Hello all,
First off, a big thanks to the developers for providing this piece of
software! Now, to the point!
I've recently run into the error(?) message below (/var/log/messages) on
some of our infrastructure nodes which have upgraded from sssd 1.9.x to
sssd-1.12.4-47:
sssd[be[rc.usf.edu]]: dereference processing failed : Input/output error
sssd[be[rc.usf.edu]]: dereference processing failed : Input/output error
Doing some online research and checking the list archives (2012-2015), I
found that other users with varied versions of sssd and Linux had run into
this issue as well. It was suggested that they should use
"ldap_deref_threshold = 0". A user also reported no errors after enabling
enumeration. I've done both on a test node and the message persists. I
even purged the db and cache without luck. I am using "error(?)" because I
am not experiencing any user/group resolution errors. All calls to getent
and id are successful.
A thread from February 2013 [1] had a suggestion to check LDAP with a deref
call and without. On the affected nodes, it does return a result; the OP
of that thread said that the deref call failed.
I also saw bug report for IPA 4.0 [2] that seems to reference the same
issue, but I'm not able to duplicate the problem.
There was an update to the LDAP servers via yum (minor bug fix revisions)
for 389ds and IPA, but nothing major. All other nodes running sssd-1.9.x
are not manifesting this message.
We're using FreeIPA (IPA server 3.0.0-47) with 389ds 1.2.11.15-60.
I can produce detailed logs upon request, but before doing so I was hoping
that the community could tell me if the message is a red herring and can be
safely ignored, or if there something else that should be checked. It's
just very odd that the older clients aren't manifesting the message and
these new clients are, even though nothing seems "broken".
[1]
https://lists.fedorahosted.org/pipermail/sssd-users/2013-February/000418....
[2]
https://fedorahosted.org/freeipa/ticket/4389
Thanks for any information!
John DeSantis