[Freeipa-users] subdomain errors

Orion Poplawski orion at cora.nwra.com
Mon Apr 3 15:25:53 UTC 2017


On 04/03/2017 09:03 AM, Orion Poplawski wrote:
> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>> I seem to be having some issues with users/groups that may be leading to
>>> errors in the subdomain status.  Can anyone parse this for me?
>>>
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>
>> This can be ignored, it's just a minor performance annoyance we track
>> upstream.
> 
> Figured something like that, but thanks.
> 
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>> (0x0080): Cannot set ts attrs for
>>> name=USER at ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>>> [ipa_initgr_get_overrides_step] (0x0040): The group
>>> name=USER at nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>>> objectSIDString, error!
>>
>> But this seems strange. Before you sanitized (presumably?) the logs, did
>> the DN name=USER at nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
>> an IPA object?
> 
> Yes, it's an IPA group used for HBAC access.
> 
>> Did you run the sidgen task when setting up trusts or did you make sure
>> all replicas are either trust controllers or trust agents? Does the
>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
> 
> I suspect the sidgen task has not been run, as I'm not really sure what that
> is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
> servers, though a couple ran without that for a while.  It does not look like
> that group has an ipaNTSecurityIdentifier attribute.

I'm seeing:

[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
SID.
[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
154]: Cannot add SID to existing entry.
[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

My IPA ranges are:

# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

So I've been creating these local posix IPA groups for HBAC access (as well as
file storage) with the same gid as that assigned to the AD user.  Perhaps that
is a problem?


-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                   http://www.nwra.com
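Added example, not part of the post and not FreeIPA's own code: it parses the `ipa idrange-find` listing quoted above, reports which range a given POSIX ID falls into, checks the ranges for overlap, and models what the sidgen task can do with an entry carrying that ID. The rules encoded in `sidgen_outcome` (a SID is minted only for IDs inside a local range, RID = base RID + offset from the range start, secondary RID base as the fallback when the first RID is taken) are an assumption about the plugin's behaviour rather than something the post states, and the `used_rids` parameter is a hypothetical stand-in for the LDAP lookup the real plugin does.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a copy of the `ipa idrange-find` output quoted in the post.
IDRANGE_OUTPUT = """
----------------
2 ranges matched
----------------
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Labels as printed by `ipa idrange-find`, mapped to attribute names.
FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "First RID of the corresponding RID range": "base_rid",
    "First RID of the secondary RID range": "secondary_base_rid",
    "Domain SID of the trusted domain": "domain_sid",
    "Range type": "range_type",
}
INT_FIELDS = {"base_id", "size", "base_rid", "secondary_base_rid"}


@dataclass
class IdRange:
    name: str
    base_id: int = 0
    size: int = 0
    base_rid: Optional[int] = None
    secondary_base_rid: Optional[int] = None
    domain_sid: Optional[str] = None
    range_type: str = ""

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id


def parse_idrange_find(text: str) -> list[IdRange]:
    """Turn the human-readable listing into IdRange objects, one per 'Range name'."""
    ranges: list[IdRange] = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue  # separator lines, match counts, unknown labels
        attr, value = FIELDS[key], value.strip()
        if attr == "name":
            ranges.append(IdRange(name=value))
        elif ranges:
            setattr(ranges[-1], attr, int(value) if attr in INT_FIELDS else value)
    return ranges


def find_range(ranges: list[IdRange], posix_id: int) -> Optional[IdRange]:
    """Return the range containing posix_id, or None if no range covers it."""
    return next((r for r in ranges if r.contains(posix_id)), None)


def overlapping_ranges(ranges: list[IdRange]) -> list[tuple[str, str]]:
    """List pairs of ranges whose POSIX ID intervals intersect (should be empty)."""
    pairs = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.base_id <= b.last_id and b.base_id <= a.last_id:
                pairs.append((a.name, b.name))
    return pairs


def sidgen_outcome(ranges: list[IdRange], posix_id: int, used_rids=frozenset()):
    """Model (assumption, not the plugin's code) of what sidgen can do for an entry.

    Returns (status, range name, RID). SIDs are minted only inside a local
    range; RID = base RID + (posix_id - base_id); the secondary RID base is the
    fallback when that RID is already in use (used_rids stands in for the
    LDAP check the real plugin performs).
    """
    rng = find_range(ranges, posix_id)
    if rng is None:
        return ("outside-all-ranges", None, None)
    if rng.range_type != "local domain range":
        # IDs here belong to AD objects; IPA cannot mint an unused SID for them.
        return ("trust-range", rng.name, None)
    offset = posix_id - rng.base_id
    for base in (rng.base_rid, rng.secondary_base_rid):
        if base is not None and base + offset not in used_rids:
            return ("sid-assignable", rng.name, base + offset)
    return ("no-free-rid", rng.name, None)


if __name__ == "__main__":
    ranges = parse_idrange_find(IDRANGE_OUTPUT)
    print("overlaps:", overlapping_ranges(ranges))
    for gid in (24613, 8500, 12000):  # 24613 is the ID from the sidgen log above
        print(gid, sidgen_outcome(ranges, gid))
```

Running it classifies the ID from the sidgen log line, 24613, as sitting inside `AD.NWRA.COM_id_range` (20000 to 39999) rather than the local `NWRA.COM_id_range` (8000 to 9999), which is the kind of placement a defender would look for first when a local entry fails to get a SID.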



