On 12/29/21 13:48, sssd-users(a)lists.fedorahosted.org wrote:
We have a particular machine that is having trouble resolving an AD
group -
"domain admins". The relevant log entries seem to be:
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152:
Looking up [domain admins(a)ad.nwra.com] in cache
(2021-12-29 13:40:17): [nss] [sysdb_search_override_by_name] (0x0400): No user
override found for name [domain admins(a)ad.nwra.com].
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group
object [name=domain admins(a)ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb],
contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning
empty result.
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152:
Object [domain admins(a)ad.nwra.com] was not found in cache
(2021-12-29 13:40:17): [nss] [cache_req_search_ncache_add_to_domain] (0x0400):
CR #152: Adding [domain admins(a)ad.nwra.com] to negative cache
(2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding
[
NCE/GROUP/ad.nwra.com/domain admins(a)ad.nwra.com] to negative cache
(2021-12-29 13:40:17): [nss] [cache_req_process_result] (0x0400): CR #152:
Finished: Not found
(2021-12-29 13:40:17): [nss] [sss_domain_get_state] (0x1000): Domain
ad.nwra.com is Active
(2021-12-29 13:40:17): [nss] [nss_protocol_done] (0x4000): Sending reply: not
found
on working systems we don't have the sysdb_getgrnam_with_views message. I'd
rather not clear the sssd database. Is there anything else that can be done?
'sss_cache -g "domain admins"' does not help.
We're using an IPA <-> AD trust.
So, ldbsearch revealed:
dn: name=domain admins(a)ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
...
ghost: template-admin(a)ad.nwra.com
and:
sss_cache -g 'domain admins(a)ad.nwra.com'
did the trick of clearing that.
--
Orion Poplawski
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/