[Freeipa-users] subdomain errors

Alexander Bokovoy abokovoy at redhat.com
Mon Apr 3 15:35:08 UTC 2017


On Mon, 03 Apr 2017, Orion Poplawski wrote:
>On 04/03/2017 09:03 AM, Orion Poplawski wrote:
>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>>> I seem to be having some issues with users/groups that may be leading to
>>>> errors in the subdomain status.  Can anyone parse this for me?
>>>>
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>>> (0x0080): Cannot set ts attrs for
>>>> name=USER@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>>
>>> This can be ignored, it's just a minor performance annoyance we track
>>> upstream.
>>
>> Figured something like that, but thanks.
>>
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>>>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)]
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>>>> (0x0080): Cannot set ts attrs for
>>>> name=USER@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>>>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>>>> [ipa_initgr_get_overrides_step] (0x0040): The group
>>>> name=USER@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>>>> objectSIDString, error!
>>>
>>> But this seems strange. Before you sanitized (presumably?) the logs, did
>>> the DN name=USER@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
>>> an IPA object?
>>
>> Yes, it's an IPA group used for HBAC access.
>>
>>> Did you run the sidgen task when setting up trusts or did you make sure
>>> all replicas are either trust controllers or trust agents? Does the
>>> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?
>>
>> I suspect the sidgen task has not been run, as I'm not really sure what that
>> is.  I have belatedly installed and run ipa-adtrust-install on all of our IPA
>> servers, though a couple ran without that for a while.  It does not look like
>> that group has an ipaNTSecurityIdentifier attribute.
>
>I'm seeing:
>
>[03/Apr/2017:09:07:34.269247507 -0600] sidgen_task_thread - [file
>ipa_sidgen_task.c, line 194]: Sidgen task starts ...
>[03/Apr/2017:09:07:34.273308903 -0600] find_sid_for_ldap_entry - [file
>ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [24613] into an unused
>SID.
>[03/Apr/2017:09:07:34.274521892 -0600] do_work - [file ipa_sidgen_task.c, line
>154]: Cannot add SID to existing entry.
>[03/Apr/2017:09:07:34.277196405 -0600] sidgen_task_thread - [file
>ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
Look at this list's archives; I gave recipes for how to fix this in
February.

>My IPA ranges are:
>
># ipa idrange-find
>----------------
>2 ranges matched
>----------------
>  Range name: AD.NWRA.COM_id_range
>  First Posix ID of the range: 20000
>  Number of IDs in the range: 20000
>  First RID of the corresponding RID range: 0
>  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
>  Range type: Active Directory domain range
>
>  Range name: NWRA.COM_id_range
>  First Posix ID of the range: 8000
>  Number of IDs in the range: 2000
>  First RID of the corresponding RID range: 1000
>  First RID of the secondary RID range: 100000000
>  Range type: local domain range
>----------------------------
>Number of entries returned 2
>----------------------------
>
>So I've been creating these local posix IPA groups for HBAC access (as well as
>file storage) with the same gid as that assigned to the AD user.  Perhaps that
>is a problem?
Yes, that is a problem. But an HBAC group is not a problem, because an
HBAC group is not a POSIX IPA group at all; it is even stored in a
different subtree from user groups.

-- 
/ Alexander Bokovoy
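The following is an added example, not code from the thread or from FreeIPA itself. It parses the `ipa idrange-find` output quoted above (embedded as constructed sample input) and classifies POSIX IDs against the configured ranges, so local IPA users or groups whose uid/gid falls inside a trusted-domain range (like the ID 24613 the sidgen task rejected in the quoted 389-ds log) can be found before the task is run. The group names in `SAMPLE_ENTRIES` are made up; the reading that sidgen can only assign SIDs to IDs inside a local domain range follows the log message and answer above and is the assumption the check is built on.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `ipa idrange-find` output quoted in the thread.
IDRANGE_FIND_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: AD.NWRA.COM_id_range
  First Posix ID of the range: 20000
  Number of IDs in the range: 20000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-89655523-1570529619-2103694531
  Range type: Active Directory domain range

  Range name: NWRA.COM_id_range
  First Posix ID of the range: 8000
  Number of IDs in the range: 2000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample entries (name, POSIX ID). 24613 is the ID the sidgen task
# rejected in the quoted log; the names and the other IDs are made up.
SAMPLE_ENTRIES = [
    ("adusergrp", 24613),   # local group given the AD user's GID
    ("hbacusers", 8500),    # inside the local range, fine
    ("oldgroup", 50000),    # outside every configured range
]

# Only the fields we need from the human-readable output.
KEY_MAP = {
    "Range name": "name",
    "First Posix ID of the range": "base_id",
    "Number of IDs in the range": "size",
    "Range type": "range_type",
    "Domain SID of the trusted domain": "domain_sid",
}


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    range_type: str
    domain_sid: Optional[str] = None

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

    @property
    def is_local(self) -> bool:
        return self.range_type == "local domain range"

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.last_id


def parse_idranges(text: str) -> List[IdRange]:
    """Parse `ipa idrange-find` text output; a 'Range name' line starts a record."""
    ranges: List[IdRange] = []
    fields: Dict[str, str] = {}

    def flush() -> None:
        if "name" in fields:
            ranges.append(IdRange(fields["name"], int(fields["base_id"]),
                                  int(fields["size"]), fields["range_type"],
                                  fields.get("domain_sid")))
        fields.clear()

    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*):\s*(.+)$", line)
        if not m:
            continue  # separators and count lines carry no key: value pair
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":
            flush()
        if key in KEY_MAP:
            fields[KEY_MAP[key]] = value
    flush()
    return ranges


def classify(posix_id: int, ranges: List[IdRange]) -> Tuple[str, Optional[str]]:
    """Return ('local' | 'trusted' | 'unassigned', range name) for a POSIX ID."""
    for r in ranges:
        if r.contains(posix_id):
            return ("local" if r.is_local else "trusted", r.name)
    return ("unassigned", None)


def sidgen_problem_entries(entries, ranges) -> List[Tuple[str, int, str]]:
    """Local IPA entries whose ID lies outside every local domain range.

    Assumption (from the thread): sidgen derives a SID from the local range's
    RID base, so it has nothing to assign for these IDs and logs
    'Cannot convert Posix ID [...] into an unused SID.'"""
    problems = []
    for name, posix_id in entries:
        status, range_name = classify(posix_id, ranges)
        if status != "local":
            problems.append((name, posix_id, range_name or "no range"))
    return problems


if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_FIND_OUTPUT)
    for r in ranges:
        print(f"{r.name}: {r.base_id}-{r.last_id} ({r.range_type})")
    for name, posix_id, where in sidgen_problem_entries(SAMPLE_ENTRIES, ranges):
        print(f"{name} (ID {posix_id}) is in {where}; sidgen cannot assign a SID")
```

To use it against a real deployment, replace the constructed strings with the output of `ipa idrange-find` and the uid/gid numbers of your own users and groups; every entry reported here is one the sidgen task will skip, and the fix is to move it back into the local range (or drop the POSIX attributes if the group exists only for HBAC, which needs no GID).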
