Discussion:
[Freeipa-users] ipa_add_ad_memberships_get_next errors
Orion Poplawski
2017-03-31 22:07:16 UTC
I'm seeing messages like this:

(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.

and wondering if it is anything to worry about.


Some context:

(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [merge_msg_ts_attrs] (0x2000):
No such DN in the timestamp cache:
name=***@nwra.com,cn=groups,cn=nwra.com,cn=sysdb
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs]
(0x2000): TS cache doesn't contain this DN, skipping
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base]
(0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000):
Searching 10.10.41.4:389
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [posixGroup]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [member]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaUniqueID]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [entryUSN]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [ipaExternalMember]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 17
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_op_add] (0x2000): New
operation 17 timeout 6
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fc2ae9e9d90], connected[1], ops[0x7fc2aea403c0],
ldap[0x7fc2ae9b60b0]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
(0x2000): Trace: end of ldap_result list
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fc2ae9e9d90], connected[1], ops[0x7fc2aea403c0],
ldap[0x7fc2ae9b60b0]
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_op_finished]
(0x0400): Search result: Success(0), no errmsg set
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_op_destructor] (0x2000):
Operation 17 finished
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_process]
(0x0400): Search for groups, returned 0 results.
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane ***@nwra.com
Boulder, CO 80301 http://www.nwra.com
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jakub Hrozek
2017-04-03 08:04:26 UTC
Post by Orion Poplawski
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.
and wondering if it is anything to worry about.
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs]
(0x2000): TS cache doesn't contain this DN, skipping
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base]
(0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
Searching 10.10.41.4:389
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.

Can you please check what the object is on the IPA side with this
ipaUniqueID?

Could you describe the hierarchy so I can set up and reproduce something
similar locally?
Alexander Bokovoy
2017-04-03 08:10:41 UTC
Post by Jakub Hrozek
Post by Orion Poplawski
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.
and wondering if it is anything to worry about.
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs]
(0x2000): TS cache doesn't contain this DN, skipping
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base]
(0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
Searching 10.10.41.4:389
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.
Can you please check what the object is on the IPA side with this
ipaUniqueID?
It is an HBAC group -- see above in the log:
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
--
/ Alexander Bokovoy
Orion Poplawski
2017-04-03 14:52:09 UTC
Post by Orion Poplawski
Post by Jakub Hrozek
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.
Can you please check what the object is on the IPA side with this
ipaUniqueID?
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
This is our "allow employees access" HBAC group. So it applies to our "nwra"
host group as well as a couple individual machines, and to our "nwra" IPA group.

# 12d2026e-a5cd-11e5-a14e-00163e2d6456, hbac, nwra.com
dn: ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com
description: Allow NWRA-Users
serviceCategory: all
memberHost: cn=nwra,cn=hostgroups,cn=accounts,dc=nwra,dc=com
memberHost: fqdn=ipaclient1.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=com
memberHost: fqdn=quetzal.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=com
memberUser: cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: allow
ipaEnabledFlag: TRUE
cn: allow_nwra
ipaUniqueID: 12d2026e-a5cd-11e5-a14e-00163e2d6456

The group search for that item fails presumably because it's not a group
(doesn't have objectclass=group).

The nwra group contains the nwra_users_external group:

# ipa group-show nwra
Group name: nwra
Description: ad.nwra.com NWRA-Users
GID: 1001
Member groups: nwra_users_external
Member of HBAC rule: allow_nwra

# ipa group-show nwra_users_external
Group name: nwra_users_external
Description: ad.nwra.com NWRA-Users external map
External member: nwra-***@ad.nwra.com
Member of groups: nwra
Indirect Member of HBAC rule: allow_nwra
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane ***@nwra.com
Boulder, CO 80301 http://www.nwra.com
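The two posts above describe the same mismatch from opposite ends: Jakub's reading of the debug log (SSSD builds a server-side group search on the cn attribute while the DN it is chasing has ipaUniqueID as its RDN) and the LDIF that shows the object is an HBAC rule with no group objectClass at all. The following Python script is an added example, not code from this thread or from SSSD, that ties the two together as a log-triage helper: it pulls every originalDN out of the sysdb group searches, reports the RDN attribute and where in the IPA tree the DN lives, and flags entries that a (cn=<rdn value>) lookup cannot match. The log lines are constructed from the ones quoted in the thread (joined onto single lines); the HBAC rule entry is taken from Orion's LDIF, and the POSIX group entry's objectClass list is an assumption about what an IPA group looks like, not something the thread shows.

```python
import re

# Constructed sample of sssd debug lines, modelled on the thread's log
# (multi-line records joined onto one line each; not a verbatim copy).
SAMPLE_LOG = """\
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.
"""

# Objectclasses of the HBAC rule, taken from the LDIF posted in the thread.
HBAC_RULE_ENTRY = {
    "dn": "ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com",
    "objectClass": ["ipaassociation", "ipahbacrule"],
    "cn": ["allow_nwra"],
}
# Assumed shape of the "nwra" POSIX group; the thread does not show its LDIF.
POSIX_GROUP_ENTRY = {
    "dn": "cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com",
    "objectClass": ["top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject", "posixgroup"],
    "cn": ["nwra"],
    "gidNumber": ["1001"],
}

# The server-side filter in the log accepts ipaUserGroup or posixGroup.
GROUP_CLASSES = {"posixgroup", "ipausergroup"}

FILTER_RE = re.compile(r"Search groups with filter: \(&\(objectclass=group\)\(originalDN=(?P<dn>[^)]+)\)\)")
LDAP_SEARCH_RE = re.compile(r"calling ldap_search_ext with \[\(&\(cn=(?P<cn>[^)]+)\)")
UNRESOLVED_RE = re.compile(r"\[ipa_add_ad_memberships_get_next\] \(0x0020\): There are unresolved")


def split_dn(dn):
    """Split a DN into (attribute, value) pairs. Simplified: escaped commas are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def classify_dn(dn):
    """Describe what kind of IPA object a DN points at, judged from its container."""
    pairs = split_dn(dn)
    rdn_attr, rdn_value = pairs[0]
    containers = [v.lower() for a, v in pairs[1:] if a.lower() == "cn"]
    if "hbac" in containers:
        kind = "hbac-rule"
    elif "groups" in containers and "accounts" in containers:
        kind = "posix-group"
    else:
        kind = "other"
    return {
        "dn": dn,
        "rdn_attr": rdn_attr,
        "rdn_value": rdn_value,
        "kind": kind,
        # SSSD's server-side search is (cn=<rdn value>); that can only hit an
        # entry whose RDN attribute really is cn.
        "cn_filter_can_match": rdn_attr.lower() == "cn",
    }


def is_group_entry(entry):
    """Mirror the objectClass part of the server-side filter on an LDIF-style entry."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return bool(classes & GROUP_CLASSES)


def server_side_cn_lookups(text):
    """Values SSSD plugged into (cn=...) when it went to the LDAP server."""
    return [m.group("cn") for m in LDAP_SEARCH_RE.finditer(text)]


def triage_log(text):
    """One finding per originalDN that SSSD tried to resolve as a group."""
    cn_lookups = server_side_cn_lookups(text)
    unresolved = any(UNRESOLVED_RE.search(line) for line in text.splitlines())
    findings = [classify_dn(m.group("dn")) for m in FILTER_RE.finditer(text)]
    for f in findings:
        f["server_lookup_by_cn"] = f["rdn_value"] in cn_lookups
        f["unresolved_warning_seen"] = unresolved
        # A non-group DN being chased as a group is the likely source of the warning.
        f["likely_cause"] = f["kind"] != "posix-group" and unresolved
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real sssd_<domain>.log (debug_level 9 or higher) by reading the file into triage_log; the multi-line records in a real log need joining first, as was done for SAMPLE_LOG. The interesting output column is cn_filter_can_match: a DN with an ipaUniqueID RDN under cn=hbac can never be found by a cn= search, which is exactly the dead end the warning reports.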
Alexander Bokovoy
2017-04-03 15:32:49 UTC
Post by Orion Poplawski
Post by Orion Poplawski
Post by Jakub Hrozek
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.
Can you please check what the object is on the IPA side with this
ipaUniqueID?
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
This is our "allow employees access" HBAC group. So it applies to our "nwra"
host group as well as a couple individual machines, and to our "nwra" IPA group.
It is an HBAC group, not a normal POSIX user group, so SSSD shouldn't even
look at it for a POSIX user membership.
--
/ Alexander Bokovoy
Jakub Hrozek
2017-04-03 16:04:00 UTC
Post by Alexander Bokovoy
Post by Orion Poplawski
Post by Orion Poplawski
Post by Jakub Hrozek
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.
Can you please check what the object is on the IPA side with this
ipaUniqueID?
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
This is our "allow employees access" HBAC group. So it applies to our "nwra"
host group as well as a couple individual machines, and to our "nwra" IPA group.
It is an HBAC group, not a normal POSIX user group, so SSSD shouldn't even
look at it for a POSIX user membership.
Right, I'll try to reproduce at least the error message locally to try
if we can suppress it (by skipping the HBAC group). At the very least
the error message is confusing for admins.
Alexander Bokovoy
2017-04-03 16:12:09 UTC
Post by Jakub Hrozek
Post by Alexander Bokovoy
Post by Orion Poplawski
Post by Orion Poplawski
Post by Jakub Hrozek
I think this might be the reason why SSSD reports unresolved
memberships. It's trying to resolve the group using the cn attribute, but
the object's RDN attribute seems to be ipaUniqueID. So I don't think
this is harmful, just confusing.
Can you please check what the object is on the IPA side with this
ipaUniqueID?
(&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
This is our "allow employees access" HBAC group. So it applies to our "nwra"
host group as well as a couple individual machines, and to our "nwra" IPA group.
It is an HBAC group, not a normal POSIX user group, so SSSD shouldn't even
look at it for a POSIX user membership.
Right, I'll try to reproduce at least the error message locally to try
if we can suppress it (by skipping the HBAC group). At the very least
the error message is confusing for admins.
It may also be related to the issue of not setting a proper base for
searches in case of the IPA provider for some types of searches.
--
/ Alexander Bokovoy