On Mon, Mar 25, 2024 at 2:50 PM Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Mon, 25 Mar 2024, Natxo Asenjo wrote:
>On Mon, Mar 25, 2024 at 1:49 PM Alexander Bokovoy <abokovoy(a)redhat.com>
>wrote:
>> Can you give more details about this ID?
>>
>
>Is this a local user account?
>
>On both client and server involved in this problem:
>
># id -nu 2000
>id: ‘2000’: no such user
>
>Or I am misunderstanding your question, if so, apologies?
There are quite a few IDs that get the same treatment:
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#146] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#148] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#152] Mapping ID [1200] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:11): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#154] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#156] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#158] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:19): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#160] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#162] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#164] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:37): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#166] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#168] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#170] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#172] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#174] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#176] Mapping ID [2000] to SID failed: [IDMAP domain not found]
By the code mark, it is in AD provider:
$ git grep ad_account_can_shortcut
src/providers/ad/ad_id.c:static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
src/providers/ad/ad_id.c: shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx,
so it attempts to perform ID to name translation but fails to see if
this ID matches the AD domain's ID range.
If you have full SSSD logs from both client and IPA server at the same
time, those would be helpful.
Of course. If you don't mind I will not sanitize them and send them
directly to you. That will prevent search/replace errors on my part.
I will make 2 tarballs, one for client, one for server, and send them
directly, if it's ok.
Thanks for your assistance.
--
regards,
Natxo
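
A small triage script for the log excerpt quoted in this message, as an added example that is not part of the thread or of SSSD: it parses the `ad_account_can_shortcut` entries, counts failures per numeric ID, and reports whether each ID falls inside an ID range you supply. The function names and the range values are assumptions made for illustration; take real ranges from your own IPA configuration.

```python
import re
from collections import Counter

# Matches the SSSD backend debug message quoted in the thread. \s+ tolerates
# line wrapping inside one entry, as happens when logs are pasted into mail.
ENTRY = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\):\s+"
    r"\[be\[(?P<domain>[^\]]+)\]\]\s+\[ad_account_can_shortcut\]\s+"
    r"\(0x[0-9a-fA-F]+\):\s+\[RID#(?P<rid>\d+)\]\s+"
    r"Mapping\s+ID\s+\[(?P<id>\d+)\]\s+to\s+SID\s+failed:\s+"
    r"\[(?P<reason>[^\]]+)\]"
)

def parse_failures(text):
    """Return (backend domain, numeric ID, reason) for every matching entry."""
    return [(m["domain"], int(m["id"]), " ".join(m["reason"].split()))
            for m in ENTRY.finditer(text)]

def summarize(text, ranges):
    """Count failures per ID and name the supplied range that holds each ID.

    ranges: {name: (first_id, last_id)}, inclusive. An owner of None means
    the ID lies outside every range passed in.
    """
    counts = Counter(id_ for _, id_, _ in parse_failures(text))
    report = {}
    for id_, n in sorted(counts.items()):
        owner = next((name for name, (lo, hi) in ranges.items()
                      if lo <= id_ <= hi), None)
        report[id_] = (n, owner)
    return report

# Three entries copied from the thread, wrapped the way a mail client wraps them.
SAMPLE = """\
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not
found]
(2024-03-25 11:17:11): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#154] Mapping ID [2000] to SID failed: [IDMAP domain not
found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#156] Mapping ID [101] to SID failed: [IDMAP domain not found]
"""

# Constructed ID ranges (assumption, not values from the thread).
RANGES = {"ipa-local-range": (1234000000, 1234199999),
          "ad-trust-range": (1500000000, 1500199999)}

if __name__ == "__main__":
    for id_, (n, owner) in summarize(SAMPLE, RANGES).items():
        print(f"ID {id_}: {n} failure(s), range: {owner or 'none configured'}")
```

IDs that report no owning range and resolve to no user on the host (as `id -nu 2000` showed above) point at lookups for IDs that exist only on the requesting side, which is worth confirming against the full logs.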