[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-07-28 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 02, 2021 at 02:32:19PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 01.07.21 18:00, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > > > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > > Today I set up an IPA test web application in our IPA test environment. I
> > > > > figured out that my AD user was resolved but the user of my colleague was
> > > > > not. (getent passwd userA/userB)
> > > > >
> > > > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > > > > started SSSD again. After that I could not resolve any AD user. The sssd
> > > > > logs showed a Network I/O error:
> > > > >
> > > > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > > > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > > > > handle the request.
> > > > > .
> > > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > > > (0x0040): ldap_extended_operation failed, server logs might contain more
> > > > > details.
> > > > 
> > > > Hi,
> > > > 
> > > > you should check on the IPA servers if the users and all the
> > > > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > > > should display the user and all its groups with both name and ID. If
> > > > some groups are only listed by GID you should check why the IPA server
> > > > cannot resolve the name.
> > > 
> > > Resolving the users on an IPA server works properly.
> > 
> > Hi,
> > 
> > I'm afraid in this case you should point the client to a dedicated
> > server and check the SSSD nss logs for issues while the client is
> > sending the request to the server. If this does not give a hint then
> > enabling plugin debugging in the 389ds LDAP server might help.
> 
> (2021-07-02 14:25:45): [nss] [sss_ncache_check_str] (0x2000): Checking
> negative cache for
> [NCE/USER/someaddomain.mydomain.at/myadu...@someaddomain.mydomain.at]
> (2021-07-02 14:25:45): [nss] [cache_req_search_ncache] (0x0400): CR #2:
> [myadu...@someaddomain.mydomain.at] is not present in negative cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2:
> Looking up [myadu...@someaddomain.mydomain.at] in cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2:
> Object [myadu...@someaddomain.mydomain.at] was not found in cache
> (2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: Looking
> up [myadu...@someaddomain.mydomain.at] in data provider
> (2021-07-02 14:25:45): [nss] [sss_dp_get_account_send] (0x0400): Creating
> request for 
> [someaddomain.mydomain.at][0x1][BE_REQ_USER][name=myadu...@someaddomain.mydomain.at:-]
> (2021-07-02 14:25:49): [nss] [sbus_dispatch] (0x4000): Dispatching.
> (2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0040):
> CR #2: Data Provider Error: 3, 17, File exists
> (2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] (0x0400):
> CR #2: Due to an error we will return cached data
> 
> (2021-07-02 14:25:29): [be[ipatest.mydomain.at]] [server_setup] (0x0040):
> Starting with debug level = 0x0070
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]]
> [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]]
> [sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group]
> (0x0040): sysdb_add_group failed (while renaming group) for:
> myadu...@someaddomain.mydomain.at [1073895519].
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group]
> (0x0040): Cache update failed: 17
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_save_objects]
> (0x0040): sysdb_store_group failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]]
> [ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_next]
> (0x0040): ipa_s2n_get_list_save_step failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_done]
> (0x0040): s2n get_fqlist request failed.
> (2021-07-02 14:25:49): [be[ipatest.mydomain.at]]
> [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [17]:
> File exists.
> (2021-07-02 14:25:55): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> (2021-07-02 14:26:01): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> (2021-07-02 14:26:07): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> (2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> (0x0040): ldap_extended_operation 

[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-07-02 Thread Ronald Wimmer via FreeIPA-users

On 01.07.21 18:00, Sumit Bose via FreeIPA-users wrote:

> On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > Today I set up an IPA test web application in our IPA test environment. I
> > > > figured out that my AD user was resolved but the user of my colleague was
> > > > not. (getent passwd userA/userB)
> > > >
> > > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > > > started SSSD again. After that I could not resolve any AD user. The sssd
> > > > logs showed a Network I/O error:
> > > >
> > > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > > > handle the request.
> > > > .
> > > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > > (0x0040): ldap_extended_operation failed, server logs might contain more
> > > > details.
> > >
> > > Hi,
> > >
> > > you should check on the IPA servers if the users and all the
> > > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > > should display the user and all its groups with both name and ID. If
> > > some groups are only listed by GID you should check why the IPA server
> > > cannot resolve the name.
> >
> > Resolving the users on an IPA server works properly.
>
> Hi,
>
> I'm afraid in this case you should point the client to a dedicated
> server and check the SSSD nss logs for issues while the client is
> sending the request to the server. If this does not give a hint then
> enabling plugin debugging in the 389ds LDAP server might help.


(2021-07-02 14:25:45): [nss] [sss_ncache_check_str] (0x2000): Checking 
negative cache for 
[NCE/USER/someaddomain.mydomain.at/myadu...@someaddomain.mydomain.at]
(2021-07-02 14:25:45): [nss] [cache_req_search_ncache] (0x0400): CR #2: 
[myadu...@someaddomain.mydomain.at] is not present in negative cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: 
Looking up [myadu...@someaddomain.mydomain.at] in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_cache] (0x0400): CR #2: 
Object [myadu...@someaddomain.mydomain.at] was not found in cache
(2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2: 
Looking up [myadu...@someaddomain.mydomain.at] in data provider
(2021-07-02 14:25:45): [nss] [sss_dp_get_account_send] (0x0400): 
Creating request for 
[someaddomain.mydomain.at][0x1][BE_REQ_USER][name=myadu...@someaddomain.mydomain.at:-]

(2021-07-02 14:25:49): [nss] [sbus_dispatch] (0x4000): Dispatching.
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] 
(0x0040): CR #2: Data Provider Error: 3, 17, File exists
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply] 
(0x0400): CR #2: Due to an error we will return cached data


(2021-07-02 14:25:29): [be[ipatest.mydomain.at]] [server_setup] 
(0x0040): Starting with debug level = 0x0070
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[sysdb_set_cache_entry_attr] (0x0040): Error: 17 (File exists)
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group] 
(0x0040): sysdb_add_group failed (while renaming group) for: 
myadu...@someaddomain.mydomain.at [1073895519].
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_group] 
(0x0040): Cache update failed: 17
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_save_objects] 
(0x0040): sysdb_store_group failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[ipa_s2n_get_list_save_step] (0x0040): ipa_s2n_save_objects failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_next] 
(0x0040): ipa_s2n_get_list_save_step failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [ipa_s2n_get_list_done] 
(0x0040): s2n get_fqlist request failed.
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] 
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 
[17]: File exists.
(2021-07-02 14:25:55): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:01): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:07): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done] 
(0x0040): s2n exop request failed.
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] 
(0x0040): ldap_extended_operation result: No such object(32), (null).
(2021-07-02 14:26:13): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done] 
(0x0040): ldap_extended_operation result: No such object(32), (null).


What is this error no. 17 "file exists"?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List 
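As an added example (not part of the original thread and not SSSD code), a small Python helper that pulls the failure-level entries out of logs like the ones posted above and says which namespace each numeric code belongs to: a plain errno such as 17 (EEXIST) or a large SSSD-internal code such as 1432158230. The helper names and the 0x555D0000 base used to tell the two apart are assumptions of this example.

```python
import errno
import os
import re

# Assumption: SSSD-internal error codes start at this base (ERR_BASE in SSSD's sources).
SSSD_ERR_BASE = 0x555D0000
# Failure bits of the SSSD debug-level mask, named as in sssd.conf(5).
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}
# One entry: "(timestamp): [component] [function] (0xLEVEL): message"
ENTRY = re.compile(r"\((?P<ts>\d{4}-\d\d-\d\d [\d:]+)\): \[(?P<comp>.+?)\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)")
# Error numbers as the thread's messages print them; a bare "[gid]" is not matched.
CODE = re.compile(r"(?:Error: (?:\d+, )?|failed: \[?)(\d+)")

# Excerpt of the log lines quoted in the thread, with the mail's line wrapping.
SAMPLE = """\
(2021-07-02 14:25:45): [nss] [cache_req_search_dp] (0x0400): CR #2:
Looking up [myadu...@someaddomain.mydomain.at] in data provider
(2021-07-02 14:25:49): [nss] [cache_req_common_process_dp_reply]
(0x0040): CR #2: Data Provider Error: 3, 17, File exists
(2021-07-02 14:25:49): [be[ipatest.mydomain.at]] [sysdb_store_new_group]
(0x0040): sysdb_add_group failed (while renaming group) for:
myadu...@someaddomain.mydomain.at [1073895519].
(2021-06-30 11:46:14): [be[ipatest.mydomain.at]]
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
[1432158230]: Network I/O Error.
"""

def decode(code):
    """Say which error namespace a numeric code from an SSSD log belongs to."""
    if code >= SSSD_ERR_BASE:
        return f"SSSD internal error (base + {code - SSSD_ERR_BASE})"
    name = errno.errorcode.get(code)
    return f"errno {name}: {os.strerror(code)}" if name else "unknown"

def failures(text):
    """Re-join wrapped lines, then return (time, function, level, decoded code) per failure."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"\(\d{4}-\d\d-\d\d ", line):
            entries.append(line)          # a new entry starts with "(date "
        elif line and entries:
            entries[-1] += " " + line     # continuation of a wrapped entry
    rows = []
    for m in filter(None, map(ENTRY.match, entries)):
        level = FAILURE_LEVELS.get(int(m["level"], 16))
        code = CODE.search(m["msg"])
        if level:
            rows.append((m["ts"], m["func"], level,
                         decode(int(code.group(1))) if code else None))
    return rows

if __name__ == "__main__":
    for row in failures(SAMPLE):
        print(*row, sep=" | ")
```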

[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-07-01 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 30, 2021 at 01:29:48PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > Today I set up an IPA test web application in our IPA test environment. I
> > > figured out that my AD user was resolved but the user of my colleague was
> > > not. (getent passwd userA/userB)
> > > 
> > > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > > started SSSD again. After that I could not resolve any AD user. The sssd
> > > logs showed a Network I/O error:
> > > 
> > > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > > handle the request.
> > > .
> > > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > > (0x0040): ldap_extended_operation failed, server logs might contain more
> > > details.
> > 
> > Hi,
> > 
> > you should check on the IPA servers if the users and all the
> > group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> > should display the user and all its groups with both name and ID. If
> > some groups are only listed by GID you should check why the IPA server
> > cannot resolve the name.
> 
> Resolving the users on an IPA server works properly.

Hi,

I'm afraid in this case you should point the client to a dedicated
server and check the SSSD nss logs for issues while the client is
sending the request to the server. If this does not give a hint then
enabling plugin debugging in the 389ds LDAP server might help.

bye,
Sumit



[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-06-30 Thread Ronald Wimmer via FreeIPA-users

On 30.06.21 13:26, Sumit Bose via FreeIPA-users wrote:

> On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > Today I set up an IPA test web application in our IPA test environment. I
> > figured out that my AD user was resolved but the user of my colleague was
> > not. (getent passwd userA/userB)
> >
> > I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> > started SSSD again. After that I could not resolve any AD user. The sssd
> > logs showed a Network I/O error:
> >
> > ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> > handle the request.
> > .
> > (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> > (0x0040): ldap_extended_operation failed, server logs might contain more
> > details.
>
> Hi,
>
> you should check on the IPA servers if the users and all the
> group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
> should display the user and all its groups with both name and ID. If
> some groups are only listed by GID you should check why the IPA server
> cannot resolve the name.


Resolving the users on an IPA server works properly.





[Freeipa-users] Re: Network I/O error when trying to resolve AD users

2021-06-30 Thread Sumit Bose via FreeIPA-users
On Wed, Jun 30, 2021 at 12:13:54PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> Today I set up an IPA test web application in our IPA test environment. I
> figured out that my AD user was resolved but the user of my colleague was
> not. (getent passwd userA/userB)
> 
> I stopped SSSD, cleared the cache with 'rm -rf /var/lib/sss/db/*' and
> started SSSD again. After that I could not resolve any AD user. The sssd
> logs showed a Network I/O error:
> 
> ==> /var/log/sssd/sssd_ipatest.mydomain.at.log <==
> (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> (0x0040): ldap_extended_operation result: Operations error(1), Failed to
> handle the request.
> .
> (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_exop_done]
> (0x0040): ldap_extended_operation failed, server logs might contain more
> details.

Hi,

you should check on the IPA servers if the users and all the
group-memberships can be resolved properly, i.e. 'id aduser@AD.DOMAIN'
should display the user and all its groups with both name and ID. If
some groups are only listed by GID you should check why the IPA server
cannot resolve the name.

HTH

bye,
Sumit

> (2021-06-30 11:46:14): [be[ipatest.mydomain.at]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> (2021-06-30 11:46:14): [be[ipatest.mydomain.at]]
> [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
> [1432158230]: Network I/O Error.
> 
> ==> /var/log/sssd/sssd_nss.log <==
> (2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply] (0x0040):
> CR #197: Data Provider Error: 3, 1432158230, Network I/O Error
> (2021-06-30 11:46:14): [nss] [cache_req_common_process_dp_reply] (0x0400):
> CR #197: Due to an error we will return cached data
> (2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197:
> Looking up [aduser...@org.mydomain.at] in cache
> (2021-06-30 11:46:14): [nss] [cache_req_search_cache] (0x0400): CR #197:
> Object [aduser...@org.mydomain.at] was not found in cache
> (2021-06-30 11:46:14): [nss] [cache_req_process_result] (0x0400): CR #197:
> Finished: Not found
> (2021-06-30 11:46:14): [nss] [client_recv] (0x0200): Client disconnected!
> 
> What the hell is going on here? Any hints would be highly appreciated!
> 
> Cheers,
> Ronald