Hi,

on sssd 1.13.4-1ubuntu1.5: looking at sssd_domain.tls.log with debug level 9, I can see many wrong group requests.

After flushing the sssd cache and restarting:

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=10117)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=domain,DC=tld].

=> it is valid, but a few milliseconds later:

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=10107)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=domain,DC=tld]

returns nothing, because sAMAccountName=10107 does not exist.

In sssd_nss.log, it generates many errors such as:

[sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
[nss_cmd_getgrnam_search] (0x0040): No results for getgrnam call

Is it expected or a misconfiguration on my test environment?

attached: sssd.conf

On Mon, May 15, 2017 at 01:15:33PM +0200, Sébastien QUESSON wrote:
> Hi, on sssd 1.13.4-1ubuntu1.5: looking at sssd_domain.tls.log with debug level 9, I can see many wrong group requests.
>
> After flushing the sssd cache and restarting:
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=10117)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=domain,DC=tld].
> => it is valid, but a few milliseconds later:

This looks like the back end reacted to a getgrgid(10117) call

> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=10107)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=domain,DC=tld]
> returns nothing, because sAMAccountName=10107 does not exist.

This looks like the back end reacted to a getgrnam(10117) call

> In sssd_nss.log, it generates many errors such as:
> [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
> [nss_cmd_getgrnam_search] (0x0040): No results for getgrnam call

And this confirms it.

> Is it expected or a misconfiguration on my test environment?
> attached: sssd.conf

I think it's expected, it just looks like some application (you can see its details referred to in the nss logs as 'client') is calling both getgrgid and getpwnam.

> > Is it expected or a misconfiguration on my test environment?
>
> I think it's expected, it just looks like some application (you can see its details referred to in the nss logs as 'client') is calling both getgrgid and getpwnam.

OK, I searched which application is requesting groups with gid instead of names:

systemctl stop sssd && rm -rf /var/lib/sss/db/* && systemctl start sssd && service autofs restart
cat sssd_domain.tld.log | egrep "ldap_search_ext.*sAMAccountName=[0-9].*objectClass=group" | tail -n 5

This log began to fill with

calling ldap_search_ext with [(&(sAMAccountName=10107)(objectClass=group)

when autofs mounted a cifs share! And one of my maps is:

-fstype=cifs,sec=krb5,cruid=$UID,uid=$UID,username=$USER,noforceuid,gid=10107

man mount.cifs:
gid : It may be specified as either a groupname or a numeric gid

I think I will use groupnames in my maps now :) ! Thank you!

sssd-users@lists.fedorahosted.org
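
An added example, not part of the original thread: a small triage script that classifies the group searches in an SSSD domain log and counts the ones where an all-digit value was looked up as a group name, which is the pattern the egrep above was hunting for. The function names, the timestamp and process prefix on the sample lines, and the `staff` group are constructed for illustration; the filters are the ones quoted in the thread.

```python
import re
from collections import Counter

# An sdap_get_generic_ext_step line as quoted in the thread: [filter][search base]
SEARCH_RE = re.compile(
    r"\[sdap_get_generic_ext_step\].*?calling ldap_search_ext with "
    r"\[(?P<filter>\(.*\))\]\["
)
# First assertion inside the outer (&...): the key the back end is resolving.
KEY_RE = re.compile(r"^\(&\((?P<attr>[A-Za-z]+)=(?P<value>[^()]*)\)")


def classify(line):
    """Return (kind, value) for a group search line, or None for anything else."""
    m = SEARCH_RE.search(line)
    if not m or "(objectClass=group)" not in m.group("filter"):
        return None
    key = KEY_RE.match(m.group("filter"))
    if not key:
        return None
    attr, value = key.group("attr"), key.group("value")
    if attr == "gidNumber":
        return ("by-gid", value)          # result of a getgrgid() style lookup
    if attr == "sAMAccountName":
        # A name made only of digits is almost always a gid passed as a name.
        kind = "numeric-name" if re.fullmatch(r"[0-9]+", value) else "by-name"
        return (kind, value)
    return None


def summarize(lines):
    """Count group searches per (kind, value)."""
    return Counter(r for r in map(classify, lines) if r)


# Constructed sample log lines (prefix format is an assumption).
PREFIX = ("(Mon May 15 13:10:01 2017) [sssd[be[domain.tld]]] "
          "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&")
TAIL = ("(objectClass=group)(sAMAccountName=*)"
        "(&(gidNumber=*)(!(gidNumber=0))))][DC=domain,DC=tld].")
SAMPLE = [
    PREFIX + "(gidNumber=10117)" + TAIL,
    PREFIX + "(sAMAccountName=10107)" + TAIL,
    PREFIX + "(sAMAccountName=10107)" + TAIL,
    PREFIX + "(sAMAccountName=staff)" + TAIL,
    "(Mon May 15 13:10:02 2017) [some_other_function] (0x0200): unrelated message",
]

if __name__ == "__main__":
    for (kind, value), n in sorted(summarize(SAMPLE).items()):
        print(f"{kind:13} {value:8} x{n}")
```
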