On Sun, Jan 09, 2022 at 04:39:14PM -0700, Orion Poplawski wrote:
> On 1/3/22 08:47, Sumit Bose wrote:
> > On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote:
> > > On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote:
> > > > On 12/29/21 13:48, sssd-users@lists.fedorahosted.org wrote:
> > > > > We have a particular machine that is having trouble resolving an AD group -
> > > > > "domain admins". The relevant log entries seem to be:
> > > > >
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain admins@ad.nwra.com] in cache
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_search_override_by_name] (0x0400): No user override found for name [domain admins@ad.nwra.com].
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
> > > > > (2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result.
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Object [domain admins@ad.nwra.com] was not found in cache
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #152: Adding [domain admins@ad.nwra.com] to negative cache
> > > > > (2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ad.nwra.com/domain admins@ad.nwra.com] to negative cache
> > > > > (2021-12-29 13:40:17): [nss] [cache_req_process_result] (0x0400): CR #152: Finished: Not found
> > > > > (2021-12-29 13:40:17): [nss] [sss_domain_get_state] (0x1000): Domain ad.nwra.com is Active
> > > > > (2021-12-29 13:40:17): [nss] [nss_protocol_done] (0x4000): Sending reply: not found
> > > > >
> > > > > On working systems we don't have the sysdb_getgrnam_with_views message. I'd rather not clear the sssd database. Is there anything else that can be done? 'sss_cache -g "domain admins"' does not help.
> > > > >
> > > > > We're using an IPA <-> AD trust.
> > > >
> > > > So, ldbsearch revealed:
> > > >
> > > > dn: name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
> > > > ...
> > > > ghost: template-admin@ad.nwra.com
> > > >
> > > > and:
> > > >
> > > > sss_cache -g 'domain admins@ad.nwra.com'
> > > >
> > > > did the trick of clearing that.
> > >
> > > As a followup - is it reasonable for sssd to return an empty group in this situation?
> >
> > Hi,
> >
> > are you using 'ignore_group_members = True' in sssd.conf?
> No.
Hi,

then I think SSSD should not return an empty group because applications
checking group members might get confused.

Is there something special about 'template-admin@ad.nwra.com'? Can you
resolve the user on IPA clients and servers? Does 'id
template-admin@ad.nwra.com' show all groups the user is a member of with
name and GID on IPA clients and servers or is sometimes a group name
missing and only the GID shown?

bye,
Sumit
> --
> Orion Poplawski
> he/him/his - surely the least important thing about me
> Manager of NWRA Technical Systems 720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane orion@nwra.com
> Boulder, CO 80301
> https://www.nwra.com/
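Added example, not part of the thread and not SSSD's own code: a small Python script that does what the ldbsearch step in the thread did by hand, for every group in a domain's cache at once. It parses the LDIF that ldbsearch prints for the cn=groups container of a cached domain, lists every group object that still carries ghost: attributes (the condition sysdb_getgrnam_with_views logs before returning an empty result), and prints the fully qualified 'sss_cache -g' invocation that cleared the entry here, since the short name did not. The embedded LDIF is constructed sample data (the GIDs and the second group are made up); the cache path /var/lib/sss/db/cache_<domain>.ldb and the ldbsearch command line are assumptions that match a default Fedora/RHEL install.

```python
#!/usr/bin/env python3
"""Find SSSD sysdb group entries that still carry unresolved 'ghost' members.

Added example, not from the sssd-users thread or the SSSD project. It parses
ldbsearch LDIF output for a domain's group container, reports groups that
still have `ghost:` attributes, and emits the fully qualified `sss_cache -g`
command that clears them. The LDIF below is constructed sample data; the
cache location and ldbsearch invocation are assumed defaults.
"""
import shlex
import subprocess
import sys
from typing import Dict, List

LDB_DIR = "/var/lib/sss/db"  # default SSSD cache directory (assumption)

# Constructed sample of what ldbsearch prints; GIDs and the second group are invented.
SAMPLE_LDIF = """\
# record 1
dn: name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
name: domain admins@ad.nwra.com
gidNumber: 1012800512
objectCategory: group
ghost: template-admin@ad.nwra.com
dataExpireTimestamp: 1640810417

# record 2
dn: name=linux users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
name: linux users@ad.nwra.com
gidNumber: 1012801234
objectCategory: group
member: name=someone@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
dataExpireTimestamp: 1640810417

# returned 2 records
# 2 entries
# 0 referrals
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into one {attribute: [values]} dict per entry.

    Skips '#' comment lines (ldbsearch record markers and trailer), splits
    entries on blank lines and unfolds continuation lines, which LDIF marks
    with a leading space. Base64 values ('attr:: ...') are kept undecoded.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    prev_attr = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, prev_attr = {}, None
            continue
        if line.startswith(" ") and prev_attr is not None:
            current[prev_attr][-1] += line[1:]  # folded value continues
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        prev_attr = attr
    if current:
        entries.append(current)
    return entries


def groups_with_ghosts(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each cached group that still has ghost members to those members.

    Only objects under a cn=groups container count; the sysdb stores
    trusted-domain groups under their fully qualified name, which is what
    the 'name' attribute holds.
    """
    found: Dict[str, List[str]] = {}
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if ",cn=groups," in dn and entry.get("ghost"):
            found[entry.get("name", [dn])[0]] = list(entry["ghost"])
    return found


def sss_cache_commands(group_names) -> List[str]:
    """Build one sss_cache invocation per group, with the fully qualified name quoted."""
    return [f"sss_cache -g {shlex.quote(name)}" for name in sorted(group_names)]


def dump_groups(domain: str) -> str:
    """Run ldbsearch on the domain's cache (needs root). Paths are assumptions."""
    cache = f"{LDB_DIR}/cache_{domain}.ldb"
    base = f"cn=groups,cn={domain},cn=sysdb"
    return subprocess.run(
        ["ldbsearch", "-H", cache, "-b", base, "(ghost=*)", "name", "ghost"],
        check=True, capture_output=True, text=True,
    ).stdout


def main(argv: List[str]) -> int:
    ldif = dump_groups(argv[1]) if len(argv) > 1 else SAMPLE_LDIF
    ghosts = groups_with_ghosts(parse_ldif(ldif))
    if not ghosts:
        print("no cached groups with ghost entries")
        return 0
    for group, members in ghosts.items():
        print(f"{group}: unresolved ghost member(s) {', '.join(members)}")
    print("# to clear them:")
    print("\n".join(sss_cache_commands(ghosts)))
    return 1  # non-zero so the script doubles as a health check


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to exercise the embedded sample; run it as root with the domain name (here ad.nwra.com) on the affected client to scan the real cache. It exits 1 while ghost entries remain, so it can be wired into a check that fires before users start seeing empty groups.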