Hi,
a similar issue was already seen in other customer cases, and the advice
was to look for an entry with nameAlias: <groupname> in the cache. The
issue was resolved by removing this additional group.
HTH,
flo
On Tue, Jul 13, 2021 at 11:14 AM iulian roman via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hello everybody,
In the client logs I get the error bellow when querying AD users:
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Time limit
exceeded(3), (null).
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]]
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation failed, server logs
might contain more details.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Jul 13 10:47:46 2021) [sssd[be[ipa.example.com]]]
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
[1432158229]: Network I/O Error.
I've enabled nss debug on the server, and for that timestamp, the error is:
(2021-07-13 10:47:46): [nss] [cache_req_search_cache] (0x0020): CR #415:
Multiple objects were found when only one was expected!
(2021-07-13 10:47:46): [nss] [cache_req_process_result] (0x0400): CR #415:
Finished: Error 1432158305: Multiple objects were found when only one was
expected
(2021-07-13 10:47:46): [nss] [nss_protocol_done] (0x4000): Sending reply:
error [1432158305]: Multiple objects were found when only one was expected
(2021-07-13 10:47:46): [nss] [client_recv] (0x0200): Client disconnected!
(2021-07-13 10:47:46): [nss] [client_close_fn] (0x2000): Terminated client
[0x55930a1916f0][12]
The GID it is trying to search corresponds to "Domain Users" group from
AD (GID:1768200513), which is the default primary group for all users.
ldbsearch against the cache shows only one dn: entry for the "Domain
Users". Nevertheless , when running groups command for any user, it
displays:
"cannot find name for group ID 1768200513 "
getent group 1768200513 does not resolve the group name to "Domain Users"
either.
Any hint or help would be really appreciated.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure