[Freeipa-users] subdomain errors
Orion Poplawski
orion at cora.nwra.com
Mon Apr 3 15:25:53 UTC 2017
On 04/03/2017 09:03 AM, Orion Poplawski wrote:
> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>> I seem to be having some issues with users/groups that may be leading to
>>> errors in the subdomain status. Can anyone parse this for me?
>>>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=USER@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>
>> This can be ignored, it's just a minor performance annoyance we track
>> upstream.
>
> Figured something like that, but thanks.
>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=USER@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=USER@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute objectSIDString, error!
>>
>> But this seems strange. Before you sanitized (presumably?) the logs, did
>> the DN name=USER@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
>> an IPA object?
>
> Yes, it's an IPA group used for HBAC access.
>
>> Did you run the sidgen task when setting up trusts or did you make sure
>> all replicas are either trust controllers or trust agents? Does the
>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
>
> I suspect the sidgen task has not been run, as I'm not really sure what that
> is. I have belatedly installed and run ipa-adtrust-install on all of our IPA
> servers, though a couple ran without that for a while. It does not look like
> that group has an ipaNTSecurityIdentifier attribute.
I'm seeing:
[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused SID.
[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
My IPA ranges are:
# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: AD.NWRA.COM_id_range
First Posix ID of the range: 20000
Number of IDs in the range: 20000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
Range type: Active Directory domain range
Range name: NWRA.COM_id_range
First Posix ID of the range: 8000
Number of IDs in the range: 2000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
So I've been creating these local posix IPA groups for HBAC access (as well as
file storage) with the same gid as that assigned to the AD user. Perhaps that
is a problem?
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com
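A check for the question the message ends on, added here as an example (it is not code from the thread, from the poster or from FreeIPA): it parses the `ipa idrange-find` output quoted above, embedded below as sample input, and reports whether a given POSIX ID falls inside the local range, inside the trusted AD range, in more than one range (overlapping ranges) or in no range at all. The ID 24613 is the one from the sidgen log above; the other GIDs are constructed to show each verdict. Against the two ranges quoted in the message, 24613 lands in AD.NWRA.COM_id_range (20000-39999) and not in NWRA.COM_id_range (8000-9999).

```python
"""Place POSIX IDs against the ID ranges printed by `ipa idrange-find`.
Added example for this thread; not FreeIPA code and not the poster's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input (copied from the message): the two ranges on this IPA domain.
IDRANGE_FIND_OUTPUT = """\
2 ranges matched
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
Number of entries returned 2
"""

@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    range_type: str
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None
    domain_sid: Optional[str] = None

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id

# idrange-find label -> (IdRange attribute, converter); other lines are skipped
FIELDS = {
    "Range name": ("name", str),
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("size", int),
    "First RID of the corresponding RID range": ("base_rid", int),
    "First RID of the secondary RID range": ("secondary_base_rid", int),
    "Domain SID of the trusted domain": ("domain_sid", str),
    "Range type": ("range_type", str),
}

def parse_idranges(text: str) -> List[IdRange]:
    """Parse idrange-find output; each 'Range name' line starts a new range."""
    ranges, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if not m or m.group(1) not in FIELDS:
            continue  # separators, match counts, blank lines
        attr, conv = FIELDS[m.group(1)]
        if attr == "name" and current:
            ranges.append(IdRange(**current))
            current = {}
        current[attr] = conv(m.group(2))
    if current:
        ranges.append(IdRange(**current))
    return ranges

def classify(posix_id: int, ranges: List[IdRange]) -> str:
    """'local', 'trusted', 'overlap' (more than one range) or 'unassigned'."""
    hits = [r for r in ranges if r.contains(posix_id)]
    if not hits:
        return "unassigned"
    if len(hits) > 1:
        return "overlap"
    return "local" if hits[0].range_type == "local domain range" else "trusted"

def find_overlaps(ranges: List[IdRange]) -> List[tuple]:
    """Pairs of range names whose POSIX ID intervals intersect."""
    return [(a.name, b.name)
            for i, a in enumerate(ranges) for b in ranges[i + 1:]
            if a.base_id <= b.last_id and b.base_id <= a.last_id]

if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_FIND_OUTPUT)
    print("overlapping ranges:", find_overlaps(ranges) or "none")
    # 24613 is the GID from the sidgen log above; the other IDs are
    # constructed to show each verdict.
    for gid in (8500, 9999, 10000, 24613):
        print(f"gid {gid}: {classify(gid, ranges)}")
```

To run it against a live domain, replace the sample string with the actual output of `ipa idrange-find` and the GID tuple with the GIDs of the local POSIX groups being checked; any group reported as "trusted" or "overlap" has an ID that sits in the range reserved for mapping the AD domain's SIDs rather than in the IPA local range.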