On Mon, 25 Mar 2024, Natxo Asenjo wrote:
On Mon, Mar 25, 2024 at 2:50 PM Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Mon, 25 Mar 2024, Natxo Asenjo wrote:
>On Mon, Mar 25, 2024 at 1:49 PM Alexander Bokovoy <aboko...@redhat.com>
>wrote:

>> Can you give more details about this ID?
>>
>
>is this a local user account ?
>
>On both client and server involved in this problem:
>
># id -nu 2000
>id: ‘2000’: no such user
>
>Or I am misunderstanding your question, if so, apologies?

There are quite a few IDs that get the same treatment:

(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#146] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#148] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#152] Mapping ID [1200] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:11): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#154] Mapping ID [2000] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#156] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#158] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:19): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#160] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#162] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:29): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#164] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:37): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#166] Mapping ID [65532] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#168] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:45): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#170] Mapping ID [103] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#172] Mapping ID [65535] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#174] Mapping ID [1001] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#176] Mapping ID [2000] to SID failed: [IDMAP domain not found]

By the code mark, it is in AD provider:

$ git grep ad_account_can_shortcut
src/providers/ad/ad_id.c:static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
src/providers/ad/ad_id.c:    shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx,

so it attempts to perform ID to name translation but fails to see if
this ID matches the AD domain's ID range.

If you have full SSSD logs from both client and IPA server at the same
time, those would be helpful.


Of course. If you don't mind I will not sanitize them and send them
directly to you. That will prevent search/replace errors on my part.

I will make 2 tarballs, one for client, one for server, and send them
directly, if it's ok.

That is fine. Thank you!



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
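
A way to triage the "Mapping ID ... to SID failed" entries quoted in this thread, as an added example that is not part of the original messages or of SSSD: it collects the failing IDs, tolerating mail-wrapped log lines, and reports which ones fall inside a configured ID range. The range names and values in ID_RANGES and the last sample entry are assumptions made up for illustration.

```python
import re
from collections import Counter

# Shape of the SSSD domain-log message quoted in the thread.
ENTRY_RE = re.compile(
    r"\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): \[be\[(?P<domain>[^\]]+)\]\] "
    r"\[ad_account_can_shortcut\] \(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] "
    r"Mapping ID \[(?P<id>\d+)\] to SID failed: \[(?P<reason>[^\]]+)\]"
)

# Constructed sample in the thread's format; the last entry is invented
# to exercise the in-range case. Two entries are wrapped as a mail client would.
SAMPLE_LOG = """\
(2024-03-25 11:17:07): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#150] Mapping ID [2000] to SID failed: [IDMAP domain not
found]
(2024-03-25 11:17:13): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#156] Mapping ID [101] to SID failed: [IDMAP domain not found]
(2024-03-25 11:17:46): [be[idm.domain.local]] [ad_account_can_shortcut]
(0x0080): [RID#176] Mapping ID [2000] to SID failed: [IDMAP domain not
found]
(2024-03-25 11:17:50): [be[idm.domain.local]] [ad_account_can_shortcut] (0x0080): [RID#178] Mapping ID [1234000005] to SID failed: [IDMAP domain not found]
"""

# Hypothetical ranges (name -> first ID, size); take real ones from `ipa idrange-find`.
ID_RANGES = {
    "IDM.DOMAIN.LOCAL_id_range": (1234000000, 200000),
    "AD.EXAMPLE_id_range": (1897600000, 200000),
}

def parse_failures(text):
    """Return one dict per failed ID-to-SID mapping, tolerating wrapped lines."""
    flat = re.sub(r"\s*\n\s*", " ", text)  # undo line wrapping before matching
    return [m.groupdict() for m in ENTRY_RE.finditer(flat)]

def owning_range(posix_id, ranges=ID_RANGES):
    """Name of the range containing posix_id, or None if no range covers it."""
    for name, (base, size) in ranges.items():
        if base <= posix_id < base + size:
            return name
    return None

def summarize(text, ranges=ID_RANGES):
    """Map each failing ID to (occurrence count, owning range or None)."""
    counts = Counter(int(e["id"]) for e in parse_failures(text))
    return {i: (n, owning_range(i, ranges)) for i, n in sorted(counts.items())}

if __name__ == "__main__":
    for posix_id, (count, rng) in summarize(SAMPLE_LOG).items():
        print(f"{posix_id:>12}  x{count}  {rng or 'outside every configured range'}")
```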