[Freeipa-users] ID Views without AD

Sumit Bose sbose at redhat.com
Thu Feb 18 10:26:58 UTC 2016


On Tue, Feb 16, 2016 at 04:23:10PM +0000, Mike Kelly wrote:
> > > Thanks. Here's what is hopefully the relevant lines:
> >
> > I'm sorry, but these logs only capture how the original entry was
> > searched, not the overrides. Can you capture the full logs since the sssd
> > startup? Also please make sure the cache was invalidated prior to the
> > request with sss_cache -E.
> 
> Attached are the full logs since a restart of sssd.

Thank you, the logs helped. The IPA client reads the idview at startup
time either from the cache or the IPA server. Since there is of course
no idview name saved in the cache of your client, the name must be looked
up from the server. The lookup of the idview name is part of the request
which reads other data about the IPA domain and possible trusted
domains. Unfortunately the current code expects that e.g. the domain SID
of the IPA domain is defined before it proceeds to read the idview.

This is of course a bug and I will try to fix it. If you would like to
try a work-around you can call ipa-adtrust-install on one of your IPA
servers. This will create the needed data on the server. It is
sufficient to call it on one server because the data will be replicated
to the other servers, and since you currently do not plan to add a trust to
an AD domain, you do not have to prepare additional services on other
servers (with FreeIPA-4.2 this wouldn't even be necessary if you plan to
add a trust).

If you can wait a day or two I'd be happy to prepare an SSSD test build
with a fix.

bye,
Sumit

> 
> I ran these commands:
> 
> systemctl stop sssd
> 
> echo '----MARK----' >> /var/log/sssd/sssd_home.pioto.org.log # so I could
> mark where the restart happened
> 
> sss_cache -E
> 
> systemctl start sssd
> 
> sss_cache -E
> 
> id pioto
> 
> ----
> 
> I still don't see the override being applied. Possibly because of this line?
> 
> (Tue Feb 16 11:12:27 2016) [sssd[be[home.pioto.org]]]
> [ipa_get_ad_override_send]
> (0x4000): View not defined, nothing to do.
> 
> So, I get the feeling that, for whatever reason, sssd isn't correctly
> deciding that my id view applies to this host, or just isn't looking it up?
> 
> Is there possibly some sort of extra configuration that I've missed to tell
> SSSD to apply these views? From what I can tell, it should just pick these
> up out of the box, from the configuration built by ipa-client-install...?