After upgrading our IPA servers AD user resolution seems to have stopped working.
id myADUser says: id: ‘myADUser’: no such user
Why? The logs say:
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [accept_fd_handler] (0x0400): Client [0x55b92cb403e0][26] connected!
(2020-11-18 9:09:59): [nss] [sss_cmd_get_version] (0x0200): Received client version [1].
(2020-11-18 9:09:59): [nss] [sss_cmd_get_version] (0x0200): Offered version [1].
(2020-11-18 9:09:59): [nss] [nss_getby_name] (0x0400): Input name: myADUser
(2020-11-18 9:09:59): [nss] [cache_req_send] (0x0400): CR #0: New request 'User by name'
(2020-11-18 9:09:59): [nss] [cache_req_process_input] (0x0400): CR #0: Parsing input name [myADUser]
(2020-11-18 9:09:59): [nss] [sss_parse_name_for_domains] (0x0200): name 'myADUser' matched without domain, user is myADUser
(2020-11-18 9:09:59): [nss] [nss_get_object_send] (0x0400): Client [0x55b92cb403e0][26]: sent cache request #0
(2020-11-18 9:09:59): [nss] [cache_req_set_name] (0x0400): CR #0: Setting name [myADUser]
(2020-11-18 9:09:59): [nss] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
(2020-11-18 9:09:59): [nss] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [implicit_files]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [implicit_files] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@implicit_files
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@implicit_files]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@implicit_files] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@implicit_files] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@implicit_files] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@implicit_files] in data provider
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@implicit_files] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@implicit_files] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@implicit_files] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/implicit_files/myADUser@implicit_files] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [org.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [org.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@org.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@org.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@org.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@org.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@org.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@org.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [org.mydomain.at][0x1][BE_REQ_USER][name=myADUser@org.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=myADUser@org.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): DP Request [Account #1]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_done] (0x0400): DP Request [Account #1]: Request handler finished [0]: Success
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400): DP Request [Account #1]: Receiving request data.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): DP Request [Account #1]: Request removed.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@org.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@org.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@org.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/org.mydomain.at/myADUser@org.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [linux.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [linux.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@linux.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@linux.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@linux.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@linux.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@linux.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@linux.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [linux.mydomain.at][0x1][BE_REQ_USER][name=myADUser@linux.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=myADUser@linux.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): DP Request [Account #2]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=linux,dc=mydomain,dc=at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=myADUser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_done] (0x0400): DP Request [Account #2]: Request handler finished [0]: Success
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400): DP Request [Account #2]: Receiving request data.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): DP Request [Account #2]: Request removed.
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@linux.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@linux.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@linux.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/linux.mydomain.at/myADUser@linux.mydomain.at] to negative cache
(2020-11-18 9:09:59): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [buero.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [buero.mydomain.at] rules
(2020-11-18 9:09:59): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@buero.mydomain.at
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@buero.mydomain.at]
(2020-11-18 9:09:59): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@buero.mydomain.at] is not present in negative cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@buero.mydomain.at] in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@buero.mydomain.at] was not found in cache
(2020-11-18 9:09:59): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@buero.mydomain.at] in data provider
(2020-11-18 9:09:59): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [buero.mydomain.at][0x1][BE_REQ_USER][name=myADUser@buero.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=myADUser@buero.mydomain.at]
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): DP Request [Account #3]: New request. Flags [0x0001].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:09:59): [be[linux.mydomain.at]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400): DP Request [Account #3]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400): DP Request [Account #3]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): DP Request [Account #3]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@buero.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@buero.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@buero.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/buero.mydomain.at/myADUser@buero.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [mydomain.at] rules
(2020-11-18 9:10:00): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@mydomain.at
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@mydomain.at] is not present in negative cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@mydomain.at] in data provider
(2020-11-18 9:10:00): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [mydomain.at][0x1][BE_REQ_USER][name=myADUser@mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=myADUser@mydomain.at]
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400): DP Request [Account #4]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): DP Request [Account #4]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/mydomain.at/myADUser@mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_set_domain] (0x0400): CR #0: Using domain [tk.mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [tk.mydomain.at] rules
(2020-11-18 9:10:00): [nss] [cache_req_search_send] (0x0400): CR #0: Looking up myADUser@tk.mydomain.at
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [myADUser@tk.mydomain.at]
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache] (0x0400): CR #0: [myADUser@tk.mydomain.at] is not present in negative cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@tk.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@tk.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_dp] (0x0400): CR #0: Looking up [myADUser@tk.mydomain.at] in data provider
(2020-11-18 9:10:00): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [tk.mydomain.at][0x1][BE_REQ_USER][name=myADUser@tk.mydomain.at:-]
==> /var/log/sssd/sssd_linux.mydomain.at.log <==
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=myADUser@tk.mydomain.at]
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): DP Request [Account #5]: New request. Flags [0x0001].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_attach_req] (0x0400): Number of active DP request: 1
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=myADUser))][cn=Default Trust View,cn=views,cn=accounts,dc=linux,dc=mydomain,dc=at].
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myADUser] to IPA server
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_search_by_name] (0x0400): No such entry
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_done] (0x0400): DP Request [Account #5]: Request handler finished [0]: Success
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [_dp_req_recv] (0x0400): DP Request [Account #5]: Receiving request data.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(2020-11-18 9:10:00): [be[linux.mydomain.at]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
==> /var/log/sssd/sssd_nss.log <==
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Looking up [myADUser@tk.mydomain.at] in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_cache] (0x0400): CR #0: Object [myADUser@tk.mydomain.at] was not found in cache
(2020-11-18 9:10:00): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #0: Adding [myADUser@tk.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/tk.mydomain.at/myADUser@tk.mydomain.at] to negative cache
(2020-11-18 9:10:00): [nss] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
(2020-11-18 9:10:00): [nss] [client_recv] (0x0200): Client disconnected!
On 18.11.20 09:20, Ronald Wimmer via FreeIPA-users wrote:
> After upgrading our IPA servers AD user resolution seems to have stopped working.
> id myADUser says: id: ‘myADUser’: no such user
It might have something to do with:
sssctl domain-status org.mydomain.at
Online status: Offline
But why is it seen as offline?
On 18.11.20 09:41, Ronald Wimmer via FreeIPA-users wrote:
> On 18.11.20 09:20, Ronald Wimmer via FreeIPA-users wrote:
>> After upgrading our IPA servers AD user resolution seems to have stopped working.
>> id myADUser says: id: ‘myADUser’: no such user
> It might have something to do with:
> sssctl domain-status org.mydomain.at
> Online status: Offline
> But why is it seen as offline?
./sssd_linux.mydomain.at.log:(2020-11-18 9:35:48): [be[linux.mydomain.at]] [fo_set_port_status] (0x0100): Marking port 389 of server 'somedomaincontroller.org.mydomain.at' as 'not working'
./sssd_linux.mydomain.at.log:(2020-11-18 9:35:48): [be[linux.mydomain.at]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'somedomaincontroller.org.mydomain.at' as 'not working'
On Wed, 18 Nov 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 18.11.20 09:20, Ronald Wimmer via FreeIPA-users wrote:
>> After upgrading our IPA servers AD user resolution seems to have stopped working.
>> id myADUser says: id: ‘myADUser’: no such user
> It might have something to do with:
> sssctl domain-status org.mydomain.at
> Online status: Offline
> But why is it seen as offline?
In your original log you can see that ipa_s2n requests return an error. Check SSSD logs on IPA masters that the client talks to. This all is covered at https://sssd.io/docs/users/troubleshooting.html#common-ipa-provider-issues
On 18.11.20 09:46, Alexander Bokovoy wrote:
> On Wed, 18 Nov 2020, Ronald Wimmer via FreeIPA-users wrote:
>> On 18.11.20 09:20, Ronald Wimmer via FreeIPA-users wrote:
>>> After upgrading our IPA servers AD user resolution seems to have stopped working.
>>> id myADUser says: id: ‘myADUser’: no such user
>> It might have something to do with:
>> sssctl domain-status org.mydomain.at
>> Online status: Offline
>> But why is it seen as offline?
> In your original log you can see that ipa_s2n requests return an error. Check SSSD logs on IPA masters that the client talks to. This all is covered at https://sssd.io/docs/users/troubleshooting.html#common-ipa-provider-issues
As it turned out I had to enable an encryption policy in order to allow the deprecated type RC4 for communication to AD.
This is done by issuing the command (on every 8.3 server that needs to communicate to AD) by:
update-crypto-policies --set DEFAULT:AD-SUPPORT
Details can be found in the Ootpa Release Notes: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/pdf...
Cheers, Ronald
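An added example, not part of the thread and not SSSD or FreeIPA code: a Python triage script for backend logs in the format quoted above. It separates entries even when they are run together on one line, ties each failed `ipa_s2n_exop_done` result to the name being looked up, and lists servers whose port failover marked as 'not working'. The names `triage` and `SAMPLE` are hypothetical, and the sample input is constructed from entries quoted in the thread.

```python
import re

# Zero-width split point at the start of every SSSD debug entry, so entries
# that were pasted onto one long line are still separated.
ENTRY_START = re.compile(r"(?=\(\d{4}-\d{2}-\d{2} +\d{1,2}:\d{2}:\d{2}\): \[)")
# (timestamp): [component] [function] (debug level): message
ENTRY = re.compile(
    r"\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)", re.S)
REQ = re.compile(r"Got request for \[0x[0-9a-fA-F]+\]\[\w+\]\[name=(?P<name>[^\]]+)\]")
S2N = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")
PORT = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")


def triage(text):
    """Summarise failed s2n lookups and failover markers in backend log text.

    Assumption: data provider requests do not interleave (the excerpt shows
    one active DP request at a time), so an ipa_s2n_exop_done entry belongs
    to the most recent dp_get_account_info_send entry.
    """
    current = None
    s2n_failures = []
    dead_ports = set()
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if not m or not m["comp"].startswith("be["):
            continue  # not a backend entry (e.g. [nss] responder lines)
        func, msg = m["func"], m["msg"]
        if func == "dp_get_account_info_send":
            r = REQ.search(msg)
            current = r["name"] if r else None
        elif func == "ipa_s2n_exop_done":
            r = S2N.search(msg)
            if r and int(r["code"]) != 0:  # 0 is LDAP success
                s2n_failures.append((current, int(r["code"]), r["text"].strip()))
        elif func == "fo_set_port_status":
            r = PORT.search(msg)  # "duplicate server" repeats are skipped
            if r:
                dead_ports.add((r["server"], int(r["port"])))
    domains = sorted({n.split("@", 1)[1] for n, _, _ in s2n_failures if n and "@" in n})
    return {"s2n_failures": s2n_failures, "failed_domains": domains,
            "dead_ports": sorted(dead_ports)}


# Constructed sample, assembled from entries quoted in the thread; the first
# three entries are deliberately run together on one line.
BE = "[be[linux.mydomain.at]]"
SAMPLE = (
    f"(2020-11-18 9:09:59): {BE} [dp_get_account_info_send] (0x0200): "
    "Got request for [0x1][BE_REQ_USER][name=myADUser@org.mydomain.at] "
    f"(2020-11-18 9:09:59): {BE} [ipa_s2n_exop_send] (0x0400): Executing extended operation "
    f"(2020-11-18 9:09:59): {BE} [ipa_s2n_exop_done] (0x0040): "
    "ldap_extended_operation result: No such object(32), (null).\n"
    f"(2020-11-18 9:09:59): {BE} [dp_get_account_info_send] (0x0200): "
    "Got request for [0x1][BE_REQ_USER][name=myADUser@linux.mydomain.at]\n"
    f"(2020-11-18 9:09:59): {BE} [sdap_search_user_process] (0x0400): "
    "Search for users, returned 0 results.\n"
    f"(2020-11-18 9:09:59): {BE} [dp_get_account_info_send] (0x0200): "
    "Got request for [0x1][BE_REQ_USER][name=myADUser@buero.mydomain.at]\n"
    f"(2020-11-18 9:10:00): {BE} [ipa_s2n_exop_done] (0x0040): "
    "ldap_extended_operation result: No such object(32), (null).\n"
    f"(2020-11-18 9:35:48): {BE} [fo_set_port_status] (0x0100): Marking port 389 of "
    "server 'somedomaincontroller.org.mydomain.at' as 'not working'\n"
    f"(2020-11-18 9:35:48): {BE} [fo_set_port_status] (0x0400): Marking port 389 of "
    "duplicate server 'somedomaincontroller.org.mydomain.at' as 'not working'\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, code, text in report["s2n_failures"]:
        print(f"s2n lookup failed for {name}: {text} ({code})")
    for server, port in report["dead_ports"]:
        print(f"failover marked {server}:{port} as not working")
```

Run it against the client's backend log; non-zero s2n results are the cue to read the SSSD logs on the IPA masters, as the reply in the thread advises.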