[Freeipa-users] subdomain errors
Orion Poplawski
orion at cora.nwra.com
Mon Apr 3 15:03:19 UTC 2017
On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>> I seem to be having some issues with users/groups that may be leading to
>> errors in the subdomain status. Can anyone parse this for me?
>>
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>
> This can be ignored, it's just a minor performance annoyance we track
> upstream.
Figured something like that, but thanks.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=USER at nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
>
> But this seems strange. Before you sanitized (presumably?) the logs, did
> the DN name=USER at nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
> an IPA object?
Yes, it's an IPA group used for HBAC access.
> Did you run the sidgen task when setting up trusts or did you make sure
> all replicas are either trust controllers or trust agents? Does the
> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
I suspect the sidgen task has not been run, as I'm not really sure what that
is. I have belatedly installed and run ipa-adtrust-install on all of our IPA
servers, though a couple ran without that for a while. It does not look like
that group has an ipaNTSecurityIdentifier atribute.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=USER at nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID
>> S-1-5-32-545
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
>> group memberships even after all groups have been looked up on the LDAP server.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0080): Sudomain lookup failed, will try to reset sudomain..
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
>> Cannot retrieve service [ad.nwra.com]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0080): Sudomain lookup failed, will try to reset sudomain..
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
>> Cannot retrieve service [ad.nwra.com]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
>>
>> --
>> Orion Poplawski
>> Technical Manager 720-772-5637
>> NWRA, Boulder/CoRA Office FAX: 303-415-9702
>> 3380 Mitchell Lane orion at nwra.com
>> Boulder, CO 80301 http://www.nwra.com
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
More information about the Freeipa-users
mailing list