On 04/03/2017 02:10 AM, Alexander Bokovoy wrote:
> On Mon, 03 Apr 2017, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote:
>>> I'm seeing messages like this:
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external group memberships even after all groups have been looked up on the LDAP server.
>>>
>>> and wondering if it is anything to worry about.
>>>
>>> Some context:
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): No such entry
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com))
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [merge_msg_ts_attrs] (0x2000): No such DN in the timestamp cache: name=n...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't contain this DN, skipping
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nwra,dc=com]
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_print_server] (0x2000): Searching 10.10.41.4:389
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=12d2026e-a5cd-11e5-a14e-00163e2d6456)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nwra,dc=com].
>>>
>>
>> I think this might be the reason why SSSD reports unresolved
>> memberships. It's trying to resolve the group using the cn attribute, but
>> the object's RDN attribute seems to be ipaUniqueID. So I don't think
>> this is harmful, just confusing.
>>
>> Can you please check what the object is on the IPA side with this
>> ipaUniqueID?
> It is HBAC group -- see above in the log:
> (&(objectclass=group)(originalDN=ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com))
This is our "allow employees access" HBAC group. So it applies to our "nwra" host group as well as a couple of individual machines, and to our "nwra" IPA group.

# 12d2026e-a5cd-11e5-a14e-00163e2d6456, hbac, nwra.com
dn: ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com
description: Allow NWRA-Users
serviceCategory: all
memberHost: cn=nwra,cn=hostgroups,cn=accounts,dc=nwra,dc=com
memberHost: fqdn=ipaclient1.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=com
memberHost: fqdn=quetzal.cora.nwra.com,cn=computers,cn=accounts,dc=nwra,dc=com
memberUser: cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com
objectClass: ipaassociation
objectClass: ipahbacrule
accessRuleType: allow
ipaEnabledFlag: TRUE
cn: allow_nwra
ipaUniqueID: 12d2026e-a5cd-11e5-a14e-00163e2d6456

The group search for that item fails presumably because it's not a group (doesn't have objectclass=group). The nwra group contains the nwra_users_external group:

# ipa group-show nwra
  Group name: nwra
  Description: ad.nwra.com NWRA-Users
  GID: 1001
  Member groups: nwra_users_external
  Member of HBAC rule: allow_nwra

# ipa group-show nwra_users_external
  Group name: nwra_users_external
  Description: ad.nwra.com NWRA-Users external map
  External member: nwra-us...@ad.nwra.com
  Member of groups: nwra
  Indirect Member of HBAC rule: allow_nwra

-- 
Orion Poplawski
Technical Manager                     720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    or...@nwra.com
Boulder, CO 80301                     http://www.nwra.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
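To make the diagnosis in this thread concrete, here is an added example (not code from SSSD, FreeIPA, or any of the posters) that replays the lookup the log shows: take the leftmost RDN value of the originalDN, plug it into the cn= clause of the filter SSSD passed to ldap_search_ext, and evaluate each clause against the entry. The HBAC rule entry is built from the LDIF Orion pasted; the "nwra" group entry is constructed to agree with the `ipa group-show nwra` output (GID 1001), and its objectClass list is an assumption about an ordinary POSIX IPA group. The clause evaluation is a plain re-implementation of the logged filter, not SSSD's own code.

```python
# Added example, not code from SSSD, FreeIPA or the thread's authors.
# Re-creates the check Jakub and Orion reason about: SSSD takes the RDN
# value of an originalDN and searches for a *group* whose cn equals it.
# Entries are constructed from the values quoted in the thread; the
# clause evaluation mimics the logged ldap_search_ext filter only.


def parse_dn(dn):
    """Split a DN into [(attr, value), ...], leftmost RDN first.

    Minimal splitter: assumes no escaped ',' or '=' in values, which
    holds for every DN quoted in the thread.
    """
    parts = []
    for component in dn.split(","):
        attr, _, value = component.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, e.g. 'ipauniqueid' or 'cn'."""
    return parse_dn(dn)[0][0]


def rdn_value(dn):
    """Value of the leftmost RDN."""
    return parse_dn(dn)[0][1]


def group_lookup_filter(value):
    """The filter SSSD logged, with the RDN value substituted into cn=."""
    return ("(&(cn=%s)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))"
            "(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" % value)


def failing_clauses(entry, value):
    """Evaluate each clause of group_lookup_filter() against an entry
    given as {attribute (lower-case): [values]} and return the names of
    the clauses that do not match.  An empty list means a hit."""
    def values(attr):
        return [str(v) for v in entry.get(attr.lower(), [])]

    classes = {c.lower() for c in values("objectClass")}
    gids = values("gidNumber")
    checks = {
        "cn=%s" % value: value in values("cn"),
        "objectClass=ipaUserGroup|posixGroup":
            bool(classes & {"ipausergroup", "posixgroup"}),
        "cn=*": bool(values("cn")),
        "gidNumber=* and gidNumber!=0": bool(gids) and "0" not in gids,
    }
    return [name for name, ok in checks.items() if not ok]


def resolves_as_group(entry, original_dn):
    """True if SSSD's cn-based group search would find this entry."""
    return not failing_clauses(entry, rdn_value(original_dn))


# Constructed from the LDIF in the thread (attribute names lower-cased).
HBAC_DN = "ipaUniqueID=12d2026e-a5cd-11e5-a14e-00163e2d6456,cn=hbac,dc=nwra,dc=com"
HBAC_RULE = {
    "objectclass": ["ipaassociation", "ipahbacrule"],
    "cn": ["allow_nwra"],
    "ipauniqueid": ["12d2026e-a5cd-11e5-a14e-00163e2d6456"],
    "memberuser": ["cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com"],
}

# Constructed to match `ipa group-show nwra` (GID 1001); the objectClass
# list is an assumption about an ordinary POSIX IPA group.
NWRA_DN = "cn=nwra,cn=groups,cn=accounts,dc=nwra,dc=com"
NWRA_GROUP = {
    "objectclass": ["ipausergroup", "posixgroup", "groupofnames"],
    "cn": ["nwra"],
    "gidnumber": ["1001"],
}

if __name__ == "__main__":
    for dn, entry in ((HBAC_DN, HBAC_RULE), (NWRA_DN, NWRA_GROUP)):
        value = rdn_value(dn)
        print("originalDN    :", dn)
        print("RDN attribute :", rdn_attribute(dn))
        print("filter        :", group_lookup_filter(value))
        print("fails on      :", failing_clauses(entry, value) or "nothing")
        print()
```

Running it shows the HBAC rule failing three of the four clauses (its cn is allow_nwra rather than the UUID, it carries no group objectClass, and it has no gidNumber), while the "nwra" group passes all of them; that is exactly the split between the "No such entry" result for the hbac DN and the normal lookup for the group DN in the log, and why the resulting message is noise rather than a broken membership.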