> On Fri, Jan 19, 2024 at 12:39 PM Finn Fysj <finnfysj133(a)gmail.com> wrote:
> 
> Well, to debug this one needs:
>  - stop sssd
>  - remove old sssd logs (/var/log/sssd/)
>  - set 'debug_level = 9' in [nss] and domain sections of sssd.conf
>  - start sssd
>  - date; id UID
>  - capture logs
> 
> Then `sssctl analyze --logdir . request list` - it will list 'id'  -
> it will list something like "... [uid 0] CID #1: id"
> And `sssctl analyze --logdir . request show --merge 1` (where 1 is
> from CID #1) will show all log messages related to this lookup.
> 
> Not an easy read, though...

Looking further into sssd_default.log:
(2024-01-21 16:34:40): [be[default]] [sysdb_store_group] (0x0400): [RID#31] 
Group "prod-users@default" has been stored
(2024-01-21 16:34:40): [be[default]] [sdap_save_groups] (0x4000): [RID#31] 
Group 0 processed!
(2024-01-21 16:34:40): [be[default]] [sdap_attrs_get_sid_str] (0x1000): 
[RID#31] No [objectSID] attribute. [0][Success]
(2024-01-21 16:34:40): [be[default]] [sdap_save_grpmem] (0x0400): [RID#31] 
Failed to get group sid
(2024-01-21 16:34:40): [be[default]] [sdap_get_primary_name] (0x0400): [RID#31] 
Processing object prod-users
(2024-01-21 16:34:40): [be[default]] [sdap_save_grpmem] (0x0400): [RID#31] 
Processing group prod-users@default
(2024-01-21 16:34:40): [be[default]] [sdap_save_grpmem] (0x0400): [RID#31] 
Adding member users to group [prod-users@default]
(2024-01-21 16:34:40): [be[default]] [sdap_find_entry_by_origDN] (0x4000): 
[RID#31] Searching cache for [uid=user1,cn=users,cn=accounts,dc=example,dc=com].
(2024-01-21 16:34:40): [be[default]] [sdap_fill_memberships] (0x1000): [RID#31] 
    member #0 (uid=user1,cn=users,cn=accounts,dc=example,dc=com): 
[name=user1@default,cn=users,cn=default,cn=sysdb]
(2024-01-21 16:34:40): [be[default]] [sdap_find_entry_by_origDN] (0x4000): 
[RID#31] Searching cache for 
[cn=prod-users,cn=groups,cn=accounts,dc=example,dc=com].
(2024-01-21 16:34:40): [be[default]] [sdap_fill_memberships] (0x0080): [RID#31] 
Member [cn=devs,cn=groups,cn=accounts,dc=example,dc=com] was not found in 
cache. Is it out of scope?
(2024-01-21 16:34:40): [be[default]] [sdap_find_entry_by_origDN] (0x4000): 
[RID#31] Searching cache for [uid=user2,cn=users,cn=accounts,dc=example,dc=com].
(2024-01-22 16:34:40): [be[default]] [sdap_fill_memberships] (0x1000): [RID#31] 
    member #2 (uid=user2,cn=users,cn=accounts,dc=example,dc=com): 
[name=user2@default,cn=users,cn=default,cn=sysdb]

It's important to note that the group "devs" is a NON-Posix group in FreeIPA. 
However, as previously stated, this works with nss-pam-ldapd.