[Freeipa-users] HBAC access denied, all AD groups not detected

Lachlan Musicman datakid at gmail.com
Tue May 17 23:46:49 UTC 2016


It's worth noting that, in difference to the bug report:

1. We aren't making changes to the overrides. The overrides exist, they
just aren't propagating evenly or consistently.
2. We are seeing these errors in the various logs:


sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)


krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]] [k5c_send_data] (0x0200): Received error code 0
krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931]]]] [k5c_send_data] (0x0200): Received error code 1432158214

sssd_nss.log:Error: 3, 0, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
sssd_nss.log:Error: 3, 22, Account info lookup failed
sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed


cheers
L.



------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 18 May 2016 at 08:35, Lachlan Musicman <datakid at gmail.com> wrote:

> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/ticket/2642
> and
> https://bugzilla.redhat.com/show_bug.cgi?id=1217127
>
> Versions being run:
>
> sssd-client-1.13.0-40.el7_2.4.x86_64
> sssd-ad-1.13.0-40.el7_2.4.x86_64
> sssd-proxy-1.13.0-40.el7_2.4.x86_64
> sssd-1.13.0-40.el7_2.4.x86_64
> sssd-common-1.13.0-40.el7_2.4.x86_64
> sssd-common-pac-1.13.0-40.el7_2.4.x86_64
> sssd-ipa-1.13.0-40.el7_2.4.x86_64
> sssd-ldap-1.13.0-40.el7_2.4.x86_64
> python-sssdconfig-1.13.0-40.el7_2.4.noarch
> sssd-krb5-common-1.13.0-40.el7_2.4.x86_64
> sssd-krb5-1.13.0-40.el7_2.4.x86_64
>
> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
>
> On 17 May 2016 at 22:34, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
>> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
>> > FWIW,
>> >
>> > We are seeing the issues that are described here:
>> >
>> >
>> > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
>> >
>> > I was about to write when I found this, it explains exactly what I am
>> > seeing - right down to the "impossible to reproduce because it's so
>> > (seemingly) random".
>> >
>> >
>> > I am about to read up on the SSSD troubleshooting in order to up the
>> > logs &etc, but here is some output I can share - note that this all
>> > happened in ~5 minutes. As you can see, clearing the cache has various
>> > unpredictable effects. Both users should return the same list of groups.
>> > This was performed on a FreeIPA client.
>>
>> There were some bugs related to external groups, what server and client
>> package versions are you running?
>>
>
>