On Fri, Jul 02, 2021 at 02:32:19PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 01.07.21 18:00, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > > > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > > Today I set up an IPA test web application in our IPA test
> > > > > environment. I figured out that my AD user was resolved but the
> > > > > user of my colleague was not. (getent passwd userA/userB)
> > > > >
> > > > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*'
> > > > > and started SSSD again. After that I could not resolve any AD user.
> > > > > The sssd logs showed a Network I/O error:
> > > > >
> > > > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), Failed to handle the request.
> > > > > .
> > > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs might contain more details.
> > > >
> > > > Hi,
> > > >
> > > > you should check on the IPA servers if the users and all the
> > > > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > > > should display the user and all its groups with both name and ID. If
> > > > some groups are only listed by GID you should check why the IPA server
> > > > cannot resolve the name.
> > >
> > > Resolving the users on an IPA server works properly.
> >
> > Hi,
> >
> > I'm afraid in this case you should point the client to a dedicated
> > server and check the SSSD nss logs for issues while the client is
> > sending the request to the server. If this does not give a hint then
> > enabling plugin debugging in the 389ds LDAP server might help.
>
> (2021-07-02 14:25:45): [nss] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/someaddomain.mydomain.at/myadu...@someaddomain.mydomain.at]
> (2021-07-02 14:25:45): [nss] [cache_req_search_ncache] (0x0400): CR #2: [myadu...@someaddomain.mydomain.at] is not present in negative cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: Looking up [myadu...@someaddomain.mydomain.at] in cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: Object [myadu...@someaddomain.mydomain.at] was not found in cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: Looking up [myadu...@someaddomain.mydomain.at] in data provider
> (2021-07-02 14:25:45): [nss] [sss_dp_get_account_send] (0x0400): Creating request for [someaddomain.mydomain.at][0x1][BE_REQ_USER][name=myadu...@someaddomain.mydomain.at:-]
> (2021-07-02 14:25:49): [nss] [sbus_dispatch] (0x4000): Dispatching.
> (2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0040): CR #2: Data Provider Error: 3, 17, File exists
> (2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0400): CR #2: Due to an error we will return cached data
>
> (2021-07-02 14:25:29): [be[ipatest.mydomain.at]] [server_setup] (0x0040): Starting with debug level = 0x0070
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group] (0x0040): sysdb_add_group failed (while renaming group) for: myadu...@someaddomain.mydomain.at [1073895519].
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group] (0x0040): Cache update failed: 17
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_save_objects] (0x0040): sysdb_store_group failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_next] (0x0040): ipa_s2n_get_list_save_step failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [17]: File exists.
> (2021-07-02 14:25:55): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (2021-07-02 14:26:01): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (2021-07-02 14:26:07): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
>
> What is this error no. 17 "file exists"?

Hi,

it looks like SSSD tries to add the primary group of the user to the
cache directly but a group with the same name already exists. Can you
send the full domain logs covering this request?

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
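
Added example, not part of the original thread and not SSSD code: a small Python parser for the backend log format quoted above that groups the failure lines of one request and reports which function logged the error first, which one reported it last, and the error code carried. The sample lines, the placeholder domain and user names, and the cut-off level 0x0080 are assumptions made for this illustration.

```python
import re
from itertools import groupby

# Constructed sample modelled on the backend log quoted in the thread;
# domain and user names are placeholders.
SAMPLE_LOG = """\
(2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: Looking up [user@ad.example] in data provider
(2021-07-02 14:25:49): [be[ipa.example]] [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipa.example]] [sysdb_store_new_group] (0x0040): sysdb_add_group failed (while renaming group) for: user@ad.example [1073895519].
(2021-07-02 14:25:49): [be[ipa.example]] [sysdb_store_group] (0x0040): Cache update failed: 17
(2021-07-02 14:25:49): [be[ipa.example]] [ipa_s2n_save_objects] (0x0040): sysdb_store_group failed.
(2021-07-02 14:25:49): [be[ipa.example]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [17]: File exists.
(2021-07-02 14:25:55): [be[ipa.example]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Error-code spellings seen in the quoted lines: "Error: 17 (", "failed: 17", "[17]: ".
ERRNO_RE = re.compile(r"Error: (\d+) \(|failed: (\d+)$|\[(\d+)\]: ")


def failure_chains(text, max_level=0x0080):
    """Group consecutive failure lines that share timestamp and component."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        # Assumption: levels up to 0x0080 are failures, higher ones are tracing.
        if m and int(m["level"], 16) <= max_level:
            entries.append(m.groupdict())
    chains = []
    for (ts, comp), group in groupby(entries, key=lambda e: (e["ts"], e["comp"])):
        group = list(group)
        codes = [int(next(g for g in m.groups() if g))
                 for e in group if (m := ERRNO_RE.search(e["msg"]))]
        chains.append({
            "ts": ts, "component": comp,
            "origin": group[0]["func"],     # first function to log the failure
            "surfaced": group[-1]["func"],  # last function to report it upward
            "errno": codes[0] if codes else None,
        })
    return chains


if __name__ == "__main__":
    for chain in failure_chains(SAMPLE_LOG):
        print(chain)
```

On the sample, the 14:25:49 chain starts in sysdb_set_cache_entry_attr with code 17, which places the failure in the local cache write rather than in the LDAP extended operation.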