We have a particular machine that is having trouble resolving an AD group - "domain admins". The relevant log entries seem to be:
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain admins@ad.nwra.com] in cache
(2021-12-29 13:40:17): [nss] [sysdb_search_override_by_name] (0x0400): No user override found for name [domain admins@ad.nwra.com].
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result.
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Object [domain admins@ad.nwra.com] was not found in cache
(2021-12-29 13:40:17): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): CR #152: Adding [domain admins@ad.nwra.com] to negative cache
(2021-12-29 13:40:17): [nss] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/ad.nwra.com/domain admins@ad.nwra.com] to negative cache
(2021-12-29 13:40:17): [nss] [cache_req_process_result] (0x0400): CR #152: Finished: Not found
(2021-12-29 13:40:17): [nss] [sss_domain_get_state] (0x1000): Domain ad.nwra.com is Active
(2021-12-29 13:40:17): [nss] [nss_protocol_done] (0x4000): Sending reply: not found
on working systems we don't have the sysdb_getgrnam_with_views message. I'd rather not clear the sssd database. Is there anything else that can be done? 'sss_cache -g "domain admins"' does not help.
We're using an IPA <-> AD trust.
Thanks
On 12/29/21 13:48, sssd-users@lists.fedorahosted.org wrote:
on working systems we don't have the sysdb_getgrnam_with_views message. I'd rather not clear the sssd database. Is there anything else that can be done? 'sss_cache -g "domain admins"' does not help.
We're using an IPA <-> AD trust.
So, ldbsearch revealed:
dn: name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
...
ghost: template-admin@ad.nwra.com
and:
sss_cache -g 'domain admins@ad.nwra.com'
did the trick of clearing that.
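Added example, not part of the original thread: a small shell helper that scans an SSSD NSS responder log for the "contains ghost entries" message quoted above and prints the fully qualified `sss_cache -g` invalidation for each affected group. The log layout follows the excerpt in the thread; the sample log, the `backup operators` group, CR #153 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find groups that SSSD's NSS responder
# answered as "not found" because the cached object still has ghost members.

# Constructed sample in the log layout shown in the thread; the first entries
# mirror the thread, "backup operators" and CR #153 are invented for the demo.
sample_log() {
cat <<'EOF'
(2021-12-29 13:40:17): [nss] [cache_req_search_cache] (0x0400): CR #152: Looking up [domain admins@ad.nwra.com] in cache
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:40:17): [nss] [sysdb_getgrnam_with_views] (0x4000): Returning empty result.
(2021-12-29 13:41:02): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:41:30): [nss] [sysdb_getgrnam_with_views] (0x4000): Group object [name=backup operators@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb], contains ghost entries which must be resolved before overrides can be applied.
(2021-12-29 13:41:30): [nss] [cache_req_process_result] (0x0400): CR #153: Finished: Not found
EOF
}

# Print each affected fully qualified group name once, in first-seen order.
# Reads the named log files, or stdin when called without arguments.
ghost_blocked_groups() {
    cat "$@" |
        sed -n 's/.*\[sysdb_getgrnam_with_views\].*Group object \[name=\([^,]*\),cn=groups,.*contains ghost entries.*/\1/p' |
        awk '!seen[$0]++'
}

# Print one invalidation command per affected group. The fully qualified
# name is used because that is the form that worked in the thread; single
# quotes inside a group name are escaped so the command stays one argument.
suggest_invalidation() {
    ghost_blocked_groups "$@" |
        sed "s/'/'\\\\''/g; s/.*/sss_cache -g '&'/"
}

# With log paths as arguments, scan them; with none, run on the sample.
if [ "$#" -gt 0 ]; then suggest_invalidation "$@"; else sample_log | suggest_invalidation; fi
```

The output is a list of commands to review, not something the script executes; the responder log only contains these messages when its debug level is high enough to emit the 0x4000 entries.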
On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote:
So, ldbsearch revealed:
dn: name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb
...
ghost: template-admin@ad.nwra.com
and:
sss_cache -g 'domain admins@ad.nwra.com'
did the trick of clearing that.
As a followup - is it reasonable for sssd to return an empty group in this situation?
On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote:
As a followup - is it reasonable for sssd to return an empty group in this situation?
Hi,
are you using 'ignore_group_members = True' in sssd.conf?
bye, Sumit
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On 1/3/22 08:47, Sumit Bose wrote:
Hi,
are you using 'ignore_group_members = True' in sssd.conf?
No.
On Sun, Jan 09, 2022 at 04:39:14PM -0700, Orion Poplawski wrote:
No.
Hi,
then I think SSSD should not return an empty group because applications checking group members might get confused.
Is there something special about 'template-admin@ad.nwra.com'? Can you resolve the user on IPA clients and servers? Does 'id template-admin@ad.nwra.com' show all groups the user is a member of with name and GID on IPA clients and servers or is sometimes a group name missing and only the GID shown?
bye, Sumit