On Fri, Jul 02, 2021 at 02:32:19PM +0200, Ronald Wimmer via FreeIPA-users wrote:
On 01.07.21 18:00, Sumit Bose via FreeIPA-users wrote:
> On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > Today I set up an IPA test web application in our IPA test environment. I figured out that my AD user was resolved but the user of my colleague was not. (getent passwd userA/userB)
> > > >
> > > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and started SSSD again. After that I could not resolve any AD user. The sssd logs showed a Network I/O error:
> > > >
> > > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
> > > > .
> > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs might contain more details.
> > >
> > > Hi,
> > >
> > > you should check on the IPA servers if the users and all the
> > > group-memberships can be resolved properly, i.e. 'id aduser(a)AD.DOMAIN'
> > > should display the user and all its groups with both name and ID. If
> > > some groups are only listed by GID you should check why the IPA server
> > > cannot resolve the name.
> >
> > Resolving the users on an IPA server works properly.
>
> Hi,
>
> I'm afraid in this case you should point the client to a dedicated
> server and check the SSSD nss logs for issues while the client is
> sending the request to the server. If this does not give a hint then
> enabling plugin debugging in the 389ds LDAP server might help.
(2021-07-02 14:25:45): [nss] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/someaddomain.mydomain.at/myaduser(a)someaddomain.mydomain.at]
(2021-07-02 14:25:45): [nss] [cache_req_search_ncache] (0x0400): CR #2: [myaduser(a)someaddomain.mydomain.at] is not present in negative cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: Looking up [myaduser(a)someaddomain.mydomain.at] in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: Object [myaduser(a)someaddomain.mydomain.at] was not found in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: Looking up [myaduser(a)someaddomain.mydomain.at] in data provider
(2021-07-02 14:25:45): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [someaddomain.mydomain.at][0x1][BE_REQ_USER][name=myaduser@someaddomain.mydomain.at:-]
(2021-07-02 14:25:49): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0040): CR #2: Data Provider Error: 3, 17, File exists
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0400): CR #2: Due to an error we will return cached data
(2021-07-02 14:25:29): [be[ipatest.mydomain.at]] [server_setup] (0x0040): Starting with debug level = 0x0070
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group] (0x0040): sysdb_add_group failed (while renaming group) for: myaduser(a)someaddomain.mydomain.at [1073895519].
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group] (0x0040): Cache update failed: 17
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_save_objects] (0x0040): sysdb_store_group failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_next] (0x0040): ipa_s2n_get_list_save_step failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [17]: File exists.
(2021-07-02 14:25:55): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(2021-07-02 14:26:01): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(2021-07-02 14:26:07): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
What is this error no. 17 "file exists"?
Hi,
it looks like SSSD tries to add the primary group of the user to the
cache directly but a group with the same name already exists. Can you
send the full domain logs covering this request?
bye,
Sumit
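Added example (not code from the thread or from SSSD): a small Python parser for the SSSD debug-log format quoted above that picks out the errno 17 (EEXIST) entries and the "sysdb_add_group failed (while renaming group)" line naming the colliding group, which is the symptom Sumit points at. The sample lines are constructed from the ones in the thread (with the archive's "(a)" written as "@"); the names parse_line and analyze are my own.

```python
import re

# Format of the SSSD debug lines quoted in the thread:
# (YYYY-MM-DD HH:MM:SS): [component] [function] (0xLEVEL): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>[^\]]*\]?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# nss responder reporting the errno handed back by the data provider
DP_ERR_RE = re.compile(r"Data Provider Error: (\d+), (\d+), (.*)")
# backend failing to store the user's primary group under an existing name
GROUP_RE = re.compile(
    r"sysdb_add_group failed \(while renaming group\) for: (\S+) \[(\d+)\]"
)
EEXIST = 17  # errno value printed as "File exists"

# Constructed sample, modelled on the lines Ronald posted.
SAMPLE = """\
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0040): CR #2: Data Provider Error: 3, 17, File exists
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group] (0x0040): sysdb_add_group failed (while renaming group) for: myaduser@someaddomain.mydomain.at [1073895519].
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group] (0x0040): Cache update failed: 17
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
""".splitlines()

def parse_line(line):
    """Split one SSSD log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Collect EEXIST errors and the group-name collision behind them."""
    result = {"dp_errors": [], "group_conflicts": [], "errno17_funcs": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = DP_ERR_RE.search(rec["msg"])
        if m and int(m.group(2)) == EEXIST:
            result["dp_errors"].append((rec["ts"], m.group(3)))
        m = GROUP_RE.search(rec["msg"])
        if m:  # the group name SSSD could not store, and its GID
            result["group_conflicts"].append((m.group(1), int(m.group(2))))
        if f"Error: {EEXIST} (" in rec["msg"] or rec["msg"].endswith(f"failed: {EEXIST}"):
            result["errno17_funcs"].append(rec["func"])
    return result

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

When group_conflicts is non-empty, the name it lists is the one to look up in the IPA cache (it collides with an entry that already exists there), which is exactly the "full domain logs" question Sumit raises.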
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure