On 08/23/2013 11:09 AM, Chris Hartman wrote:
> On Fri, Aug 23, 2013 at 8:29 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
>> Do you run AD server in a trusted setup? Is it possible this group
>> comes from another AD domain?
>
> No. We have a single domain. No trusts or subdomains.
>
>> Can you check if searching the SID in the Global Catalog works
>> (just search port 3268)?
>>
>> # ldapsearch -H ldap://milkdud.TESTDOMAIN.local:3268 -Y GSSAPI -N -b "dc=testdomain,dc=local" \
>>     "(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
>
> Here are the results of that query:
>
> USER@HOST:~$ ldapsearch -H ldap://milkdud.TESTDOMAIN.local:3268 -Y GSSAPI -N -b "dc=testdomain,dc=local" \
>     "(&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))"
> SASL/GSSAPI authentication started
> SASL username: USER@TESTDOMAIN.LOCAL
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=wysu,dc=local> with scope subtree
> # filter: (&(objectSID=S-1-5-21-1779125721-235263668-3792523542-3663)(objectclass=group)(name=*))
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
>
> Also, I've actually not seen the original error in a few days and
> have failed to reproduce it the few times I tried just now, so
> perhaps this was a fluke? The only thing that has happened since
> then has been a reboot or two of each domain controller. No changes
> to AD or any of the SIDs in question. I'd be okay with shelving
> this issue until it rears its head again. If any curious party
> wants me to experiment some more, I'd be happy to oblige, I'll just
> need some direction because I'm stumped. Otherwise, I'll monitor
> the issue for a few more days and post back with one more follow up
> if I can't reproduce it.
My best guess here is that you might have had an entry with that SID
on one replica that wasn't syncing properly. Every once in a while,
SSSD would end up connected to that replica at login.
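The "one replica out of sync" hypothesis is testable: run the same objectSid lookup against every domain controller and see whether they agree. The Global Catalog query quoted above returned no entries at all (`numResponses: 1` is just the SearchResultDone), which is exactly the case where a per-DC comparison tells you more than a single query. The script below is an added example for this thread, not code from the mail or from SSSD. It encodes the textual SID into the binary form AD stores in `objectSid` and builds the RFC 4515 byte-escaped filter (the thread's command uses the `S-1-5-...` string, which AD also accepts, but the escaped form works against any directory), builds an `ldapsearch` argv per DC, and flags the DC whose answer differs from the majority. The host names, base DN and per-DC result lists are constructed for the demo; only the SID is taken from the thread.

```python
"""Compare what each domain controller returns for one objectSid.

Added example for this thread (not from the original mail or from SSSD).
Host names, base DN and the per-DC results below are constructed.
"""
import struct
from collections import Counter
from typing import Dict, List


def sid_to_bytes(sid: str) -> bytes:
    """Encode textual SID 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    if len(sub_auths) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    # revision (1 byte), sub-authority count (1 byte), identifier authority (6 bytes big-endian)
    head = struct.pack("<BB", revision, len(sub_auths)) + authority.to_bytes(6, "big")
    # every sub-authority, including the RID, is a 32-bit little-endian integer
    return head + b"".join(struct.pack("<I", s) for s in sub_auths)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes: binary objectSid back to 'S-1-...' text."""
    revision, count = struct.unpack("<BB", raw[:2])
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_filter(sid: str, objectclass: str = "group") -> str:
    """RFC 4515 search filter for an objectSid, each byte escaped as \\XX."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"(&(objectSid={escaped})(objectClass={objectclass}))"


def ldapsearch_argv(dc: str, base: str, sid: str, port: int = 3268) -> List[str]:
    """argv for the Global Catalog query from the thread, pointed at one DC (assumed host layout)."""
    return ["ldapsearch", "-H", f"ldap://{dc}:{port}", "-Y", "GSSAPI", "-N",
            "-b", base, sid_filter(sid), "objectSid", "name"]


def find_disagreeing_dcs(results: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map DC -> list of DNs it returned; report the DCs whose answer differs from the majority.

    On a tie the earliest-inserted answer wins, so feed the DCs in a fixed order.
    """
    votes = Counter(tuple(sorted(dns)) for dns in results.values())
    majority = votes.most_common(1)[0][0]
    return {dc: dns for dc, dns in results.items() if tuple(sorted(dns)) != majority}


# SID from the thread; the DC names and their answers are constructed:
# two replicas have no such group, one stale replica still has it.
THREAD_SID = "S-1-5-21-1779125721-235263668-3792523542-3663"
SAMPLE_RESULTS: Dict[str, List[str]] = {
    "dc1.example.test": [],
    "dc2.example.test": [],
    "dc3.example.test": ["CN=stale-group,OU=Groups,DC=example,DC=test"],
}

if __name__ == "__main__":
    print(sid_filter(THREAD_SID))
    for dc in SAMPLE_RESULTS:
        print(" ".join(ldapsearch_argv(dc, "dc=example,dc=test", THREAD_SID)))
    for dc, dns in find_disagreeing_dcs(SAMPLE_RESULTS).items():
        print(f"{dc} disagrees with the other DCs: {dns or 'no entry'}")
```

In practice you would run the printed `ldapsearch` command against each DC, collect the `dn:` lines into the per-DC lists, and hand them to `find_disagreeing_dcs`; a DC that alone returns (or alone lacks) the group is the replica to check with `repadmin /showrepl` or the equivalent on the Windows side.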