Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2398
Logged in to an IPA client machine via Kerberos/SSH and groups did not show any of the groups assigned in the IPA server.
Disabled LDAP dereferences in sssd.conf:
ldap_deref_threshold = 0
Was now able to sudo to the user and see the groups. However, with this option set, was unable to sshd to the machine:
Comment from admiyo at 2014-08-08 00:14:20
Here is a snippet of /var/log/sssd/sssd_younglogic.net.log with ldap_deref_threshold = 0
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][younglogic.net]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][younglogic.net]
Comment from jhrozek at 2014-08-08 08:31:01
Please attach all logs (or send them to me directly), the snippet is not conclusive enough.
From the log snippet I can only tell we should not be returning a System Error on connection error, but I have no idea what happened earlier.
Comment from jhrozek at 2014-08-08 22:29:15
This turned out to be a server side issue - https://fedorahosted.org/freeipa/ticket/4486
We need to first find out if the host identity is allowed to read those entries.
Comment from jhrozek at 2014-08-11 10:08:43
So far this looks like an IPA issue, we can reopen if needed.
resolution: => worksforme
status: new => closed
Comment from admiyo at 2017-02-24 14:26:39
Metadata Update from @admiyo:
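A small triage of the debug log snippet posted in this issue, as an added example that is not part of the original thread or of the SSSD project: it parses each backend log line, keeps the messages logged at the critical-or-worse debug levels documented in sssd.conf(5), and pulls the result codes out of the `be_pam_handler_callback` line. The function name `triage` and both regular expressions are assumptions made for illustration; the sample lines are copied from the snippet above.

```python
import re

# Debug-level bits as documented in sssd.conf(5); lower value = more severe.
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
          0x0080: "minor", 0x0100: "config", 0x0200: "function data",
          0x0400: "trace operation", 0x1000: "trace internal"}

# Layout seen in the snippet: (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# e.g. "Backend returned: (3, 4, <NULL>) [Internal Error (System error)]"
PAM_RE = re.compile(r"Backend returned: \((\d+), (\d+), .*?\) \[(.+)\]$")

# Five lines taken from the log snippet posted in this issue.
SAMPLE = """\
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug 7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][younglogic.net]
"""


def triage(text):
    """Return (failures, pam_results) found in SSSD backend debug log text.

    failures:    (function, level name, message) for levels 0x0040 and below
    pam_results: (first code, second code, bracketed description) per
                 'Backend returned' line
    """
    failures, pam_results = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a debug line in the expected layout
        level = int(m["level"], 16)
        if level <= 0x0040:
            failures.append((m["func"], LEVELS.get(level, hex(level)), m["msg"]))
        r = PAM_RE.search(m["msg"])
        if r:
            pam_results.append((int(r[1]), int(r[2]), r[3]))
    return failures, pam_results


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

On the sample this isolates the `ipa_host_info_done` message as the only critical-level line and shows that the PAM request ended with the system error discussed in the comments.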