[Freeipa-users] Re: group name not resolved in IPA server for override

2021-07-15 Thread iulian roman via FreeIPA-users
I have done some more investigations and with the debugging enabled, I can see 
the following errors in the sssd_ipa.example.com.log  on the IPA server (when I 
run id  from an IPA client) : 

(2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] 
(0x0400): Search result: Success(0), no errmsg set
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_apply_default_override] 
(0x0080): Override attribute for [gidNumber] has more [2] than one value, using 
only the first.
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0080): 
Cannot set ts attrs for name=ro...@example.com,cn=users,cn=EXAMPLE.com,cn=sysdb
(2021-07-15 16:33:34): [be[ipa.example.com]] [sysdb_set_entry_attr] (0x0200): 
Entry [name=ro...@example.com,cn=users,cn=EXAMPLE.com,cn=sysdb] has set [cache, 
ts_cache] attrs.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request 
[Account #247]: Request handler finished [0]: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP 
Request [Account #247]: Receiving request data.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP 
Request [Account #247]: Request removed.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): 
Number of active DP request: 4
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP 
Request [Account #247]: Returning [Success]: 0,0,Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] 
(0x0400): sssd.dataprovider.getAccountInfo: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sdap_get_generic_op_finished] 
(0x0400): Search result: Success(0), no errmsg set
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): 
Domain ipa.example.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): 
Domain EXAMPLE.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_srv_ad_acct_lookup_step] 
(0x0400): Looking up AD account
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): 
Domain ipa.example.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [sss_domain_get_state] (0x1000): 
Domain EXAMPLE.com is Active
(2021-07-15 16:33:34): [be[ipa.example.com]] [ad_account_can_shortcut] 
(0x0080): Mapping ID [20890] to SID failed: [IDMAP domain not found]
(2021-07-15 16:33:34): [be[ipa.example.com]] [ad_handle_acct_info_send] 
(0x0400): This ID is from different domain
(2021-07-15 16:33:34): [be[ipa.example.com]] [ipa_get_ad_acct_ad_part_done] 
(0x0080): Object not found, ending request
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_done] (0x0400): DP Request 
[Account #249]: Request handler finished [0]: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [_dp_req_recv] (0x0400): DP 
Request [Account #249]: Receiving request data.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): DP 
Request [Account #249]: Request removed.
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_destructor] (0x0400): 
Number of active DP request: 3
(2021-07-15 16:33:34): [be[ipa.example.com]] [dp_req_reply_std] (0x1000): DP 
Request [Account #249]: Returning [Success]: 0,0,Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [sbus_issue_request_done] 
(0x0400): sssd.dataprovider.getAccountInfo: Success
(2021-07-15 16:33:34): [be[ipa.example.com]] [write_pipe_handler] (0x0400): All 
data has been sent!

The issue seems to be within the ad_account_can_shortcut function, but I cannot 
figure out what the real issue is. 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-07-15 Thread Joseph Fry via FreeIPA-users
So I provided the solution detailed above to my customer and they are putting 
it through its paces.  One thing they noticed was that the directory errors log 
(e.g. /var/log/dirsrv/slapd-LAB-LOCAL/errors) is reporting an unknown object 
class:

[15/Jul/2021:15:09:15.046703678 -0400] - ERR - slapi_entry_schema_check_ext - 
Entry "cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local" has unknown 
object class "computer"

[15/Jul/2021:15:09:15.096309439 -0400] - ERR - slapi_entry_schema_check_ext - 
Entry "cn=testgroup,cn=adcomputergroups,cn=compat,dc=lab,dc=local" has unknown 
object class "group"

I understand that those object classes aren't in the IPA schema, but I thought 
that the whole point of the compatibility plugin was to make things compatible 
with other schemas without actually modifying the schema.  Is there a way to 
resolve this, or at least suppress the errors?  Everything seems functional 
otherwise.


[Freeipa-users] Re: Compatibility Plugin .update file for Active Directory

2021-07-15 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 15 Jul 2021, Joseph Fry via FreeIPA-users wrote:

So I provided the solution detailed above to my customer and they are
putting it through its paces.  One thing they noticed was that the
directory errors log (e.g. /var/log/dirsrv/slapd-LAB-LOCAL/errors) is
reporting an unknown object class:

[15/Jul/2021:15:09:15.046703678 -0400] - ERR - slapi_entry_schema_check_ext - Entry 
"cn=test.lab.local,cn=adcomputers,cn=compat,dc=lab,dc=local" has unknown object class 
"computer"

[15/Jul/2021:15:09:15.096309439 -0400] - ERR - slapi_entry_schema_check_ext - Entry 
"cn=testgroup,cn=adcomputergroups,cn=compat,dc=lab,dc=local" has unknown object class 
"group"

I understand that those object classes aren't in the IPA schema, but I
thought that the whole point of the compatibility plugin was to make
things compatible with other schemas without actually modifying the
schema.  Is there a way to resolve this, or at least suppress the
errors?  Everything seems functional otherwise.


389-ds enforces schema compliance regardless of what you want to
represent to LDAP clients. There are two ways to solve this problem:

 - introduce proper LDAP object classes to the schema
 - use the extensibleObject objectclass in the entry

As you'll find, introducing AD schema is almost impossible if you want
to serve IPA schema in the same LDAP instance, so you may want to add
objectclass 'extensibleObject' to your definitions.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
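An added illustration of the second option (not from the thread and not the poster's actual .update file, which is not shown here): a Schema Compatibility plugin definition in ipa-ldap-updater format that emits the `cn=adcomputers,cn=compat` entries from the error log, first with only the AD `computer` class (the form 389-ds rejects as an unknown object class), then with `extensibleObject` added so the schema check passes. The search base, filter and `%{fqdn}` RDN are assumptions about how such a container would map IPA hosts to AD-style computer objects; `$SUFFIX` is the updater's placeholder for the base DN.

```ldif
# Constructed example. The first definition reproduces the error:
#   Entry "cn=test.lab.local,cn=adcomputers,cn=compat,..." has unknown
#   object class "computer"
# because "computer" is not part of the IPA schema and 389-ds enforces
# schema compliance on every compat entry it serves.
dn: cn=adcomputers,cn=Schema Compatibility,cn=plugins,cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputers
default:schema-compat-container-group: cn=adcomputers,cn=compat,$SUFFIX
default:schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX
default:schema-compat-search-filter: objectclass=ipaHost
default:schema-compat-entry-rdn: cn=%{fqdn}
default:schema-compat-entry-attribute: objectclass=computer
default:schema-compat-entry-attribute: cn=%{fqdn}

# Corrected definition: the emitted entries additionally carry
# objectclass=extensibleObject, which lets 389-ds accept the AD
# object class and attributes without importing the AD schema.
dn: cn=adcomputers,cn=Schema Compatibility,cn=plugins,cn=config
default:objectClass: top
default:objectClass: extensibleObject
default:cn: adcomputers
default:schema-compat-container-group: cn=adcomputers,cn=compat,$SUFFIX
default:schema-compat-search-base: cn=computers,cn=accounts,$SUFFIX
default:schema-compat-search-filter: objectclass=ipaHost
default:schema-compat-entry-rdn: cn=%{fqdn}
default:schema-compat-entry-attribute: objectclass=computer
default:schema-compat-entry-attribute: objectclass=extensibleObject
default:schema-compat-entry-attribute: cn=%{fqdn}
```

After applying the corrected definition with ipa-ldap-updater, the `slapi_entry_schema_check_ext` errors for that container should stop appearing in the dirsrv errors log; the same `objectclass=extensibleObject` line applies to the `cn=adcomputergroups` definition that produced the `group` error.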