<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On 20 March 2017 at 19:38, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="m_-615112940159053003moz-cite-prefix">On 19.03.2017 22:58, Lachlan Musicman
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Hi,<br>
<br>
</div>
I've reported a bug against SSSD and Lukas has pointed to a
number of FreeIPA errors in our logs.<br>
</div>
<div>I can't find any information on how I might fix these
errors or what I might do to mitigate them. Any pointers
appreciated:<br>
<br>
</div>
First error:<br>
<div><br>
[sssd[be[unixdev.domain.org.au]]]
[ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
<br>
<br>
[sssd[be[unixdev.domain.org.au]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
attribute](16)[attribute 'member': no matching attribute value
while deleting attribute on 'name=ipa_bioinf_staff@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb']
<br>
<br>
[sssd[be[unixdev.domain.org.au]]]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected
error: [No such attribute] <br>
<br>
[sssd[be[unixdev.domain.org.au]]]
[sysdb_update_members_ex] (0x0020): Could not remove member [SimpsonLachlan@domain.org.au]
from group [name=ipa_bioinf_staff@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb].
Skipping<br>
<div>
<div><br>
<br>
<br>
</div>
<div>Second error is a long list of errors that look like<br>
<br>
<br>
[sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in
second component, got OU<br>
<br>
[sssd[be]] [get_ipa_groupname] (0x0020): Expected groups
second component, got Users<br>
<br>
<br>
</div>
<div>I don't know enough about AD to speak meaningfully to
these, but a quick google shows that a group can have
cn=Users as its second component (see here for example <a href="https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx" target="_blank">https://technet.microsoft.com/<wbr>en-us/library/dn579255%28v=ws.<wbr>11%29.aspx</a>
)<br>
<br>
</div>
<div>Is there an LDAP query that I need to define or add to
the IPA server?<br>
</div>
<div><br>
</div>
<div>cheers<br>
</div>
<div>L.<br>
</div>
</div></div></div></blockquote>
<br>
Hello,<br>
<br>
Can you describe your deployment more? Your DNs don't look like they were
created by FreeIPA.<br>
This is not how FreeIPA's DIT looks 'name=ipa_bioinf_staff@unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb'<br></div></blockquote><div><br></div><div><br>DNS isn't done by FreeIPA - it's all in AD. With a one-way trust and all users and groups managed by AD - except for overrides and external groups for HBAC - everything is in AD.<br><br></div><div>As for the FreeIPA DIT - that is a group created in FreeIPA (through the GUI iirc). I haven't done anything particularly special to make it look like that (with the domain inside the cn). Unless it's a strange confluence of configurations that has created a situation that would make that happen.<br><br></div><div>cheers<br></div><div>L.<br></div><div><br></div><div>So, wrt your question, what can I give you/what were you after?<br></div></div></div></div>