On Wed, Mar 18, 2015 at 10:31:05AM +0100, Lukas Slebodnik wrote:
On (18/03/15 10:25), Lukas Slebodnik wrote:
On (17/03/15 13:56), Domenico Viggiani wrote:
-----Original Message-----
But it would be nice to see the full logfile as well, this would i.e. make sense if we're offline.
Attached log file (slightly sanitized, to save the innocents).
These lines look suspicious.
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [testuser]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=IT-Area IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=DGOP-Direzione Generale Operativa,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=Organigramma,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=IT-Infrastruttura IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
We recently added some extra debug messages to sssd which could help with identification of the problem.
I can prepare a testing repo for you. I need to know which platform you want to test: rhel/fedora?
I got another idea which could help you. By default we use tokengroups for obtaining group membership; it is faster. But it caused some problems in your case, so you can try to disable this feature.
Try to put "ldap_use_tokengroups = false" into the domain section of sssd.conf. It is a workaround which can help; nevertheless, we want to fix your initial bug.
Yes, the problem is that during tokengroups we save the group as:
    name=$SID,$DN
    objectSID: $SID
    isPosix: false
then when the simple access provider resolves the group in order to learn the name, the group should become:
    name=$NAME,$DN
    objectSID: $SID
isPosix defaults to True. We need to find out why we don't remove the isPosix:False from the group object.
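
Added example, not part of the original thread and not SSSD code: a small Python script that scans an SSSD domain log for the skipped member removals quoted above and pairs each one with the LDB error logged just before it. The function and pattern names are hypothetical; the sample lines are copied from the log excerpt in this thread.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt quoted in this thread (two of the four groups).
SAMPLE_LOG = """\
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [testuser]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=IT-Area IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from group [name=Organigramma,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
"""

# "[function] (0xLEVEL): message"; any text before the function tag is ignored.
ENTRY = re.compile(r"\[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)")
LDB_ERR = re.compile(r"LDB returned unexpected error: \[([^\]]+)\]")
SKIPPED = re.compile(r"Could not remove member \[([^\]]+)\] from group \[([^\]]+)\]")
GROUP_RDN = re.compile(r"name=(.*?),cn=groups,")


def skipped_removals(log_text):
    """Return {user: [(group, preceding LDB error), ...]} for skipped removals."""
    found = defaultdict(list)
    last_err = None
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        func, _level, msg = entry.groups()
        if func == "sysdb_error_to_errno":
            err = LDB_ERR.search(msg)
            last_err = err.group(1) if err else None
        elif func == "sysdb_update_members_ex":
            skip = SKIPPED.search(msg)
            if skip:
                user, dn = skip.groups()
                rdn = GROUP_RDN.match(dn)
                found[user].append((rdn.group(1) if rdn else dn, last_err))
                last_err = None  # do not attribute this error to a later skip
    return dict(found)


if __name__ == "__main__":
    for user, groups in skipped_removals(SAMPLE_LOG).items():
        print(f"{user}: {len(groups)} member removal(s) skipped")
        for group, err in groups:
            print(f"  {group}  (LDB error: {err})")
```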