[Freeipa-users] Errors in IPA logs

Lachlan Musicman datakid at gmail.com
Mon Mar 20 09:16:48 UTC 2017


On 20 March 2017 at 19:38, Martin Basti <mbasti at redhat.com> wrote:

> On 19.03.2017 22:58, Lachlan Musicman wrote:
>
> Hi,
>
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on how I might fix these errors or what I
> might do to mitigate them. Any pointers appreciated:
>
> First error:
>
> [sssd[be[unixdev.domain.org.au]]] [ipa_sudo_fetch_rules_done] (0x0040):
> Received 1 sudo rules
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_mod_group_member] (0x0080):
> ldb_modify failed: [No such attribute](16)[attribute 'member': no matching
> attribute value while deleting attribute on 'name=ipa_bioinf_staff@
> unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb']
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_error_to_errno] (0x0020): LDB
> returned unexpected error: [No such attribute]
>
> [sssd[be[unixdev.domain.org.au]]] [sysdb_update_members_ex] (0x0020):
> Could not remove member [SimpsonLachlan at domain.org.au] from group [name=
> ipa_bioinf_staff at unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb].
> Skipping
>
>
>
> Second error is long list of errors that look like
>
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in second component,
> got OU
>
> [sssd[be]] [get_ipa_groupname] (0x0020): Expected groups second component,
> got Users
>
>
> I don't know enough about AD to speak meaningfully to these, but a quick
> google shows that a group can have cn=Users as its second component ( see
> here for example https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx )
>
> Is there an LDAP query that I need to define or add to the IPA server?
>
> cheers
> L.
>
>
> Hello,
>
> can you describe your deployment more? Your DNs don't look like they were
> created by FreeIPA.
> This is not how FreeIPA's DIT looks 'name=ipa_bioinf_staff@
> unixdev.domain.org.au,cn=groups,cn=unixdev.domain.org.au,cn=sysdb'
>


DNS isn't done by FreeIPA - it's all in AD. With a one way trust and all
users and groups managed by AD - except for overrides and external groups
for HBAC - everything is in AD.

As for the FreeIPA DIT - that is a group created in FreeIPA (through the
GUI iirc). I haven't done anything particularly special to make it look
like that (with the domain inside the cn). Unless it's a strange confluence
of configurations that has created a situation that would make that happen.

cheers
L.

So, wrt your question, what can I give you/what were you after?