On Thu, Jun 17, 2021 at 01:59:13PM -0000, iulian roman wrote:
> Hello everybody,
>
> I have an issue with listing the AD users part of Default Trust View (all
> users have the uid overridden) from an ipa client which is running sssd
> 2.2.3. The same setup works properly on Ubuntu systems with sssd 1.16.1 and
> Idm servers with sssd version 2.4.0. I have enabled all tracing on the
> clients and it seems that the issue is when it tries to write the cache:
>
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000):
> User [email protected] does not exist.
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040):
> Group named [email protected] already exists in an MPG domain
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400):
> Error: 17 (File exists)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid]
> (0x0400): No such entry
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user]
> (0x0400): Error: 2 (No such file or directory)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040):
> Cache update failed: 17
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400):
> Error: 17 (File exists)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid]
> (0x0400): No such entry
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group]
> (0x0400): Error: 2 (No such file or directory)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects]
> (0x0040): sysdb_delete_group failed for MPG group [2]: No such file or
> directory
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done]
> (0x0040): ipa_s2n_save_objects failed.
>
> The query works properly for trust users which do not have uid overridden.
> getent group works properly but getent passwd does not display anything.

Hi,

I'm sorry I didn't reply in time on the freeipa-users list.

From the log snippet it looks like you have overwritten a user or a group
name so that a user and a group will have the same name. This does not work
with the idrange type 'ipa-ad-trust' where UIDs and GIDs are generated
automatically and a "user-private-group" is created on the fly. This
"user-private-group" is the primary group of the user and will have the same
name as the user and the GID is numerically the same as the UID of the user.
This means we restrict the name and ID space which are typically independent
on the Linux/UNIX/Posix side. This works fine with AD and automatic ID
generation because on AD users and groups are using the same name and ID
space as well. For id-overrides these restrictions must be observed as well.

With very recent versions of FreeIPA and SSSD the primary group can be
configured more flexibly, see https://pagure.io/freeipa/issue/8807 and
https://github.com/SSSD/sssd/issues/4216 for more details. But the related
patches might not be available on all platforms.

HTH

bye,
Sumit

>
> I am at a point where I am clueless, therefore any hint/suggestion would be
> really appreciated.
> I have posted the issue on the freeipa-users list as well but I thought that
> being an sssd issue maybe it is more appropriate to have it here.
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
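
The restriction described in the reply, as an added example that is not part of the original thread or of SSSD/FreeIPA code: a pre-check that flags ID overrides whose name or UID is already taken by a group, which is the condition behind the "already exists in an MPG domain" log line. The UserOverride and Group types, mpg_conflicts, the case-insensitive name comparison, and all sample names and IDs are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UserOverride:
    anchor: str  # AD user the override applies to
    name: str    # login name after the override
    uid: int     # UID after the override


@dataclass(frozen=True)
class Group:
    name: str
    gid: int


def mpg_conflicts(overrides, groups):
    """Return (anchor, kind, other) for each override that cannot get a
    user-private group (same name as the user, GID == UID) because that
    name or ID is already taken in the shared user/group space."""
    # Assumption: names are compared case-insensitively.
    names = {g.name.lower(): g.name for g in groups}
    ids = {g.gid: g.name for g in groups}
    found = []
    for o in overrides:
        key = o.name.lower()
        if key in names:
            found.append((o.anchor, "name", names[key]))
        if o.uid in ids:
            found.append((o.anchor, "id", ids[o.uid]))
        # The private group now occupies this name and ID as well, so a
        # later override reusing either one collides with it.
        names.setdefault(key, o.name)
        ids.setdefault(o.uid, o.name)
    return found


# Constructed sample data; all names and IDs are made up.
GROUPS = [Group("admins@ad.example.test", 70500),
          Group("staff@ad.example.test", 70010)]
OVERRIDES = [
    UserOverride("jdoe@ad.example.test", "admins@ad.example.test", 70001),
    UserOverride("asmith@ad.example.test", "asmith@ad.example.test", 70010),
    UserOverride("bwong@ad.example.test", "bwong@ad.example.test", 70020),
    UserOverride("clee@ad.example.test", "clee@ad.example.test", 70020),
]

if __name__ == "__main__":
    for anchor, kind, other in mpg_conflicts(OVERRIDES, GROUPS):
        print(f"{anchor}: {kind} collides with {other}")
```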
