#2398 group list not fetched from IPA server
Closed: Invalid None Opened 9 years ago by admiyo.

Logged in to an IPA client machine via Kerberos/SSH and groups did not show any of the groups assigned in the IPA server.

Disabled ldap dereferences in sssd.conf:

ldap_deref_threshold = 0

Was now able to sudo to the user and see the groups. However, with this option set, was unable to ssh to the machine:

Here is a snippet of /var/log/sssd/sssd_younglogic.net.log with
ldap_deref_threshold = 0

(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_run_unconditional_online_cb] (0x0400): Running unconditional online callbacks.
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][younglogic.net]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][younglogic.net]

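The snippet above only becomes readable once the debug-level bit and the PAM result are decoded. The following Python helper is an added example for this ticket (not SSSD project code): it parses SSSD backend log lines into records, flags entries logged at a failure level, notes whether the server rejected the deref control, and decodes the PAM result that sssd_be sent back. The sample log is a subset of the lines quoted in the ticket; the debug-level names follow sssd.conf(5), and the PAM code names are the standard Linux-PAM constants. The `Entry` class, `parse_line` and `triage` names are this example's own.

```python
"""Triage helper for SSSD debug logs (added example, not SSSD project code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One SSSD debug log line, e.g.
# (Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# Debug level bits as documented in sssd.conf(5). Levels <= 0x0080 are failures;
# the rest are configuration dumps and tracing.
DEBUG_LEVELS: Dict[int, str] = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "configuration settings",
    0x0200: "function data",
    0x0400: "trace: operation functions",
    0x1000: "trace: internal control functions",
    0x2000: "function-internal variables",
    0x4000: "low-level tracing",
}

# Common Linux-PAM return codes (security/_pam_types.h); sssd_be reports them
# in "Sent result [<code>][<domain>]".
PAM_CODES: Dict[int, str] = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN",
}


@dataclass
class Entry:
    ts: str
    proc: str
    func: str
    level: int
    msg: str

    @property
    def level_name(self) -> str:
        return DEBUG_LEVELS.get(self.level, "unknown level")

    @property
    def is_failure(self) -> bool:
        return self.level <= 0x0080


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed SSSD log line, else None (continuation/noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"])


def triage(lines) -> dict:
    """Summarise a log excerpt: failures, deref support, and PAM results returned."""
    entries: List[Entry] = [e for e in (parse_line(l) for l in lines) if e]
    failures = [(e.func, e.msg) for e in entries if e.is_failure]
    deref_unsupported = any("does not support deref" in e.msg for e in entries)
    pam_results: List[Tuple[int, str, str]] = []
    for e in entries:
        m = re.fullmatch(r"Sent result \[(\d+)\]\[(.+)\]", e.msg)
        if m:
            code = int(m[1])
            pam_results.append((code, m[2], PAM_CODES.get(code, "unknown")))
    return {
        "parsed": len(entries),
        "failures": failures,
        "deref_unsupported": deref_unsupported,
        "pam_results": pam_results,
    }


# Subset of the lines quoted in the ticket above.
SAMPLE_LOG = """\
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][younglogic.net]
(Thu Aug  7 22:08:27 2014) [sssd[be[younglogic.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][younglogic.net]
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for func, msg in report["failures"]:
        print(f"FAILURE in {func}: {msg}")
    for code, domain, name in report["pam_results"]:
        print(f"PAM result for {domain}: {code} ({name})")
```

Run against a full `/var/log/sssd/sssd_<domain>.log` (with `debug_level` raised in the `[domain/...]` section), the failure list shows which backend step first went wrong before the `PAM_SYSTEM_ERR` was sent to the PAM responder; in this ticket that step is the host-info lookup that the server answered with "does not support deref", which the maintainer traced to the server side.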

Please attach all logs (or send them to me directly), the snippet is not conclusive enough.

From the log snippet I can only tell we should not be returning a System Error on connection error, but I have no idea what happened earlier.

This turned out to be a server side issue - https://fedorahosted.org/freeipa/ticket/4486

We need to first find out if the host identity is allowed to read those entries.

So far this looks like an IPA issue, we can reopen if needed.

resolution: => worksforme
status: new => closed

Metadata Update from @admiyo:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3440

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
