2017 at 00:46, Jakub Hrozek <[email protected]> wrote: >>> >>>> On Mon, Aug 21, 2017 at 10:24:50AM +1000, Lachlan Musicman wrote: >>>> > On 18 August 2017 at 17:33, Jakub Hrozek <[email protected]> wrote: >>>> > >>>> > Hmmm. Weird. We are still seeing the "AD group not reflected in cache" >>>> > problem and am not seeing evidence of SSSD updating from the IPA server >>>> on >>>> > request (via login from other machine, via id command). >>>> >>> >> >>Just to follow up on this, I've done a comparative test. >> >>On a machine in which <user> comes up correctly (all groups, properly >>over-written by ipa's idview) and one in which the same <user> does not. >>Note that both machines are on the same network, run the same OS and SSSD >>versions. >> >>When I run the following on both servers: >> >>sss_cache -u <user> >>'id <user>’ >> >>On the sssd client that returns the correct data, sssd_<domain>.log shows: >> >>.... >>(Tue Aug 22 13:13:17 2017) [sssd[be[sub.domain.com]]] >>[sss_domain_get_state] (0x1000): Domain sub.domain.com is Active >>(Tue Aug 22 13:13:17 2017) [sssd[be[sub.domain.com]]] >>[sss_domain_get_state] (0x1000): Domain sub.domain.com is Active >>(Tue Aug 22 13:13:17 2017) [sssd[be[sub.domain.com]]] >>[sysdb_set_entry_attr] (0x0200): Entry >>[name=<user>,cn=users,cn=domain.com,cn=sysdb] >>has set [ts_cache] attrs. >>(Tue Aug 22 13:13:17 2017) [sssd[be[sub.domain.com]]] [dp_req_done] >>(0x0400): DP Request [Account #5760]: Request handler finished [0]: Success >>(Tue Aug 22 13:13:17 2017) [sssd[be[sub.domain.com]]] [_dp_req_recv] >>(0x0400): DP Request [Account #5760]: Receiving request data. >>.... >> >> >>On the sssd client which does *not* return the correct data, >>sssd_<domain>.log shows: >> >>.... >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[sss_domain_get_state] (0x1000): Domain sub.domain.com is Active >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[sss_domain_get_state] (0x1000): Domain sub.domain.com is Active >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such >>object](32)[ldb_wait: No such object (32)] >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[sysdb_set_cache_entry_attr] (0x0400): No such entry >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[sysdb_set_entry_attr] (0x0080): Cannot set attrs for >>name=<user>,cn=users,cn=domain.com,cn=sysdb, 2 [No such file or directory] >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [sysdb_store_user] >>(0x0040): Cache update failed: 2 >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [sysdb_store_user] >>(0x0400): Error: 2 (No such file or directory) >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[ipa_s2n_save_objects] (0x0040): sysdb_store_user failed [2]: No such file >>or directory >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed. >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [dp_req_done] >>(0x0400): DP Request [Account #400]: Request handler finished [0]: Success >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [_dp_req_recv] >>(0x0400): DP Request [Account #400]: Receiving request data. >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[dp_req_reply_list_success] (0x0400): DP Request [Account #400]: Finished. >>Success. >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [dp_req_reply_std] >>(0x1000): DP Request [Account #400]: Returning [Success]: 0,0,Success >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] >>[dp_table_value_destructor] (0x0400): Removing >>[0:1:0x0001:1::domain.com:name=<user>] >>from reply table >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [dp_req_destructor] >>(0x0400): DP Request [Account #400]: Request removed. >>(Tue Aug 22 12:54:25 2017) [sssd[be[sub.domain.com]]] [dp_req_destructor] >>(0x0400): Number of active DP request: 0 >>.... >> >> >>The difference is >> >>[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such >>object](32)[ldb_wait: No such object (32)] >> > >It is a bug in processing group hierarchy in sssd. > >It would be good if you could provide a minimal reproducer >because I expect you cannot dump whole directory server for us :-) :-) :-) > Another possible solution would be to enable debugging for ldb functions. So we might see also action and not only result.
curl -O /usr/local/lib64/sss_ldb_debug.so https://lslebodn.fedorapeople.org/sss_ldb_debug/sss_ldb_debug.so echo "LD_PRELOAD=/usr/local/lib64/sss_ldb_debug.so" >> /etc/sysconfig/sssd * clear sssd cache and old sssd log files; rm -f /var/lib/sssd/db/* /var/log/sssd/* * increase debug_level in domain section * restart sssd * reproduce problem An provide sanitized log files. Feel free to send them privately if you do not want to send them to mailing list. LS _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
