[Freeipa-users] problems with netgroups cached values

Natxo Asenjo natxo.asenjo at gmail.com
Mon Jan 7 11:48:54 UTC 2013


On Mon, Jan 7, 2013 at 12:18 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
> How could I troubleshoot this?

I have upped the debugging on sssd.conf

debug_level = 9

and reloaded sssd.

When I run

# getent netgroup nagios
nagios

[root@ipaclient01 ~]# grep -i nagios /var/log/sssd/*.log
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:37 2013) [sssd[be[unix.domain.tld]]] [be_get_account_info] (0x0100): Got request for [4100][1][name=nagios]
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=nagios)(objectclass=ipaNisNetgroup))][cn=ng,cn=alt,dc=unix,dc=domain,dc=tld].
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [sdap_parse_entry] (0x4000): OriginalDN: [cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld].
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(memberOf=cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld))(objectclass=ipaHost))][cn=accounts,dc=unix,dc=domain,dc=tld].
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x2000): Storing netgroup nagios
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x1000): Adding original DN [cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld] to attributes of [nagios].
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x2000): No netgroup triples for netgroup [nagios].
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x1000): No original members for netgroup [nagios]
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x1000): No members for netgroup [nagios]
/var/log/sssd/sssd_unix.domain.tld.log:(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x0400): Storing info for netgroup nagios

But when searching ldap directly:

$ ldapsearch -h kdc01.unix.domain.tld -b "dc=unix,dc=domain,dc=tld" "(cn=nagios)" -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: jose.admin@unix.domain.tld
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=unix,dc=domain,dc=tld> with scope subtree
# filter: (cn=nagios)
# requesting: ALL
#

# nagios, ng, compat, unix.domain.tld
dn: cn=nagios,cn=ng,cn=compat,dc=unix,dc=domain,dc=tld
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (solr01.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (mrepo.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (radius01.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (kdc02.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (kdc01.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (ipaclient01.unix.domain.tld,-,unix.domain.tld)
cn: nagios

# nagios, hostgroups, accounts, unix.domain.tld
dn: cn=nagios,cn=hostgroups,cn=accounts,dc=unix,dc=domain,dc=tld
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
objectClass: mepOriginEntry
cn: nagios
description: members of this hostgroup get cfengine policy to install the nagi
 os agent and the snmp server
ipaUniqueID: 4b95dbea-3e27-11e2-b9f4-005056806151
memberOf: cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld
mepManagedEntry: cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld
member: fqdn=solr01.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld
member: fqdn=mrepo.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld
member: fqdn=radius01.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld
member: fqdn=kdc02.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld
member: fqdn=kdc01.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld
member: fqdn=ipaclient01.unix.domain.tld,cn=computers,cn=accounts,dc=unix,dc=domain,dc=tld

# nagios, ng, alt, unix.domain.tld
dn: cn=nagios,cn=ng,cn=alt,dc=unix,dc=domain,dc=tld
objectClass: ipanisnetgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: ipaAssociation
objectClass: top
nisDomainName: unix.domain.tld
cn: nagios
memberHost: cn=nagios,cn=hostgroups,cn=accounts,dc=unix,dc=domain,dc=tld
description: ipaNetgroup nagios
mepManagedBy: cn=nagios,cn=hostgroups,cn=accounts,dc=unix,dc=domain,dc=tld
ipaUniqueID: 4b97c932-3e27-11e2-b9f4-005056806151

# search result
search: 4
result: 0 Success

So the values are there. After the cache times out, I get results with
getent netgroup.

Any clues as to how to prevent this?

TIA,
-- 
natxo
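
Added example, not part of the original post and not SSSD or FreeIPA code: a Python cross-check of the two observations above, the backend log reporting "No netgroup triples" for a netgroup whose compat-tree entry lists them. The sample log and LDIF are constructed from the lines quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the sssd log lines and LDIF quoted in the post.
SSSD_LOG = """\
(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x2000): Storing netgroup nagios
(Mon Jan  7 12:27:38 2013) [sssd[be[unix.domain.tld]]] [ipa_save_netgroup] (0x2000): No netgroup triples for netgroup [nagios].
"""
LDIF = """\
dn: cn=nagios,cn=ng,cn=compat,dc=unix,dc=domain,dc=tld
objectClass: nisNetgroup
nisNetgroupTriple: (solr01.unix.domain.tld,-,unix.domain.tld)
nisNetgroupTriple: (kdc01.unix.domain.tld,-,unix.domain.tld)
cn: nagios

dn: cn=nagios,cn=hostgroups,cn=accounts,dc=unix,dc=domain,dc=tld
objectClass: ipahostgroup
cn: nagios
"""
SAVE_RE = re.compile(r"\[ipa_save_netgroup\] \(0x[0-9a-fA-F]+\): (.*)$", re.M)

def netgroups_saved_empty(log_text):
    """Netgroups the backend stored while logging 'No netgroup triples'."""
    stored, empty = set(), set()
    for msg in SAVE_RE.findall(log_text):
        if s := re.match(r"Storing netgroup (\S+)", msg):
            stored.add(s.group(1))
        elif e := re.match(r"No netgroup triples for netgroup \[([^\]]+)\]", msg):
            empty.add(e.group(1))
    return stored & empty

def compat_triples(ldif_text):
    """Map cn -> [(host, user, domain)] for nisNetgroup entries only."""
    out = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        entry = entry.replace("\n ", "")  # unfold LDIF continuation lines
        attrs = [l.split(": ", 1) for l in entry.splitlines() if ": " in l and l[0] != "#"]
        classes = {v.lower() for k, v in attrs if k.lower() == "objectclass"}
        cn = next((v for k, v in attrs if k == "cn"), None)
        if cn and "nisnetgroup" in classes:
            out[cn] = [tuple(v.strip("()").split(","))
                       for k, v in attrs if k == "nisNetgroupTriple"]
    return out

def cached_empty_but_populated(log_text, ldif_text):
    """Netgroups sssd saved without triples although the directory has some."""
    directory = compat_triples(ldif_text)
    return sorted(n for n in netgroups_saved_empty(log_text) if directory.get(n))

if __name__ == "__main__":
    print(cached_empty_but_populated(SSSD_LOG, LDIF))
```

Hostgroup and ipaNisNetgroup entries that share the same cn are skipped, so only the nisNetgroup entry's triples are compared against the log.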
