On Wed, Mar 18, 2015 at 10:31:05AM +0100, Lukas Slebodnik wrote:
> On (18/03/15 10:25), Lukas Slebodnik wrote:
> >On (17/03/15 13:56), Domenico Viggiani wrote:
> >>> -----Original Message-----
> >>> But it would be nice to see the full logfile as well, this would i.e.
> >>> make sense if we're offline.
> >>
> >>Attached log file (slightly sanitized, to save the innocents).
> >>
> >These lines look suspicious.
> >
> >[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for
> >[testuser]
> >[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such
> >attribute]
> >[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
> >[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
> >group [name=IT-Area IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
> >[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such
> >attribute]
> >[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
> >[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
> >group [name=DGOP-Direzione Generale
> >Operativa,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
> >[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such
> >attribute]
> >[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
> >[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
> >group [name=Organigramma,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
> >[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such
> >attribute]
> >[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
> >[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
> >group [name=IT-Infrastruttura IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb].
> >Skipping
> >
> >
> >We recently added some extra debug messages to sssd
> >which could help with identification of the problem.
> >
> >I can prepare a testing repo for you. I need to know which platform you want
> >to test on: rhel/fedora?
> >
>
> I got another idea which could help you.
> By default we use tokengroups for obtaining group membership;
> it is faster. But it caused some problems in your case,
> so you can try to disable this feature.
>
> Try to put "ldap_use_tokengroups = false" into the domain section of sssd.conf.
> It is a workaround which can help; nevertheless, we want to fix your initial bug.
Yes, the problem is that during tokengroups we save the group as:

    name=$SID,$DN
    objectSID: $SID
    isPosix: false

then when the simple access provider resolves the group in order to
learn the name, the group should become:

    name=$NAME,$DN
    objectSID: $SID

isPosix defaults to True. We need to find out why we don't remove the
isPosix:False from the group object.
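An added example, not part of the original thread or of sssd: a small Python triage script that lists, per user, the cached groups named in the "Could not remove member" messages quoted above. The function names and the sample text are constructed here from the sanitized lines in the mail; it assumes the "[function] (0xLEVEL): message" layout shown in the thread and that wrapped lines were broken at a space.

```python
import re
from collections import defaultdict

# Constructed sample: sanitized lines quoted in the thread, keeping the mail
# client's hard wraps in the middle of a message.
SAMPLE_LOG = """\
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such
attribute]
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
group [name=IT-Area IT,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
[sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
[sysdb_update_members_ex] (0x0020): Could not remove member [testuser] from
group [name=DGOP-Direzione Generale
Operativa,cn=groups,cn=MYDOMAIN.COM,cn=sysdb]. Skipping
"""

# A record starts at "[function] (0xLEVEL): "; anything before it (timestamp,
# process tag) is ignored, and lines without it continue the previous record.
RECORD_START = re.compile(r"\[(\w+)\] \(0x[0-9a-f]+\): ")
FAILED = re.compile(
    r"Could not remove member \[(.+?)\] from group \[name=(.+?),cn=groups,")


def records(text):
    """Re-join hard-wrapped lines into [function, message] records."""
    out = []
    for line in text.splitlines():
        m = RECORD_START.search(line)
        if m:
            out.append([m.group(1), line[m.end():].strip()])
        elif out and line.strip():
            # Assumption: the wrap happened at a space, so restore one.
            out[-1][1] += " " + line.strip()
    return out


def failed_removals(text):
    """Map each user to the cached groups their entry could not be removed from."""
    stale = defaultdict(list)
    for func, msg in records(text):
        m = FAILED.search(msg)
        if func == "sysdb_update_members_ex" and m:
            stale[m.group(1)].append(m.group(2))
    return dict(stale)


if __name__ == "__main__":
    for user, groups in failed_removals(SAMPLE_LOG).items():
        print(user, "->", groups)
```

Running it against a domain log before and after setting "ldap_use_tokengroups = false" shows whether the workaround stops the failed removals for a given user.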