On Thu, Jun 17, 2021 at 01:59:13PM -0000, iulian roman wrote:
Hello everybody,
I have an issue with listing the AD users part of Default Trust View (all users have
the uid overridden) from an ipa client which is running sssd 2.2.3. The same setup works
properly on Ubuntu systems with sssd 1.16.1 and Idm servers with sssd version 2.4.0. I
have enabled all tracing on the clients and it seems that the issue is when it tries to
write the cache:
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User
test_user(a)example.com does not exist.
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named
test_user(a)example.com already exists in an MPG domain
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache
update failed: 17
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects] (0x0040):
sysdb_delete_group failed for MPG group [2]: No such file or directory
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040):
ipa_s2n_save_objects failed.
The query works properly for trust users which do not have uid overridden. getent group
works properly but getent passwd does not display anything.
Hi,
I'm sorry I didn't reply in time on the freeipa-users list. From the log
snippet it looks like you have overwritten a user or a group name so
that a user and a group will have the same name. This does not work with
the idrange type 'ipa-ad-trust' where UIDs and GIDs are generated
automatically and a "user-private-group" is created on the fly. This
"user-private-group" is the primary group of the user and will have the
same name as the user and the GID is numerically the same as the UID of
the user. This means we restrict the name and ID space which are
typically independent on the Linux/UNIX/Posix side. This works fine with
AD and automatic ID generation because on AD users and groups are using
the same name and ID space as well.
For id-overrides these restrictions must be observed as well.
With very recent versions of FreeIPA and SSSD the primary group can be
configured more flexibly, see
https://pagure.io/freeipa/issue/8807 and
https://github.com/SSSD/sssd/issues/4216 for more details. But the
related patches might not be available on all platforms.
HTH
bye,
Sumit
I am at a point where I am clueless, therefore any hint/suggestion would be really
appreciated.
I have posted the issue on the freeipa-users list as well but I thought that being an
sssd issue maybe it is more appropriate to have it here.
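
A triage helper for the failure shown in the log excerpt above, as an added example that is not part of the original thread and not SSSD's own code: it scans a backend debug log for the "already exists in an MPG domain" message and reports which names collided and whether the cache update then failed. The sample lines are constructed from the excerpt (re-joined onto single lines, with one constructed second name, `svc_backup`), and the function name `find_mpg_collisions` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the excerpt above, re-joined onto single
# lines, plus one constructed entry (svc_backup) with no follow-up failure.
SAMPLE_LOG = """\
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User test_user@example.com does not exist.
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named test_user@example.com already exists in an MPG domain
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17 (File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache update failed: 17
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
(Thu Jun 17 15:04:10 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named svc_backup@example.com already exists in an MPG domain
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[be\[(?P<domain>[^\]]+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
MPG_RE = re.compile(r"^Group named (?P<name>\S+) already exists in an MPG domain")


def find_mpg_collisions(log_text):
    """Return {(domain, name): {"hits": n, "cache_update_failed": bool}}."""
    found = defaultdict(lambda: {"hits": 0, "cache_update_failed": False})
    pending = {}  # domain -> key of the most recent collision in that backend
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation of a wrapped line, or unrelated text
        domain, func, msg = m["domain"], m["func"], m["msg"]
        hit = MPG_RE.match(msg) if func == "sysdb_add_user" else None
        if hit:
            key = (domain, hit["name"])
            found[key]["hits"] += 1
            pending[domain] = key
        elif func == "sysdb_store_user" and msg.startswith("Cache update failed: 17"):
            # Error 17 (File exists) after a collision: the user was not cached
            if domain in pending:
                found[pending.pop(domain)]["cache_update_failed"] = True
    return dict(found)


if __name__ == "__main__":
    for (domain, name), info in find_mpg_collisions(SAMPLE_LOG).items():
        print(domain, name, info)
```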