Hello everybody,
I have an issue with listing the AD users that are part of the Default Trust View (all users have the UID overridden) from an IPA client which is running sssd 2.2.3. The same setup works properly on Ubuntu systems with sssd 1.16.1 and on IdM servers with sssd version 2.4.0. I have enabled all tracing on the clients and it seems that the issue is when it tries to write the cache:
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User test_user@example.com does not exist.
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named test_user@example.com already exists in an MPG domain
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17 (File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache update failed: 17
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects] (0x0040): sysdb_delete_group failed for MPG group [2]: No such file or directory
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
The query works properly for trust users which do not have the UID overridden. getent group works properly but getent passwd does not display anything.
I am at a point where I am clueless, therefore any hint/suggestion would be really appreciated. I have posted the issue on the freeipa-users list as well, but I thought that, being an sssd issue, it is maybe more appropriate to have it here.
Am Thu, Jun 17, 2021 at 01:59:13PM -0000 schrieb iulian roman:
> Hello everybody,
> I have an issue with listing the AD users that are part of the Default Trust View (all users have the UID overridden) from an IPA client which is running sssd 2.2.3. The same setup works properly on Ubuntu systems with sssd 1.16.1 and on IdM servers with sssd version 2.4.0. I have enabled all tracing on the clients and it seems that the issue is when it tries to write the cache:
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User test_user@example.com does not exist.
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named test_user@example.com already exists in an MPG domain
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17 (File exists)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid] (0x0400): No such entry
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache update failed: 17
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects] (0x0040): sysdb_delete_group failed for MPG group [2]: No such file or directory
> (Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
> The query works properly for trust users which do not have the UID overridden. getent group works properly but getent passwd does not display anything.
Hi,
I'm sorry I didn't reply in time on the freeipa-users list. From the log snippet it looks like you have overwritten a user or a group name so that a user and a group will have the same name. This does not work with the idrange type 'ipa-ad-trust', where UIDs and GIDs are generated automatically and a "user-private-group" is created on the fly. This "user-private-group" is the primary group of the user and will have the same name as the user, and the GID is numerically the same as the UID of the user. This means we restrict the name and ID space, which are typically independent on the Linux/UNIX/Posix side. This works fine with AD and automatic ID generation because on AD users and groups are using the same name and ID space as well.
For id-overrides these restrictions must be observed as well.
With very recent versions of FreeIPA and SSSD the primary group can be configured more flexibly, see https://pagure.io/freeipa/issue/8807 and https://github.com/SSSD/sssd/issues/4216 for more details. But the related patches might not be available on all platforms.
HTH
bye, Sumit
> I am at a point where I am clueless, therefore any hint/suggestion would be really appreciated. I have posted the issue on the freeipa-users list as well, but I thought that, being an sssd issue, it is maybe more appropriate to have it here.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi Sumit,
Thank you for the answer. The same setup works without issues on all Ubuntu 18.04 systems with sssd 1.16.1. I overwrite only the UID and the primary GID is generated automatically by IPA (a long number). The problem is with Ubuntu 20 and sssd 2.2.3, therefore I cannot enrol any Ubuntu 20 systems. I ended up with a non-functional setup and I have no clue what/where to change anything in order to have it working for both versions of Ubuntu and sssd. Any help would be really appreciated.
Am Fri, Jun 18, 2021 at 07:56:04AM -0000 schrieb iulian roman:
> Hi Sumit,
> Thank you for the answer. The same setup works without issues on all Ubuntu 18.04 systems with sssd 1.16.1. I overwrite only the UID and the primary GID is generated automatically by IPA (a long number). The problem is with Ubuntu 20 and sssd 2.2.3, therefore I cannot enrol any Ubuntu 20 systems. I ended up with a non-functional setup and
Hi,
can you do the following on this client:
- add 'debug_level = 9' at least to the [nss] and [domain/...] sections of sssd.conf (you might already have this)
- restart SSSD with an empty cache, e.g. sssctl cache-remove -ops
- lookup the user: getent passwd user_with_override@ad.domain
  I guess this should fail and return nothing
- send me the SSSD logs
bye, Sumit
> I have no clue what/where to change anything in order to have it working for both versions of Ubuntu and sssd. Any help would be really appreciated.
Am Fri, Jun 18, 2021 at 01:16:30PM -0000 schrieb iulian roman:
> Where can I upload the logs?
Hi,
if you do not want to send them here, feel free to send them to me directly.
bye, Sumit
Am Fri, Jun 18, 2021 at 07:55:32PM -0000 schrieb iulian roman:
> > Am Fri, Jun 18, 2021 at 01:16:30PM -0000 schrieb iulian roman:
> > Hi,
> > if you do not want to send them here, feel free to send them to me directly.
> Hi Sumit,
> I have sent the logs to your email. They were quite big to attach here.
Hi,
thank you for the logs, they helped me to understand the setup better.
If I understand it correctly, you are letting IPA/SSSD automatically assign UIDs and GIDs to AD users and groups and then created an id-override for a user where only the UID is set to a different value.
This in fact might be a scenario we currently didn't cover properly. The id-overrides were introduced as a tool to facilitate migrations, and we used various use-cases/user-stories for testing since the overall possibilities with id-overrides are quite large. For the automatic ID assignment we thought that for legacy systems which still depend on old UIDs and GIDs both must be changed. This should also show a possible workaround.
If you add a GID to the user override as well, which is either the GID of an existing AD group or the overridden one from a group override, the client should be able to resolve the user as well.
HTH
bye, Sumit
> Hi Sumit,
> They are
Hi Sumit,
Initially I tried to override both the UID and GID of the Active Directory users in the Default Trust View. Due to the fact that I did not have a group name for the GID in Active Directory, I had to remove the GID override. All works properly with sssd client version 1.16.1 and sssd client 2.4.0 in IPA server mode, but not with sssd 2.2.3, as I mentioned already.
Now, I tried to override the GID in the Default Trust View, User Groups section, but I get the following error: "invalid 'identifier': You are trying to reference a magic private group which is not allowed to be overridden. Try overriding the GID attribute of the corresponding user instead.". If I override the GID in the user section, it will stop working on all clients due to the fact that in AD I do not have a group name for that GID.
Any idea or workaround I can use ?
Thank You !
Quick update regarding the GID override. If I override the GID (and the group name does not exist in AD for that GID), I can make the sssd client (both versions) work ONLY if I run getent group <group_name> manually. I cannot do that for hundreds of users and thousands of servers (especially when the infrastructure is quite dynamic), therefore I would need an acceptable compromise, which eventually can be automated.
Am Tue, Jun 22, 2021 at 03:22:33PM -0000 schrieb iulian roman:
> Quick update regarding the GID override. If I override the GID (and the group name does not exist in AD for that GID), I can make the
Hi,
yes, it is required that the GID can be resolved to a name, so there either must be a group with this GID or the GID must be set in a group id-override.
bye, Sumit
> sssd client (both versions) work ONLY if I run getent group <group_name> manually. I cannot do that for hundreds of users and thousands of servers (especially when the infrastructure is quite dynamic), therefore I would need an acceptable compromise, which eventually can be automated.
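An added audit helper, not part of this thread and not FreeIPA or SSSD code: it encodes the two constraints Sumit states above (a user override that changes only the UID, the case that broke lookups on the sssd 2.2.3 client, and the requirement that an overridden GID resolve to a name through either an existing AD group or a group id-override) and checks a set of Default Trust View overrides against them before clients are enrolled. All group names, user names, UIDs and GIDs in it are constructed sample data, and the assumed `fixed_override` helper shows the workaround of adding a resolvable GID to a UID-only override.

```python
"""Audit AD-user id-overrides for the primary-group constraints discussed in the
thread.  Constructed example for this page, not FreeIPA or SSSD code; every
name, UID and GID below is made up."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Group:
    """A group the client can resolve to a name: an AD group with its
    auto-assigned GID, or a group id-override carrying a chosen GID."""
    name: str
    gid: int


@dataclass(frozen=True)
class UserOverride:
    """A user id-override in a view such as 'Default Trust View'.
    None means the attribute is not overridden."""
    name: str
    uid: Optional[int] = None
    gid: Optional[int] = None


def gid_table(ad_groups: Sequence[Group], group_overrides: Sequence[Group]) -> Dict[int, str]:
    """Map GID -> group name for every GID the client can resolve.
    A group override adds its GID on top of the group's auto-assigned one."""
    table = {g.gid: g.name for g in ad_groups}
    table.update({g.gid: g.name for g in group_overrides})
    return table


def audit_override(ov: UserOverride, gids: Dict[int, str]) -> List[str]:
    """Return the problems found for one user override; empty when it is clean.

    Rule 1: with automatic ID assignment (idrange type ipa-ad-trust) the
            primary group is a user-private group named like the user with
            GID == UID.  Overriding only the UID is the scenario that failed
            on the sssd 2.2.3 client in the thread, so it is flagged.
    Rule 2: an overridden GID must resolve to a name, i.e. be the GID of an
            existing AD group or a GID set in a group id-override.
    """
    findings: List[str] = []
    if ov.uid is not None and ov.gid is None:
        findings.append(
            f"{ov.name}: UID overridden to {ov.uid} but GID left to the "
            "user-private group; add a resolvable GID override as well")
    if ov.gid is not None and ov.gid not in gids:
        findings.append(
            f"{ov.name}: GID {ov.gid} resolves to no AD group and no group override")
    return findings


def audit_view(overrides: Sequence[UserOverride], ad_groups: Sequence[Group],
               group_overrides: Sequence[Group]) -> Dict[str, List[str]]:
    """Audit every user override of a view; keys are user names."""
    gids = gid_table(ad_groups, group_overrides)
    return {ov.name: audit_override(ov, gids) for ov in overrides}


def fixed_override(ov: UserOverride, gid: int) -> UserOverride:
    """The workaround from the thread (hypothetical helper): keep the UID
    override and add a GID that the client can resolve to a name."""
    return replace(ov, gid=gid)


# Constructed sample data, not taken from the thread.
AD_GROUPS = [Group("linux-admins@ad.example.test", 1934800513)]     # auto-assigned GID
GROUP_OVERRIDES = [Group("linux-admins@ad.example.test", 10513)]    # GID set in a group override
USER_OVERRIDES = [
    UserOverride("alice@ad.example.test", uid=10001),               # rule 1: UID only
    UserOverride("bob@ad.example.test", uid=10002, gid=99999),      # rule 2: GID resolves nowhere
    UserOverride("carol@ad.example.test", uid=10003, gid=10513),    # clean: GID from group override
    UserOverride("dave@ad.example.test"),                           # clean: nothing overridden
]


if __name__ == "__main__":
    for name, problems in audit_view(USER_OVERRIDES, AD_GROUPS, GROUP_OVERRIDES).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
    repaired = fixed_override(USER_OVERRIDES[0], 10513)
    print("after workaround:", audit_override(repaired, gid_table(AD_GROUPS, GROUP_OVERRIDES)))
```

Run it against an export of the real view (for instance the output of the ipa idoverrideuser-find and ipa idoverridegroup-find commands, parsed into the two dataclasses) to find the overrides that need a GID added before rolling out clients with the affected sssd version.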
I forgot to mention that on the IdM server (version 4.8.7) with sssd 2.4.0 the getent and id queries work, no matter how and what I override in the Default Trust View.