On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via
> > FreeIPA-users wrote:
> > > Today I set up an IPA test web application in our IPA test environment. I
> > > figured out that my AD user was resolved but the user of my colleague was
> > > not. (getent passwd userA/userB)
> > >
> > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > > started SSSD again. After that I could not resolve any AD user. The sssd
> > > logs showed a Network I/O error:
> > >
> > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > > handle the request.
> > > .
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation failed, server logs might contain more
> > > details.
> >
> > Hi,
> >
> > you should check on the IPA servers if the users and all the
> > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > should display the user and all its groups with both name and ID. If
> > some groups are only listed by GID you should check why the IPA server
> > cannot resolve the name.
>
> Resolving the users on an IPA server works properly.

Hi,

I'm afraid in this case you should point the client to a dedicated
server and check the SSSD nss logs for issues while the client is sending
the request to the server. If this does not give a hint then enabling
plugin debugging in the 389ds LDAP server might help.

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure