[Freeipa-users] HBAC access denied, all AD groups not detected

Jakub Hrozek jhrozek at redhat.com
Wed May 18 07:41:51 UTC 2016


On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote:
> It's worth noting that, in difference to the bug report:
> 
> 1. We aren't making changes to the overrides. The overrides exist, they
> just aren't propagating evenly or consistently.
> 2. We are seeing these errors in the various logs:
> 
> 
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> 
> 
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8929]]]]
> [k5c_send_data] (0x0200): Received error code 0
> krb5_child.log:(Wed May 18 09:12:30 2016) [[sssd[krb5_child[8931]]]]
> [k5c_send_data] (0x0200): Received error code 1432158214
> 
> sssd_nss.log:Error: 3, 0, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error
> message: Account info lookup failed
> sssd_nss.log:Error: 3, 22, Account info lookup failed
> sssd_nss.log:(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply]
> (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error
> message: Account info lookup failed

You need to look into the failures in the domain log that happened at
the same time as these. Some failures are recoverable, in some other
cases we're just reporting failure even if we just didn't match any
entry (yes, that's a subtle bug we should fix).
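
Added example, not part of the original message and not SSSD project code: one way to do the correlation suggested above is to parse the timestamps in the SSSD debug-log format quoted in the thread and list the domain-log entries that fall within a few seconds of each "Account info lookup failed" line in sssd_nss.log. The function names, the 5-second window and the sample timestamps are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: messages reuse the ones quoted in the thread,
# timestamps are made up for the demonstration.
NSS_LOG = """\
(Wed May 18 09:01:04 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 22 error message: Account info lookup failed
Error: 3, 22, Account info lookup failed
"""
DOMAIN_LOG = """\
(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
(Wed May 18 09:01:03 2016) [sssd[be[DOMAIN]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
"""

# "(timestamp) [process] [function] (debug level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) (?P<proc>\S+) \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(text):
    """Return (timestamp, function, message) for every timestamped line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a timestamp cannot be correlated
        # %a/%b parsing assumes an English (C) locale, as in the quoted logs
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        entries.append((ts, m["func"], m["msg"]))
    return entries

def correlate(nss_text, domain_text, window_s=5,
              needle="Account info lookup failed"):
    """Pair each NSS lookup failure with domain-log entries within +/- window_s."""
    window = timedelta(seconds=window_s)
    domain = parse(domain_text)
    result = []
    for ts, _, msg in parse(nss_text):
        if needle in msg:
            nearby = [e for e in domain if abs(e[0] - ts) <= window]
            result.append((ts, nearby))
    return result

if __name__ == "__main__":
    for ts, nearby in correlate(NSS_LOG, DOMAIN_LOG):
        print(f"NSS failure at {ts}: {len(nearby)} domain-log entries nearby")
        for dts, func, msg in nearby:
            print(f"  {dts} [{func}] {msg}")
```

An NSS failure with no domain-log entry inside the window is a candidate for the "didn't match any entry" case described in the reply; widen `window_s` before drawing that conclusion.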
