On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>> I seem to be having some issues with users/groups that may be leading to
>> errors in the subdomain status. Can anyone parse this for me?
>>
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>
> This can be ignored, it's just a minor performance annoyance we track
> upstream.

Figured something like that, but thanks.

>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
>
> But this seems strange. Before you sanitized (presumably?) the logs, did
> the DN name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb correspond to
> an IPA object?

Yes, it's an IPA group used for HBAC access.

> Did you run the sidgen task when setting up trusts or did you make sure
> all replicas are either trust controllers or trust agents? Does the
> entry on the IPA LDAP side have ipaNTSecurityIdentifier attribute?

I suspect the sidgen task has not been run, as I'm not really sure what that
is. I have belatedly installed and run ipa-adtrust-install on all of our IPA
servers, though a couple ran without that for a while. It does not look like
that group has an ipaNTSecurityIdentifier attribute.

>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups
>> overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_initgr_get_overrides_step] (0x0040): The group
>> name=u...@nwra.com,cn=groups,cn=nwra.com,cn=sysdb has no UUID attribute
>> objectSIDString, error!
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups
>> overrides
>> failed [22].
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID
>> S-1-5-32-545
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_cache_entry_attr]
>> (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object
>> (32)]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [sysdb_set_entry_attr]
>> (0x0080): Cannot set ts attrs for
>> name=u...@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
>> group memberships even after all groups have been looked up on the LDAP
>> server.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
>> request
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0080): Sudomain lookup failed, will try to reset sudomain..
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
>> Cannot retrieve service [ad.nwra.com]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
>> request
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0080): Sudomain lookup failed, will try to reset sudomain..
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [be_fo_reset_svc] (0x0080):
>> Cannot retrieve service [ad.nwra.com]
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]] [dp_reply_std_set] (0x0080):
>> DP Error is OK on failed request?
>> (Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
>> request
>>
>> --
>> Orion Poplawski
>> Technical Manager 720-772-5637
>> NWRA, Boulder/CoRA Office FAX: 303-415-9702
>> 3380 Mitchell Lane or...@nwra.com
>> Boulder, CO 80301 http://www.nwra.com
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301 http://www.nwra.com
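
An added example, not part of the original thread or of SSSD: a small triage script for backend debug output of the kind quoted above. It collapses repeated entries, orders them by the failure levels documented in sssd.conf(5), and lists the groups reported without objectSIDString. The sample log, its names and the triage() helper are constructed for illustration.

```python
import re
from collections import Counter

# One SSSD backend debug entry: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
NO_SID = re.compile(r"The group (?P<dn>\S+) has no UUID attribute objectSIDString")
# Failure levels from sssd.conf(5); a smaller bit means a more severe message.
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

# Constructed sample: placeholder names, one entry per line as sssd writes them.
P = "(Fri Mar 31 16:54:26 2017) [sssd[be[example.test]]] "
SAMPLE = "\n".join([
    P + "[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for "
        "name=user1@ad.example.test,cn=users,cn=ad.example.test,cn=sysdb",
    P + "[ipa_initgr_get_overrides_step] (0x0040): The group "
        "name=hbac-admins@example.test,cn=groups,cn=example.test,cn=sysdb "
        "has no UUID attribute objectSIDString, error!",
    P + "[sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for "
        "name=user1@ad.example.test,cn=users,cn=ad.example.test,cn=sysdb",
    P + "[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external "
        "group memberships even after all groups have been looked up on the LDAP server.",
    P + "[ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: "
        "[1432158270]: Subdomain is inactive.",
])

def triage(text):
    """Collapse repeated entries and pull out the findings discussed in the thread."""
    counts, groups, inactive = Counter(), set(), False
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip wrapped fragments and lines from other processes
        counts[(int(m["level"], 16), m["func"])] += 1
        hit = NO_SID.search(m["msg"])
        if hit:
            groups.add(hit["dn"])
        inactive = inactive or "Subdomain is inactive" in m["msg"]
    # Sorting on (level, function) puts the most severe entries first.
    summary = [(LEVELS.get(lvl, hex(lvl)), func, n)
               for (lvl, func), n in sorted(counts.items())]
    return {"summary": summary, "groups_without_sid": sorted(groups),
            "subdomain_inactive": inactive}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for label, func, n in report["summary"]:
        print(f"{label:8} {func} x{n}")
    print("groups lacking objectSIDString:", report["groups_without_sid"])
    print("subdomain marked inactive:", report["subdomain_inactive"])
```

Entries that a mail client has wrapped across several lines will not match; run it against the log file itself.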