[Freeipa-users] Fedora 16 client not getting group names

Stephen Gallagher sgallagh at redhat.com
Mon Jan 30 15:11:26 UTC 2012


On Mon, 2012-01-30 at 10:02 -0500, Dan Scott wrote:
> On Mon, Jan 30, 2012 at 09:46, Stephen Gallagher <sgallagh at redhat.com> wrote:
> > On Mon, 2012-01-30 at 09:41 -0500, Dan Scott wrote:
> >> Hi,
> >>
> >> On Mon, Jan 30, 2012 at 08:19, Stephen Gallagher <sgallagh at redhat.com> wrote:
> >> > On Fri, 2012-01-27 at 15:00 -0500, Dan Scott wrote:
> >> >> On Fri, Jan 27, 2012 at 13:17, Stephen Gallagher <sgallagh at redhat.com> wrote:
> >> >> > On Fri, 2012-01-27 at 17:57 +0100, Jakub Hrozek wrote:
> >> >> >> On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher <sgallagh at redhat.com> wrote:
> >> >> >> > > On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote:
> >> >> >> > >> Hi,
> >> >> >> > >>
> >> >> >> > >> I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64.
> >> >> >> > >>
> >> >> >> > >> When I run, e.g. id djscott, I do not get the names of the groups:
> >> >> >> > >>
> >> >> >> > >> -bash-4.2$ id djscott
> >> >> >> > >> uid=768(djscott) gid=1002(legacy-group)
> >> >> >> > >> groups=1002(legacy-group),1134,1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> >> >> >> > >>
> >> >> >> > >> Is this because they have low GIDs? (These were migrated over from my
> >> >> >> > >> old FreeIPA 1 installation and I'd rather not re-number them all).
> >> >> >> > >>
> >> >> >> > >> Can someone help me to figure out how to retrieve the group names?
> >> >> >> > >> This is working fine on the Fedora 15 clients (sssd-1.5.x).
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > This looks to me like you didn't migrate all of the groups. GID 1002 and
> >> >> >> > > 789600001 are both reporting the names correctly, so clearly the client
> >> >> >> > > is able to access the FreeIPA server and retrieve groups.
> >> >> >> >
> >> >> >> > It's working fine with Fedora 15 clients, so I think that the groups
> >> >> >> > were migrated OK.
> >> >> >> >
> >> >> >> > > Please try the following and report the results:
> >> >> >> > >
> >> >> >> > > getent group 1134
> >> >> >> > >
> >> >> >> > > and also
> >> >> >> > > getent group <groupname>
> >> >> >> > >
> >> >> >> > > where <groupname> is the name that is SUPPOSED to match GID 1134.
> >> >> >> >
> >> >> >> > I've just realised that once I've manually looked up the group using
> >> >> >> > the name, the id command is 'fixed':
> >> >> >> >
> >> >> >> > [root@newton ~]# getent group 1134
> >> >> >> > [root@newton ~]# getent group svn-wfdb-swig-matlab
> >> >> >> > svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> >> >> >> > [root@newton ~]# getent group 1134
> >> >> >> > svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> >> >> >> > [root@newton ~]# id djscott
> >> >> >> > uid=768(djscott) gid=1002(legacy-group)
> >> >> >> > groups=1002(legacy-group),1134(svn-wfdb-swig-matlab),1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> >> >> >> >
> >> >> >> > The initial getent returned no data. But the group info seems OK once
> >> >> >> > I've done one lookup.
> >> >> >> >
> >> >> >>
> >> >> >> That's weird, id runs getgrgid() on each of the returned group GIDs
> >> >> >>
> >> >> >
> >> >> > I know what's going on here. It was a stupid glibc screw-up in Fedora
> >> >> > 16. Remove the line starting with "initgroups: " from
> >> >> > your /etc/nsswitch.conf file.
> >> >> >
> >> >> > See https://bugzilla.redhat.com/show_bug.cgi?id=751450 for more details.
> >> >>
> >> >> Thanks for the info, but I don't have that line in my nsswitch.conf
> >> >> file. These servers were upgraded from F15, and I can see the line in
> >> >> the /etc/nsswitch.conf.rpmnew files.
> >> >>
> >> >> Clearing the SSSD cache doesn't seem to have helped. I'm still getting
> >> >> the same problem. It's even reverted back to the original list of IDs.
> >> >> Only my primary group and 'ipausers' (the only one in the high ID
> >> >> range) show up properly.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Dan
> >> >
> >> > Are you running nscd by any chance? That could be interacting poorly.
> >>
> >> Nope, nscd isn't running.
> >>
> >> > Other than that, could you please set debug_level = 7 in your
> >> > [domain/DOMAINNAME] section of /etc/sssd/sssd.conf and restart SSSD?
> >> > Then try the 'id' command again and take a look
> >> > at /var/log/sssd/sssd_DOMAINNAME.log
> >>
> >> Log file is attached (email only to you, not the list). Possibly a
> >> problem with the keytab?
> >>
> >> Thanks,
> >>
> >> Dan



(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]]
[sdap_get_generic_ext_done] (6): Search result: Server is unwilling to
perform(53), Simple Paged Results Search already in progress on this
connection
(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]]
[sdap_get_generic_ext_done] (2): Unexpected result from ldap: Server is
unwilling to perform(53), Simple Paged Results Search already in
progress on this connection


You're hitting a 389 DS bug: https://fedorahosted.org/389/ticket/260

Re-adding the list (not including private data).
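
One way to check an SSSD domain log for the failure quoted above, as an added example that is not part of the original thread or of SSSD: it parses records in the layout shown in the excerpt, re-joins lines folded by a mail client, and counts non-success LDAP results. The function names and the final sample record are constructed for illustration.

```python
import re
from collections import Counter

# Record layout as it appears in the excerpt above:
#   (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
HEADER = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>\d+)\):\s+(?P<msg>.*)$")
# The two message forms quoted above: "<prefix>: <description>(<code>), <server text>"
RESULT = re.compile(
    r"^(?:Search result|Unexpected result from ldap):\s+.*?"
    r"\((?P<code>\d+)\),\s*(?P<detail>.*)$")
PAGED_BUSY = "Simple Paged Results Search already in progress"

def records(text):
    """Re-join folded lines (mail clients wrap them) and parse each backend record."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"\([A-Z][a-z]{2} [A-Z][a-z]{2} ", line):
            joined.append(line)            # starts with a "(Mon Jan ..." timestamp
        elif line and joined:
            joined[-1] += " " + line       # continuation of the previous record
    return [m.groupdict() for m in map(HEADER.match, joined) if m]

def ldap_errors(text):
    """Count non-success LDAP results per (domain, code, server text)."""
    counts, prev = Counter(), None
    for rec in records(text):
        m = RESULT.match(rec["msg"])
        cur = (rec["ts"], rec["func"], m["code"], m["detail"]) if m else None
        # The same failure is logged at two debug levels back to back: count it once.
        repeat, prev = (cur is not None and cur == prev), cur
        if m and m["code"] != "0" and not repeat:
            counts[(rec["domain"], int(m["code"]), m["detail"])] += 1
    return counts

def paged_search_collisions(text):
    return sum(n for (_, code, detail), n in ldap_errors(text).items()
               if code == 53 and PAGED_BUSY in detail)

# Records 1-2 are the excerpt above (the first still folded as mailed); record 3 is constructed.
SAMPLE = """\
(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]]
[sdap_get_generic_ext_done] (6): Search result: Server is unwilling to
perform(53), Simple Paged Results Search already in progress on this
connection
(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_done] (2): Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
(Mon Jan 30 09:59:47 2012) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_done] (6): Search result: Success(0), no errmsg set
"""
```

Pass the contents of /var/log/sssd/sssd_DOMAINNAME.log to `ldap_errors()` in place of `SAMPLE`; a non-zero `paged_search_collisions()` count points at the server-side paged-search failure rather than at the client's nsswitch or cache configuration.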