Issue:
Multiple users with the same name who are also members of the same group break that group’s resolution.
More information:
When multiple LDAP entries map to the same SSSD user name during group processing, sdap_process_ghost_members() can append the same SYSDB_GHOST value more than once.
The later sysdb write then fails with ldb_modify errors similar to:
attribute 'ghost' ... provided more than once in REPLACE
The primary-group path already suppresses duplicate members with has_member() / link_pgroup_members(), but the ghost-member path does not.
Expected result:
SSSD will ignore all duplicate members found, so that group resolution continues to function for all other members, and inform the administrator of the issue within the sssd_be logs, such as:
Multiple directory entries map to the same SSSD user name [someuser@example.com]:
[CN=Some User,CN=Users,DC=example,DC=com]
[CN=Some User - Admin,OU=PrivAccounts,OU=ExampleUsers,DC=example,DC=com]
Consider narrowing ldap_user_search_base or ldap_search_base.
Log example:
(2026-03-31 9:05:37): [be[example.com]] [sdap_get_primary_name] (0x0400): [RID#2] Processing object exampleuser
(2026-03-31 9:05:37): [be[example.com]] [sysdb_cache_search_users] (0x2000): [RID#2] Search users with filter: (&(objectCategory=user)(originalDN=CN=Firstname\20Lastname\20-\20Admin,OU=PrivAccounts,OU=DomUsers,DC=example,DC=com))
(2026-03-31 9:05:37): [be[example.com]] [sdap_get_primary_name] (0x0400): [RID#2] Processing object exampleuser
(2026-03-31 9:05:37): [be[example.com]] [sysdb_cache_search_users] (0x2000): [RID#2] Search users with filter: (&(objectCategory=user)(originalDN=CN=Firstname\20Lastname,CN=Users,DC=example,DC=com))
(2026-03-31 9:05:37): [be[example.com]] [sdap_process_ghost_members] (0x0400): [RID#2] Adding ghost member for group [exampleuser@example.com] <----- First user found
(2026-03-31 9:05:37): [be[example.com]] [sdap_process_ghost_members] (0x0400): [RID#2] Adding ghost member for group [exampleuser@example.com] <----- Second user found
(2026-03-31 9:05:37): [be[example.com]] [sdap_save_group] (0x0400): [RID#2] Storing info for group examplegroup@example.com
(2026-03-31 9:05:37): [be[example.com]] [sysdb_check_ts_cache] (0x2000): [RID#2] Cannot find TS cache entry for [name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb]: [2]: No such file or directory
(2026-03-31 9:05:37): [be[example.com]] [sysdb_check_and_update_ts_cache] (0x2000): [RID#2] No timestamps entry
(2026-03-31 9:05:37): [be[example.com]] [sysdb_search_by_name] (0x0400): [RID#2] No such entry
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_group] (0x1000): [RID#2] Group examplegroup@example.com does not exist.
(2026-03-31 9:05:37): [be[example.com]] [sysdb_search_group_by_id] (0x0400): [RID#2] No such entry
(2026-03-31 9:05:37): [be[example.com]] [sysdb_ldb_msg_difference] (0x2000): [RID#2] Added attr [objectSIDString] to entry [name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb]
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_cache_entry_attr] (0x0080): [RID#2] ldb_modify failed: [Attribute or value exists](20)[attribute 'ghost': value 'exampleuser@example.com' on 'name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb' provided more than once in REPLACE]
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_cache_entry_attr] (0x0040): [RID#2] Error: 17 (File exists)
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_entry_attr] (0x0080): [RID#2] Cannot set attrs for name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb, 17 [File exists
(2026-03-31 9:05:37): [be[example.com]] [sysdb_add_group] (0x1000): [RID#2] sysdb_set_group_attr failed.
(2026-03-31 9:05:37): [be[example.com]] [sysdb_add_group] (0x0400): [RID#2] Error: 17 (File exists)
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_new_group] (0x1000): [RID#2] sysdb_add_group failed: [EEXIST].
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_new_group] (0x0400): [RID#2] A group with the same GID [400] was removed from the cache
(2026-03-31 9:05:37): [be[example.com]] [sysdb_search_group_by_id] (0x0400): [RID#2] No such entry
(2026-03-31 9:05:37): [be[example.com]] [sysdb_ldb_msg_difference] (0x2000): [RID#2] Added attr [objectSIDString] to entry [name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb]
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_cache_entry_attr] (0x0080): [RID#2] ldb_modify failed: [Attribute or value exists](20)[attribute 'ghost': value 'exampleuser@example.com' on 'name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb' provided more than once in REPLACE]
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_cache_entry_attr] (0x0040): [RID#2] Error: 17 (File exists)
(2026-03-31 9:05:37): [be[example.com]] [sysdb_set_entry_attr] (0x0080): [RID#2] Cannot set attrs for name=examplegroup@example.com,cn=groups,cn=example.com,cn=sysdb, 17 [File exists
(2026-03-31 9:05:37): [be[example.com]] [sysdb_add_group] (0x1000): [RID#2] sysdb_set_group_attr failed.
(2026-03-31 9:05:37): [be[example.com]] [sysdb_add_group] (0x0400): [RID#2] Error: 17 (File exists)
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_new_group] (0x0040): [RID#2] sysdb_add_group failed (while renaming group) for: examplegroup@example.com [400].
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_group] (0x0040): [RID#2] Cache update failed: 17
(2026-03-31 9:05:37): [be[example.com]] [sysdb_store_group] (0x0400): [RID#2] Error: 17 (File exists)
(2026-03-31 9:05:37): [be[example.com]] [sdap_store_group_with_gid] (0x0040): [RID#2] Could not store group examplegroup@example.com
(2026-03-31 9:05:37): [be[example.com]] [sdap_save_group] (0x0080): [RID#2] Could not store group with GID: [File exists]
(2026-03-31 9:05:37): [be[example.com]] [sdap_save_group] (0x0080): [RID#2] Failed to save group [examplegroup@example.com]: [File exists]
(2026-03-31 9:05:37): [be[example.com]] [sdap_save_groups] (0x0040): [RID#2] Failed to store group 0. Ignoring.
(2026-03-31 9:05:37): [be[example.com]] [sdap_nested_done] (0x2000): [RID#2] No external members, done
Workaround:
Limiting the user search base with ldap_user_search_base to avoid specific OUs where duplicate users exist resolves the issue.
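The duplicate suppression the report asks for in the ghost-member path, as an added example that is not SSSD's code or the project's fix. `struct member`, `dedup_ghosts()` and the third sample entry are hypothetical, and names are assumed to compare byte for byte.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one LDAP member entry after name mapping. */
struct member {
    const char *dn;    /* original directory DN */
    const char *name;  /* fully qualified SSSD name the entry maps to */
};

/* Constructed sample: two DNs from the report map to one name. */
static const struct member sample[] = {
    { "CN=Some User,CN=Users,DC=example,DC=com", "someuser@example.com" },
    { "CN=Some User - Admin,OU=PrivAccounts,OU=ExampleUsers,DC=example,DC=com",
      "someuser@example.com" },
    { "CN=Other User,CN=Users,DC=example,DC=com", "otheruser@example.com" },
};

/* Copy members into `kept`, skipping names already present so the ghost
 * attribute never carries one value twice; each skipped entry is logged with
 * both DNs. Returns the unique count, *dups the number skipped. `kept` needs
 * room for n entries (hypothetical helper, byte-for-byte name comparison). */
size_t dedup_ghosts(const struct member *in, size_t n,
                    struct member *kept, size_t *dups)
{
    size_t count = 0;
    *dups = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < count && strcmp(kept[j].name, in[i].name) != 0) j++;
        if (j == count) {            /* first time this name is seen */
            kept[count++] = in[i];
            continue;
        }
        (*dups)++;                   /* duplicate: warn and drop it */
        fprintf(stderr, "Multiple directory entries map to the same SSSD "
                "user name [%s]:\n[%s]\n[%s]\nConsider narrowing "
                "ldap_user_search_base or ldap_search_base.\n",
                in[i].name, kept[j].dn, in[i].dn);
    }
    return count;
}

int main(void)
{
    struct member kept[3];
    size_t dups, n = dedup_ghosts(sample, 3, kept, &dups);
    printf("%zu ghosts kept, %zu duplicates skipped\n", n, dups);
    return 0;
}
```

With the list deduplicated before the write, the group is stored with its remaining members instead of failing with EEXIST as in the log above.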