group list not fetched from IPA server #3440

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2398

  • Created at 2014-08-08 00:13:42 by admiyo
  • Closed as Invalid
  • Assigned to nobody

Logged in to an IPA client machine via Kerberos/SSH and groups did not show any of the groups assigned in the IPA server.

Disabled ldap dereferences in sssd.conf:

ldap_deref_threshold = 0

Was now able to sudo to the user and see the groups. However, with this option set, was unable to sshd to the machine:

Comments


Comment from admiyo at 2014-08-08 00:14:20

Here is a snippet of /var/log/sssd/sssd_younglogic.net.log with
ldap_deref_threshold = 0

(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][younglogic.net]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][younglogic.net]



Comment from jhrozek at 2014-08-08 08:31:01

Please attach all logs (or send them to me directly), the snippet is not conclusive enough.

From the log snippet I can only tell we should not be returning a System Error on connection error, but I have no idea what happened earlier.
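
For triaging logs like the snippet above, this added example (not part of the original issue and not SSSD code) parses the SSSD debug line format and pairs each failed `be_pam_handler_callback` result with the failure-level messages logged just before it. The sample lines are copied from this issue; treating a nonzero first tuple field as a failure is an assumption of the example.

```python
import re

# Constructed sample: four lines taken from the log snippet quoted in this issue.
SAMPLE = """\
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[(?P<proc>\S+)\]\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
RESULT_RE = re.compile(r"Backend returned: \((\d+), (\d+), (.*?)\) \[(.*)\]")
FAILURE_MASK = 0x00F0  # SSSD debug levels 0x0010-0x0080 are the failure levels


def parse(text):
    """Yield one dict per well-formed SSSD debug line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            yield rec


def triage(text):
    """Pair each failed PAM backend result with the failure-level
    messages the same process logged since its previous result."""
    pending, findings = {}, []
    for rec in parse(text):
        if rec["level"] & FAILURE_MASK:
            pending.setdefault(rec["proc"], []).append((rec["func"], rec["msg"]))
        is_pam = rec["func"] == "be_pam_handler_callback"
        m = RESULT_RE.search(rec["msg"]) if is_pam else None
        if m:
            causes = pending.pop(rec["proc"], [])
            if int(m.group(1)) != 0:  # assumption: nonzero first field means failure
                findings.append({"ts": rec["ts"], "proc": rec["proc"],
                                 "status": (int(m.group(1)), int(m.group(2))),
                                 "error": m.group(4), "causes": causes})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ts"], f["proc"], f["status"], f["error"])
        for func, msg in f["causes"]:
            print("   preceded by", func + ":", msg)
```
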


Comment from jhrozek at 2014-08-08 22:29:15

This turned out to be a server side issue - https://fedorahosted.org/freeipa/ticket/4486

We need to first find out if the host identity is allowed to read those entries.


Comment from jhrozek at 2014-08-11 10:08:43

So far this looks like an IPA issue, we can reopen if needed.

resolution: => worksforme
status: new => closed


Comment from admiyo at 2017-02-24 14:26:39

Metadata Update from @admiyo:

  • Issue set to the milestone: NEEDS_TRIAGE