On 12/29/21 14:00, [email protected] wrote:
On 12/29/21 13:48, [email protected] wrote:We have a particular machine that is having trouble resolving an AD group - "domain admins". The relevant log entries seem to be:(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain [email protected]] in cache (2021-12-29 13:40:17): [nss] [sysdb_search_override_by_name] (0x0400): No user override found for name [domain [email protected]]. (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain [email protected],cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied. (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result. (2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Object [domain [email protected]] was not found in cache (2021-12-29 13:40:17): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #152: Adding [domain [email protected]] to negative cache (2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ad.nwra.com/domain [email protected]] to negative cache (2021-12-29 13:40:17): [nss] [cache_req_process_result] (0x0400): CR #152: Finished: Not found (2021-12-29 13:40:17): [nss] [sss_domain_get_state] (0x1000): Domain ad.nwra.com is Active (2021-12-29 13:40:17): [nss] [nss_protocol_done] (0x4000): Sending reply: not found on working systems we don't have the sysdb_getgrnam_with_views message. I'd rather not clear the sssd database. Is there anything else that can be done? 'sss_cache -g "domain admins"' does not help. We're using an IPA <-> AD trust.So, ldbsearch revealed: dn: name=domain [email protected],cn=groups,cn=ad.nwra.com,cn=sysdb ... ghost: [email protected] and: sss_cache -g 'domain [email protected]' did the trick of clearing that.
As a followup - is it reasonable for sssd to return an empty group in this situation?
-- Orion Poplawski he/him/his - surely the least important thing about me Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane [email protected] Boulder, CO 80301 https://www.nwra.com/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
