> On Fri, Nov 15, 2019 at 10:58:17AM -0000, Jamal Mahmoud wrote:
> 
> Ok, do you know if the LDAP attributes uidNumber and gidNumber are
> replicated to the Global Catalog in your environment? By default they
> are not.
> 
> You can check this manually as well with ldapsearch on the Global
> Catalog port 3268:
> 
>     ldapsearch -H ldap://your-ad-dc.your.ad.domain:3268 -b 'DC=your,DC=ad,DC=domain' samAccountName=groupname
> 
> If gidNumber is missing in the Global Catalog object please try if
> setting
> 
>     ad_enable_gc = False
> 
> in the [domain/...] section of sssd.conf makes the group lookup more
> reliable.
> 
> bye,
> Sumit
Hi Sumit, 

After adding in the ad_enable_gc=false, it doesn't seem to stop the errors we 
are getting. The last problem we got (today) was that a logged-in user had only 
his uid and the primary GID. I'm not sure if this is a different issue, but I'm 
starting to get the feeling that there is something misconfigured on our SSSD 
client setup.

Although, since I rolled this out, the machines with the new config did not get 
the "non-POSIX POSIX group in the cache" problem we've been discussing, so it 
may be solved, or coincidentally the specific error hasn't come up again.

As an aside, I've noticed that when the backend fetches new data for the cache, 
sometimes it will just update the ts_cache and sometimes it will update both 
the cache and the ts_cache. What determines this behaviour? I'm asking because 
when the cache fetches and updates, it actually fixes the problem when it 
updates the cache, but when it only changes the ts_cache the issue remains. I've 
added a couple of examples to explain:

Updates both cache and ts_cache:
[sdap_save_group] (0x0400): Storing info for group [email protected]
[sysdb_set_entry_attr] (0x0200): Entry [[email protected],cn=groups,cn=domain.com,cn=sysdb] has set [cache, ts_cache] attrs.

Updates only the ts_cache:
[sdap_save_group] (0x0400): Storing info for group [email protected]
[sysdb_store_group] (0x1000): The group record of [email protected] did not change, only updated the timestamp cache

Realistically it should see that the incoming data is different to the cached 
data, no?

Sorry for the heavy message, please let me know if you need any specifics and 
I'll be glad to provide. Really appreciate the time you're giving to help us 
out. 

Kind Regards,
Jamal
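
One way to tally, per group, which of the two outcomes quoted in the message above each save ended in (an added example, not part of the original message and not SSSD code). The sample lines, group names and entry DN layout are constructed, and the function names are hypothetical; the script only counts outcomes and does not explain why SSSD chooses one path or the other.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log lines quoted in the message;
# group names and the entry DN layout are made up for this example.
SAMPLE_LOG = """\
[sdap_save_group] (0x0400): Storing info for group devs@example.test
[sysdb_set_entry_attr] (0x0200): Entry [name=devs@example.test,cn=groups,cn=example.test,cn=sysdb] has set [cache, ts_cache] attrs.
[sdap_save_group] (0x0400): Storing info for group ops@example.test
[sysdb_store_group] (0x1000): The group record of ops@example.test did not change, only updated the timestamp cache
[sdap_save_group] (0x0400): Storing info for group ops@example.test
[sysdb_store_group] (0x1000): The group record of ops@example.test did not change, only updated the timestamp cache
"""

STORING = re.compile(r"\[sdap_save_group\].*Storing info for group (\S+)")
TS_ONLY = re.compile(r"\[sysdb_store_group\].*The group record of (\S+) did not change")
ATTRS_SET = re.compile(r"\[sysdb_set_entry_attr\].*Entry \[(.*?)\] has set \[(.*?)\] attrs")


def classify_group_saves(lines):
    """Return {group: {"full": n, "ts_only": n, "unknown": n}}."""
    counts = defaultdict(lambda: {"full": 0, "ts_only": 0, "unknown": 0})
    pending = None  # group from the last "Storing info" line, outcome not seen yet
    for line in lines:
        if m := STORING.search(line):
            if pending:  # previous save had no recognisable outcome line
                counts[pending]["unknown"] += 1
            pending = m.group(1)
        elif (m := TS_ONLY.search(line)) and m.group(1) == pending:
            counts[pending]["ts_only"] += 1
            pending = None
        elif (m := ATTRS_SET.search(line)) and pending and pending in m.group(1):
            # The bracketed list names which caches were actually written.
            written = {a.strip() for a in m.group(2).split(",")}
            counts[pending]["full" if "cache" in written else "ts_only"] += 1
            pending = None
    if pending:
        counts[pending]["unknown"] += 1
    return {g: dict(c) for g, c in counts.items()}


def never_fully_updated(counts):
    """Groups whose saves in this log only ever touched the timestamp cache."""
    return sorted(g for g, c in counts.items() if c["ts_only"] and not c["full"])


if __name__ == "__main__":
    result = classify_group_saves(SAMPLE_LOG.splitlines())
    print(result)
    print("timestamp-only groups:", never_fully_updated(result))
```

Feeding it the lines of a real domain log instead of SAMPLE_LOG lists the groups worth comparing against the directory by hand.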