[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Jakub Hrozek jhrozek at redhat.com
Wed Jul 13 06:37:44 UTC 2016


On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote:
> On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote:
> > Justin,
> > 
> > I really appreciate you taking the time to respond to me.  This problem
> > is driving me crazy and I will certainly take any help I can get. My
> > suspicion is that the external user group in the policy below was
> > causing the log entry you specified, removing it from the policy does
> > not remediate the problem, even after flushing the client cache.
> > 
> > The way I have this setup is as follows:
> > 
> > 1) I created a POSIX group in IPA named
> > 'cri-cri_server_administrators_ipa' and allowed IPA to assign the GID.
> > 2) I created an external group in IPA named
> > 'cri-cri_server_administrators_external' and added the AD group in the
> > trusted domain as an external member to this group
> > (cri-cri_server_administrators at bsdad.uchicago.edu).
> > 3) I added the group 'cri-cri_server_administrators_external' as a
> > member of 'cri-cri_server_administrators_ipa'
> > 
> > The HBAC rule is configured as (removing the external group does not
> > seem to make a difference).
> > 
> > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> >  Rule name: cri-cri_server_administrators_allow_all
> >  Host category: all
> >  Service category: all
> >  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> >  Enabled: TRUE
> >  User Groups: cri-cri_server_administrators_external, cri-cri_server_administrators_ipa
> > [root at cri-ksysipadcp2 a.cri.dsullivan]#
> > 
> > For example, the problem still persists when the policy is configured in this manner:
> > 
> > [root at cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
> >  Rule name: cri-cri_server_administrators_allow_all
> >  Host category: all
> >  Service category: all
> >  Description: Allow anyone in cri-cri_server_administrators at bsdad.uchicago.edu to login to any machine
> >  Enabled: TRUE
> >  User Groups: cri-cri_server_administrators_ipa
> > 
> > And my login validates against the host in question as follows:
> > 
> > As I said, I have this working consistently (i.e. I can flush the cache) on
> > another host with the same exact version of IPA and SSSD.  Here is a
> > validation of hbactest (works with either of the two policy
> > configurations above).
> I think your problems are related to this snippet of your domain log,
> where SSSD on the IPA client was unable to add membership of your user to
> any of these groups:
> 
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [get_groups_dns] (0x0400): Root domain uses fully-qualified names,
> objects might not be correctly added to groups with short names.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [get_groups_dns] (0x0400): Root domain uses fully-qualified names,
> objects might not be correctly added to groups with short names.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> a.cri.dsullivan at bsdad.uchicago.edu
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_sms_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_cvs_repository at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-active_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-bard04 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_developers at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=aaa$
> dma at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=a.cri.dsullivan at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_teleform_admins_prod at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_isilon_share at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-galaxy_web_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-hpc_allusers at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-all_users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-smaug03 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-azog04 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-kraig_nas at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-cri_server_administrators_ipa,cn=groups,cn=ipa.cri.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_git_repository at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_asap_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-treebeard03 at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=domain
> users at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group [name=bsd$
> a.acct at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=adm-dd-priv at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=psm-sms at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-all_groups at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaagroup at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-hpc_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_prodshop_loads at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-vandrogelen_nas at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-centrify_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_workflowgen_uat_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_psom_redmine_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-galaxy_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-dan_sullivan at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=aaa-gpo-admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-dssg_lab at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-backup_admins at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-cri_server_administrators at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-aaa_teleform_admins_uat at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> (Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]]
> [sysdb_update_members_ex] (0x0020): Could not add member
> [a.cri.dsullivan at bsdad.uchicago.edu] to group
> [name=cri-training at bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb].
> Skipping.
> 
> As a result, the user is viewed by SSSD on this IPA client as not
> belonging to the cri-cri_server_administrators at bsdad.uchicago.edu group
> and thus HBAC rule validation on this client fails.

First, we have some debug messages in this part of sssd that can really
use some improvement. That is, some debug messages are expected to
report failures and we recover from them later.

But in general Alexander is right. Does 'id
a.cri.dsullivan at bsdad.uchicago.edu' report the user as a member of the
group that should be allowing access?

If not, I would suggest running:
    1) sss_cache -E on both server and client (don't remove the cache,
    please)
    2) truncate the logs on server and client
    3) run id a.cri.dsullivan at bsdad.uchicago.edu on the client
then send us the logs from that single id run.
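The two checks suggested in this thread (does `id` list the group, and does the domain log show SSSD failing to store that membership) can be combined into a small triage script. The following is an added example written for this archive page; it is not code from the thread, from SSSD or from FreeIPA. It parses constructed sample input modelled on the quoted log (real log lines contain '@' where the archive prints ' at ') and on typical `id` output, and reports which of the HBAC rule's POSIX user groups the client does not resolve for the user. Note that an IPA external (non-POSIX) group never appears in `id` output, so only the POSIX groups of the rule are compared.

```python
"""Triage helper for the SSSD membership failure discussed in the thread.

Inputs: the SSSD domain log (sssd_<domain>.log at a debug level that shows the
0x0020 messages) and the output of `id <user>` on the client.  All data below
is constructed sample input, not the poster's actual logs.
"""
import re
from collections import defaultdict

# Matches the sysdb_update_members_ex failure quoted in the thread.
_FAIL_RE = re.compile(
    r"\[sysdb_update_members_ex\] \(0x0020\): Could not add member "
    r"\[(?P<user>[^\]]+)\] to group "
    r"\[name=(?P<group>[^,]+),cn=groups,cn=(?P<domain>[^,]+),cn=sysdb\]"
)

# Matches each "gid(name)" entry of `id` output; names may contain spaces
# (e.g. "domain users@bsdad.uchicago.edu"), so match up to the closing paren.
_ID_GROUP_RE = re.compile(r"\d+\(([^)]+)\)")

# Constructed sample log: two of the failures seen in the thread, with '@'.
SAMPLE_LOG = (
    "(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [ipa_s2n_save_objects] (0x2000): "
    "Updating memberships for a.cri.dsullivan@bsdad.uchicago.edu\n"
    "(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_mod_group_member] (0x0080): "
    "ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]\n"
    "(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): "
    "Could not add member [a.cri.dsullivan@bsdad.uchicago.edu] to group "
    "[name=cri-cri_server_administrators_ipa,cn=groups,cn=ipa.cri.uchicago.edu,cn=sysdb]. Skipping.\n"
    "(Tue Jul 12 13:29:58 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_update_members_ex] (0x0020): "
    "Could not add member [a.cri.dsullivan@bsdad.uchicago.edu] to group "
    "[name=cri-cri_server_administrators@bsdad.uchicago.edu,cn=groups,cn=bsdad.uchicago.edu,cn=sysdb]. Skipping.\n"
)

# Constructed `id` output: GIDs are made up; the _ipa group is absent, which is
# the symptom the thread describes.
SAMPLE_ID = (
    "uid=1234567(a.cri.dsullivan@bsdad.uchicago.edu) "
    "gid=1234568(domain users@bsdad.uchicago.edu) "
    "groups=1234568(domain users@bsdad.uchicago.edu),1234569(cri-all_users@bsdad.uchicago.edu)"
)

# POSIX user groups of the HBAC rule (the external group has no GID and is
# deliberately left out, since `id` can never show it).
RULE_USER_GROUPS = ["cri-cri_server_administrators_ipa"]


def parse_failed_memberships(log_text):
    """Return {user: {group, ...}} for every membership SSSD could not store."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = _FAIL_RE.search(line)
        if m:
            failed[m.group("user")].add(m.group("group"))
    return dict(failed)


def parse_id_groups(id_output):
    """Return the set of group names listed after 'groups=' in `id` output."""
    _, _, groups_part = id_output.partition("groups=")
    return set(_ID_GROUP_RE.findall(groups_part))


def hbac_groups_not_resolved(rule_user_groups, id_groups):
    """Return the rule's user groups that `id` does not show for the user."""
    return sorted(set(rule_user_groups) - id_groups)


def diagnose(log_text, id_output, user, rule_user_groups):
    """Cross-check both views: which rule groups are missing from `id`, and
    which of those the log shows SSSD failing to record for this user."""
    missing = hbac_groups_not_resolved(rule_user_groups, parse_id_groups(id_output))
    failed = parse_failed_memberships(log_text).get(user, set())
    return {
        "missing_from_id": missing,
        "failed_in_log": sorted(g for g in missing if g in failed),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_ID,
                   "a.cri.dsullivan@bsdad.uchicago.edu", RULE_USER_GROUPS))
```

A non-empty `failed_in_log` list is the situation Alexander describes: the client-side cache never received the membership, so the HBAC evaluation on that client cannot match the rule even though `ipa hbactest` on the server succeeds.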
