<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 19.03.2017 22:58, Lachlan Musicman
wrote:<br>
</div>
<blockquote
cite="mid:CAGBeqiOR36F3V=QXX48rZakTfZ3qauftUCz2MMaP0bmozq3i6w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hi,<br>
<br>
</div>
I've reported a bug against SSSD and Lukas has pointed to a
number of FreeIPA errors in our logs.<br>
</div>
<div>I can't find any information on how I might fix these
errors or what I might do to mitigate them. Any pointers
appreciated:<br>
<br>
</div>
First error:<br>
<div><br>
[sssd[be[<a moz-do-not-send="true"
href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>]]]
[ipa_sudo_fetch_rules_done] (0x0040): Received 1 sudo rules
<br>
<br>
[sssd[be[<a moz-do-not-send="true"
href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
attribute](16)[attribute 'member': no matching attribute value
while deleting attribute on 'name=<a moz-do-not-send="true"
href="mailto:ipa_bioinf_staff@unixdev.domain.org.au">ipa_bioinf_staff@unixdev.domain.org.au</a>,cn=groups,cn=<a
moz-do-not-send="true" href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>,cn=sysdb']
<br>
<br>
[sssd[be[<a moz-do-not-send="true"
href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>]]]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected
error: [No such attribute] <br>
<br>
[sssd[be[<a moz-do-not-send="true"
href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>]]]
[sysdb_update_members_ex] (0x0020): Could not remove member [<a
moz-do-not-send="true"
href="mailto:SimpsonLachlan@domain.org.au">SimpsonLachlan@domain.org.au</a>]
from group [name=<a moz-do-not-send="true"
href="mailto:ipa_bioinf_staff@unixdev.domain.org.au">ipa_bioinf_staff@unixdev.domain.org.au</a>,cn=groups,cn=<a
moz-do-not-send="true" href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>,cn=sysdb].
Skipping<br>
<div>
<div><br>
<br>
<br>
</div>
<div>The second error is a long list of errors that look like<br>
<br>
<br>
[sssd[be]] [get_ipa_groupname] (0x0020): Expected cn in
second component, got OU<br>
<br>
[sssd[be]] [get_ipa_groupname] (0x0020): Expected groups
second component, got Users<br>
<br>
<br>
</div>
<div>I don't know enough about AD to speak meaningfully to
these, but a quick google shows that a group can have
cn=Users as its second component (see here for example <a
moz-do-not-send="true"
href="https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx">https://technet.microsoft.com/en-us/library/dn579255%28v=ws.11%29.aspx</a>
)<br>
<br>
</div>
<div>Is there an LDAP query that I need to define or add to
the IPA server?<br>
</div>
<div><br>
</div>
<div>cheers<br>
</div>
<div>L.<br>
</div>
<div><br>
<br>
<br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>------<br>
The most dangerous phrase in the language is,
"We've always done it this way."<br>
<br>
- Grace Hopper<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
Hello,<br>
<br>
Can you describe your deployment more? Your DNs don't look like
they were created by FreeIPA.<br>
This is not how FreeIPA's DIT looks: 'name=<a moz-do-not-send="true"
href="mailto:ipa_bioinf_staff@unixdev.domain.org.au">ipa_bioinf_staff@unixdev.domain.org.au</a>,cn=groups,cn=<a
moz-do-not-send="true" href="http://unixdev.domain.org.au">unixdev.domain.org.au</a>,cn=sysdb'<br>
<br>
Martin<br>
</body>
</html>