On Sun, Jan 09, 2022 at 04:39:14PM -0700, Orion Poplawski wrote:
> On 1/3/22 08:47, Sumit Bose wrote:
> > On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote:
> > > On 12/29/21 14:00, [email protected] wrote:
> > > > On 12/29/21 13:48, [email protected] wrote:
> > > > > We have a particular machine that is having trouble resolving an AD
> > > > > group - "domain admins".  The relevant log entries seem to be:
> > > > > 
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain [email protected]] in cache
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_search_override_by_name] (0x0400): No user override found for name [domain [email protected]].
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain [email protected],cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result.
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Object [domain [email protected]] was not found in cache
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #152: Adding [domain [email protected]] to negative cache
> > > > > (2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ad.nwra.com/domain [email protected]] to negative cache
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_process_result] (0x0400): CR #152: Finished: Not found
> > > > > (2021-12-29 13:40:17): [nss] [sss_domain_get_state] (0x1000): Domain ad.nwra.com is Active
> > > > > (2021-12-29 13:40:17): [nss] [nss_protocol_done] (0x4000): Sending reply: not found
> > > > > 
> > > > > on working systems we don't have the sysdb_getgrnam_with_views
> > > > > message.  I'd rather not clear the sssd database.  Is there anything
> > > > > else that can be done?
> > > > > 'sss_cache -g "domain admins"' does not help.
> > > > > 
> > > > > We're using an IPA <-> AD trust.
> > > > 
> > > > So, ldbsearch revealed:
> > > > 
> > > > 
> > > > dn: name=domain [email protected],cn=groups,cn=ad.nwra.com,cn=sysdb
> > > > ...
> > > > ghost: [email protected]
> > > > 
> > > > and:
> > > > 
> > > > sss_cache -g 'domain [email protected]'
> > > > 
> > > > did the trick of clearing that.
> > > 
> > > As a followup - is it reasonable for sssd to return an empty group in this
> > > situation?
> > 
> > Hi,
> > 
> > are you using 'ignore_group_members = True' in sssd.conf?
> 
> No.

Hi,

then I think SSSD should not return an empty group because applications
checking group members might get confused.

Is there something special about '[email protected]'? Can you
resolve the user on IPA clients and servers? Does 'id
[email protected]' show all groups the user is a member of with
name and GID on IPA clients and servers or is sometimes a group name
missing and only the GID shown?

bye,
Sumit

> 
> 
> -- 
> Orion Poplawski
> he/him/his - surely the least important thing about me
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       [email protected]
> Boulder, CO 80301                 https://www.nwra.com/
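
Added example (not part of the original thread and not SSSD project code): a Python script that scans sssd_nss debug-log lines in the format quoted above for groups whose lookup returned empty because of ghost entries, and builds the fully qualified `sss_cache -g` call that cleared the entry in this thread. The sample log, the `ad.example.test` names and the function names are constructed for illustration, and the parser assumes each log entry sits on a single line.

```python
import re
import shlex

# Constructed sample in the sssd_nss debug-log format quoted in the thread.
# Group and domain names are placeholders, not values from the original post.
SAMPLE_LOG = """\
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain admins@ad.example.test] in cache
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain admins@ad.example.test,cn=groups,cn=ad.example.test,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result.
(2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ad.example.test/domain admins@ad.example.test] to negative cache
(2021-12-29 13:40:18): [nss] [cache_req_search_cache] (0x0400): CR #153: Looking up [staff@ad.example.test] in cache
"""

# One log entry per line: (timestamp): [nss] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\): \[nss\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
GHOST = re.compile(r"Group object \[name=(?P<group>[^,\]]+),.*contains ghost entries")
NCACHE = re.compile(r"Adding \[NCE/GROUP/[^/]+/(?P<group>[^\]]+)\] to negative cache")

def find_ghost_blocked_groups(log_text):
    """Map each group hit by the ghost-entry empty result to what the log shows."""
    found = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        ghost = GHOST.search(m["msg"])
        if ghost and m["func"] == "sysdb_getgrnam_with_views":
            entry = found.setdefault(
                ghost["group"], {"first_seen": m["ts"], "hits": 0, "negative_cached": False})
            entry["hits"] += 1
            continue
        ncache = NCACHE.search(m["msg"])
        if ncache and ncache["group"] in found:
            # The empty result was also stored as "not found" in the negative cache.
            found[ncache["group"]]["negative_cached"] = True
    return found

def invalidate_commands(found):
    """Build sss_cache calls using the fully qualified name, as in the thread."""
    return ["sss_cache -g " + shlex.quote(group) for group in sorted(found)]

if __name__ == "__main__":
    groups = find_ghost_blocked_groups(SAMPLE_LOG)
    print(groups)
    print("\n".join(invalidate_commands(groups)))
```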
