[Freeipa-users] Group membership not populated

Darren Poulson darren.poulson at genesys.com
Fri Nov 14 16:30:17 UTC 2014


Ok,

I've shoved them on pastebin. They were a bit big to put in a mailing list really.

ldap_child.log: http://pastebin.com/qGCZF4vK
sssd_nss.log: http://pastebin.com/gTBA8NEj
sssd_bur.us.genops.log: http://pastebin.com/ithUqb1z

I did see this in the sssd_nss.log:

(Fri Nov 14 16:09:34 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 17 error message: Init group lookup failed
(Fri Nov 14 16:09:34 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 17, Init group lookup failed
Will try to return what we have in cache
(Fri Nov 14 16:09:34 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:3:dpoulson at bur.us.genops]

Which pointed to this:

https://fedorahosted.org/sssd/ticket/2385

Which had similar symptoms but is related to AD.

Cheers,

Darren.




________________________________________
From: Jakub Hrozek [jhrozek at redhat.com]
Sent: 14 November 2014 15:57
To: Darren Poulson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Group membership not populated

On Fri, Nov 14, 2014 at 03:38:47PM +0000, Darren Poulson wrote:
>
> >
> > OK, if the user is a direct member of the groups and the groups are all
> > POSIX (=they all have a GID), then I would expect the group membership
> > to show all users.
> >
> > Can you try setting ldap_deref_threshold=0 and re-running the test? It
> > would also be best if you could remove the sssd cache first.
>
> Ok, I added that into a [povider/ldap] block, but no change to the behaviour. I even cleared cache, rebooted, and tried again just for a bit of overkill.
>
> ipausers isn't a posix group, but the rest are. I removed ipausers for that user to make sure that wasn't causing an issue.
>
>
>

OK, at this point I think we need to see the SSSD debug logs...

Can you put debug_level=7 to the [nss] and [domain] sections, remove the
cache, restart sssd and then run id? Then attach the contents of
/var/log/sssd/*.log ...
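
An added example, not part of the original thread or of SSSD's own tooling: a small triage script for debug logs like the sssd_nss.log excerpt quoted above. It folds unprefixed continuation lines into their entry and pulls out Data Provider replies with a nonzero error code; the function names are hypothetical and the sample input is the excerpt from the message.

```python
import re

# Constructed sample: the sssd_nss.log excerpt quoted in the message above.
SAMPLE = """\
(Fri Nov 14 16:09:34 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 17 error message: Init group lookup failed
(Fri Nov 14 16:09:34 2014) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 17, Init group lookup failed
Will try to return what we have in cache
(Fri Nov 14 16:09:34 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:3:dpoulson at bur.us.genops]
"""

# SSSD debug line layout: (timestamp) [process] [function] (0xLEVEL): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
                   r"\(0x(?P<level>[0-9a-fA-F]{4})\): (?P<msg>.*)$")
DP_REPLY = re.compile(r"DP error code: (\d+) errno: (\d+) error message: (.*)")
FAILURE_MAX = 0x0080  # 0x0010-0x0080 are SSSD's failure levels; higher bits are tracing


def parse_entries(text):
    """Split a log into entries, folding unprefixed lines into the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["level"] = int(e["level"], 16)
            entries.append(e)
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line.strip()
    return entries


def dp_failures(entries):
    """Return (timestamp, code, errno, message) for Data Provider replies with a nonzero code."""
    out = []
    for e in entries:
        m = DP_REPLY.search(e["msg"])
        if m and int(m.group(1)) != 0:  # assumption: any nonzero DP code is a failure
            out.append((e["ts"], int(m.group(1)), int(m.group(2)), m.group(3).strip()))
    return out


def failure_entries(entries):
    """Entries logged at a failure level, whatever debug_level produced the file."""
    return [e for e in entries if e["level"] <= FAILURE_MAX]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for ts, code, err, msg in dp_failures(parsed):
        print(f"{ts}: DP error {code}, errno {err}: {msg}")
    for e in failure_entries(parsed):
        print(f"{e['ts']} {e['proc']} {e['func']}: {e['msg'].splitlines()[0]}")
```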






