8:59 a.m.
Hello everybody,
I have an issue with listing the AD users part of Default Trust View (all users have
the uid overriden ) from an ipa client which is running sssd 2.2.3. The same setup works
properly on Ubuntu systems with sssd 1.16.1 and Idm servers with sssd version 2.4.0. I
have enabled all tracing on the clients and it seems that the issue is when it tries to
write the cache :
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User
test_user(a)example.com does not exist.
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named
test_user(a)example.com already exists in an MPG domain
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache update
failed: 17
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects] (0x0040):
sysdb_delete_group failed for MPG group [2]: No such file or directory
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040):
ipa_s2n_save_objects failed.
The query works properly for trust users which do not have uid overriden . getent group
works properly but getent passwd does not display anything.
I am in a point where I am clueless therefore any hint/suggestion would be really
appreciated.
I have posted the issue on the freeipa-users list as well but I thought that being an sssd
issue maybe is more appropriate to have it here.
1:29 a.m.
Am Thu, Jun 17, 2021 at 01:59:13PM -0000 schrieb iulian roman:
Hello everybody,
I have an issue with listing the AD users part of Default Trust View (all users have
the uid overriden ) from an ipa client which is running sssd 2.2.3. The same setup works
properly on Ubuntu systems with sssd 1.16.1 and Idm servers with sssd version 2.4.0. I
have enabled all tracing on the clients and it seems that the issue is when it tries to
write the cache :
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x1000): User
test_user(a)example.com does not exist.
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0040): Group named
test_user(a)example.com already exists in an MPG domain
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_add_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_user_by_uid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_user] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0040): Cache
update failed: 17
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_store_user] (0x0400): Error: 17
(File exists)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_search_group_by_gid] (0x0400): No
such entry
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [sysdb_delete_group] (0x0400): Error: 2
(No such file or directory)
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_save_objects] (0x0040):
sysdb_delete_group failed for MPG group [2]: No such file or directory
(Thu Jun 17 15:03:54 2021) [be[ipa.example.com]] [ipa_s2n_get_user_done] (0x0040):
ipa_s2n_save_objects failed.
The query works properly for trust users which do not have uid overriden . getent group
works properly but getent passwd does not display anything.
Hi,
I'm sorry I didn't reply in time on the freeipa-users list. From the log
snippet it looks like you have overwritten a user or a group name so
that a user and a group will have the same name. This does not work with
the idrange type 'ipa-ad-trust' where UIDs and GIDs are generated
automatically and a "user-private-group" is created in the fly. This
"user-private-group" is the primary group of the user and will have the
same name as the user and the GID is numerically the same as the UID of
the user. This means we restrict the name and ID space which are
typically independent on the Linux/UNIX/Posix side. This works fine with
AD and automatic ID generation because on AD users and groups are using
the same name and ID space as well.
For id-overrides this restrictions must be observed as well.
With very recent versions of FreeIPA and SSSD the primary group can be
configured more flexible, see https://pagure.io/freeipa/issue/8807 and
https://github.com/SSSD/sssd/issues/4216 for more details. But the
related patches might not be available on all platforms.
HTH
bye,
Sumit
I am in a point where I am clueless therefore any hint/suggestion would be really
appreciated.
I have posted the issue on the freeipa-users list as well but I thought that being an
sssd issue maybe is more appropriate to have it here.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
2:56 a.m.
Hi Sumit,
Thank you for the answer. The same setup works without issues on all Ubuntu 18.04 systems
with sssd 1.16.1. I overwrite only the UID and the primary gid is generated automatically
by IPA (a long number).
The problem is with the Ubuntu 20 and sssd 2.2.3 , therefore I cannot enrol any Ubuntu 20
systems. I ended up with an unfunctional setup and I have no clue what/where to change
anything in order to have it working for both versions of Ubuntu and sssd.
Any help would be really appreciated.
7:34 a.m.
I forgot to mention that on the Idm Server (version 4.8.7) and sssd 2.4.0 the getent and
id queries work, not matter how and what I override in the Default Trust View.
7:54 a.m.
Am Fri, Jun 18, 2021 at 07:56:04AM -0000 schrieb iulian roman:
Hi Sumit,
Thank you for the answer. The same setup works without issues on all
Ubuntu 18.04 systems with sssd 1.16.1. I overwrite only the UID and
the primary gid is generated automatically by IPA (a long number).
The problem is with the Ubuntu 20 and sssd 2.2.3 , therefore I cannot
enrol any Ubuntu 20 systems. I ended up with an unfunctional setup and
Hi,
can you do the following on this client:
- add 'debug_level = 9' at least to the [nss] and [domain/...] sections
of sssd.conf (you might already have this)
- restart SSSD with an empty cache, e.g.
sssctl cache-remove -ops
- lookup the user
getent passwd user_with_override(a)ad.domain
I guess this should fail and return nothing
- send me the SSSD logs
bye,
Sumit
I have no clue what/where to change anything in order to have it
working for both versions of Ubuntu and sssd.
Any help would be really appreciated.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
11:31 a.m.
Am Fri, Jun 18, 2021 at 01:16:30PM -0000 schrieb iulian roman:
Where can I upload the logs?
Hi,
if you do not want to send them here, feel free to send them to me
directly.
bye,
Sumit
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
7:15 a.m.
Am Fri, Jun 18, 2021 at 07:55:32PM -0000 schrieb iulian roman:
> Am Fri, Jun 18, 2021 at 01:16:30PM -0000 schrieb iulian roman:
>
> Hi,
>
> if you do not want to send them here, feel free to send them to me
> directly.
>
Hi Sumit,
I have sent the logs to your email. They were quite big to attach here.
Hi,
thank you for the logs, they helped me to understand the setup better.
If I understand it correctly you are letting IPA/SSSD automatically
assign UIDs and GIDs to AD users and groups and then created an
id-override for a user where only the UID is set to a different value.
This in fact might be a scenario we currently didn't cover properly. The
id-overrides were introduced as a tool to facilitate migrations and we
used various use-cases/user-stories for testing since the overall
possibilities with id-overrides are quite large. For the automatic ID
assignment we thought that for legacy systems which still depend on old
UIDs and GIDs both must be changed. This should also show a possible
workaround.
If you add a GID to the user override as well which is either the GID of
an existing AD group or the overridden one from a group override the
client should be able to resolve the user as well.
HTH
bye,
Sumit
> bye,
> Sumit
Hi Sumit,
They are
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
9:28 a.m.
Hi Summit,
Initially I tried to override both the uid and gid of the active directory users in the
Default Trust View. Due to the fact that I did not have a group name for the GID in Active
Directory I had to remove the GID override . All works properly with sssd client version
1.16.1 and sssd client 2.4.0 in ipa server mode, but not with sssd 2.2.3 as I mentioned
already.
Now, I tried to override the GID in the Default Trust View , User Groups section, but I
get the following error:
"invalid 'identifier': You are trying to reference a magic private group
which is not allowed to be overridden. Try overriding the GID attribute of the
corresponding user instead.". If I'll override the GID in the user section, it
will stop working on all clients due to the fact that in AD i do not have a group name for
that GID.
Any idea or workaround I can use ?
Thank You !
10:22 a.m.
quick update regarding the GID override. If I override the GID (and the group name does
not exist in AD for that GID) , I can make the sssd client (both versions) work ONLY if i
run manually getent group <group_name>. I cannot do that for hundred of users and
thousand of servers (especially when the infrastructure is quit dynamic) , therefore I
would need an acceptable compromise, which eventually can be automated.
3:17 a.m.
Am Tue, Jun 22, 2021 at 03:22:33PM -0000 schrieb iulian roman:
quick update regarding the GID override. If I override the GID (and
the group name does not exist in AD for that GID) , I can make the
Hi,
yes, it is required that the GID can be resolved to a name, so there
either must be a group with this GID or the GID must set in a group
id-override.
bye,
Sumit
sssd client (both versions) work ONLY if i run manually getent
group
<group_name>. I cannot do that for hundred of users and thousand of
servers (especially when the infrastructure is quit dynamic) ,
therefore I would need an acceptable compromise, which eventually can
be automated.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1030
days inactive
1042
days old
sssd-users@lists.fedorahosted.org
11 comments
2 participants
participants (2)
-
iulian roman -
Sumit Bose