[Freeipa-users] ipa_add_ad_memberships_get_next errors

Orion Poplawski orion at cora.nwra.com
Mon Apr 3 14:52:09 UTC 2017


On 04/03/2017 02:10 AM, Alexander Bokovoy wrote:
> On ma, 03 huhti 2017, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote:
>>> I'm seeing messages like this:
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
>>> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
>>> group memberships even after all groups have been looked up on the LDAP
>>> server.
>>>
>>> and wondering if it is anything to worry about.
>>>
>>>
>>> Some context:
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
>>> (0x2000): Search groups with filter:
>>> (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
>>> (0x2000): No such entry
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
>>> (0x2000): Search groups with filter:
>>> (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [merge_msg_ts_attrs] (0x2000):
>>> No such DN in the timestamp cache:
>>> name=nwra at nwra.com,cn=groups,cn=nwra.com,cn=sysdb
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs]
>>> (0x2000): TS cache doesn't contain this DN, skipping
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base]
>>> (0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000):
>>> Searching 10.10.41.4:389
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
>>> (0x0400): calling ldap_search_ext with
>>> [(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
>>>
>>
>> I think this might be the reason why SSSD reports unresolved
>> memberships. It's trying to resolve the group using the cn attribute, but
>> the object's RDN attribute seems to be ipaUniqueID. So I don't think
>> this is harmful, just confusing.
>>
>> Can you please check what the object is on the IPA side with this
>> ipaUniqueID?
> It is an HBAC group -- see above in the log:
> (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))

This is our "allow employees access" HBAC group.  So it applies to our "nwra"
host group as well as a couple individual machines, and to our "nwra" IPA group.

# 12d2026e-a5cd-11e5-a14e-00163e2d6456, hbac, nwra.com
dn: ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com
description: Allow NWRA-Users
serviceCategory: all
memberHost: cn=nwra,cn=hostgroups,cn=accounts,dc=nwra,dc=com
memberHost: fqdn=ipaclient1.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=
 com
memberHost: fqdn=quetzal.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=com
memberUser: cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: allow
ipaEnabledFlag: TRUE
cn: allow_nwra
ipaUniqueID: 12d2026e-a5cd-11e5-a14e-00163e2d6456

The group search for that item fails presumably because it's not a group
(doesn't have objectclass=group).

The nwra group contains the nwra_users_external group:

# ipa group-show nwra
  Group name: nwra
  Description: ad.nwra.com NWRA-Users
  GID: 1001
  Member groups: nwra_users_external
  Member of HBAC rule: allow_nwra

# ipa group-show nwra_users_external
  Group name: nwra_users_external
  Description: ad.nwra.com NWRA-Users external map
  External member: nwra-users at ad.nwra.com
  Member of groups: nwra
  Indirect Member of HBAC rule: allow_nwra


-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
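As an added illustration (not part of the thread, and not SSSD's own code), a small Python checker over constructed log lines modelled on the debug output quoted above: it pulls each originalDN that SSSD tried to look up as a group, flags the ones that do not live under cn=groups (here the HBAC rule named by its ipaUniqueID), and records which attribute the follow-up ldap_search_ext keyed on (cn), which is why that search can never match.

```python
import re

# Constructed sample, modelled on the sssd_be debug lines in the thread;
# the wrapped ldap_search_ext line has been joined onto a single line.
LOG = """\
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
"""

# originalDN values SSSD searched its group cache for.
DN_RE = re.compile(r"\[sysdb_cache_search_groups\].*?\(originalDN=([^)]+)\)\)")
# First (attr=value) term of each ldap_search_ext filter sent to the server.
LDAP_RE = re.compile(r"calling ldap_search_ext with \[\(&\((\w+)=([^)]+)\)")


def split_dn(dn):
    """Split a DN into (attr, value) pairs; sample values contain no escaped commas."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def find_non_group_references(log):
    """Return originalDN values that SSSD looked up as groups but which are not
    under cn=groups, together with the attribute the LDAP lookup keyed on."""
    # Map each value searched for on the LDAP server to the attribute used.
    searched = {value: attr for attr, value in LDAP_RE.findall(log)}
    findings = []
    for dn in DN_RE.findall(log):
        parts = split_dn(dn)
        rdn_attr, rdn_value = parts[0]
        container = parts[1][1] if len(parts) > 1 else ""
        if container != "groups":
            findings.append({
                "dn": dn,
                "rdn_attr": rdn_attr,
                "container": container,
                "searched_by": searched.get(rdn_value),
            })
    return findings


if __name__ == "__main__":
    for f in find_non_group_references(LOG):
        print(f"non-group entry {f['dn']} (RDN {f['rdn_attr']}, container cn={f['container']})"
              f" was searched on LDAP by {f['searched_by']}; no match is expected")
```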