Bug 1184069
| Field | Value |
|---|---|
| Summary | group names are not resolved for gid from sssd cache when using IPA backend |
| Product | Red Hat Enterprise Linux 6 |
| Component | sssd |
| Version | 6.6 |
| Status | CLOSED DUPLICATE |
| Severity | high |
| Priority | unspecified |
| Hardware | All |
| OS | Linux |
| Target Milestone | rc |
| Reporter | Shashikant <shashikant.mundlik> |
| Assignee | SSSD Maintainers <sssd-maint> |
| QA Contact | Kaushik Banerjee <kbanerje> |
| CC | gawin, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, shashikant.mundlik |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2015-01-29 12:53:14 UTC |

Description
Shashikant
2015-01-20 14:25:41 UTC
Can you enable sssd debug_level in the nss and domain sections and send us the logs that capture the bug? Also, when the bug hits you, can you do a dump of the ldb database?

```
yum -y install ldb-tools
ldbsearch -H /var/lib/sss/db/cache_$domain.ldb
```

Created attachment 981957
sssd logs and ldb content for affected system hd008

Created attachment 981958
ldb content on working system hd006

Thanks Jakub for picking this early. I have updated the bug with sssd debug logs and ldb content from the system where this issue is currently happening (hd008). I have also attached ldb content from a working system (hd006) where all the groups are present properly.

Here is what I have seen in the ldb dump. These are three group IDs which are not present in the cache, and their group names are not displayed by the id command.

GIDs: 1019412599, 1019424177, 1019424180

On affected system:

```
[root@server008 ~]# id p3001841
uid=1019408268(p3001841) gid=1019408268(p3001841) groups=1019408268(p3001841),1019429545(itapp_eah_admin),1019424178(itapphueadmin),1019424179(itappcmadmin),1019412599,1019424177,1019424180
[root@server008 ~]# ldbsearch -H /var/lib/sss/db/cache_unix.example.com.ldb |grep gidNumber
asq: Unable to register control with rootdse!
gidNumber: 1019424010
gidNumber: 1019424280
gidNumber: 0
gidNumber: 1019408268
gidNumber: 1019424179
gidNumber: 1019424280
gidNumber: 1019410644
gidNumber: 1019410644
gidNumber: 1019429545
gidNumber: 1019422062
gidNumber: 1019422062
gidNumber: 1019421136
gidNumber: 1019421136
gidNumber: 1019424178
gidNumber: 1019408268
```

On system where cache is clean:

```
[root@hlxp0server006 ~]# id p3001841
uid=1019408268(p3001841) gid=1019408268(p3001841) groups=1019408268(p3001841),1019412599(itsrvrhadmin),1019424179(itappcmadmin),1019429545(itapp_eah_admin),1019424177(itapphue),1019424178(itapphueadmin),1019424180(itappcm)
[root@server006 ~]# ldbsearch -H /var/lib/sss/db/cache_unix.example.com.ldb|grep gidNumber
asq: Unable to register control with rootdse!
gidNumber: 1019412599
gidNumber: 1019421281
gidNumber: 1019425825
gidNumber: 1019425210
gidNumber: 1019414733
gidNumber: 1019424180
gidNumber: 1019408268
gidNumber: 1019424179
gidNumber: 1019429545
gidNumber: 1019424178
gidNumber: 1019426225
gidNumber: 1019426648
gidNumber: 1019408268
gidNumber: 1019421665
gidNumber: 1019424177
gidNumber: 1019425826
```

This is what I see in sssd_nss.log on the affected system for GID 1019412599, which is having the issue:

```
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:41 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:2:1019412599.com]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:41 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1019412599]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:42 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1019412599.com]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:42 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1019412599] to negative cache
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:42 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1019412599]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:22:42 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:2:1019412599.com]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:28:43 2015) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1019412599].
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:28:43 2015) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/1019412599]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:28:43 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1019412599.com]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:28:43 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:2:1019412599.com]
/var/log/sssd/sssd_nss.log:(Tue Jan 20 18:28:43 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [unix.example.com][4098][1][idnumber=1019412599]
```

Please note I have sanitized domain and server names in the comments.

Thank you very much for the info, we'll track the bug together with https://bugzilla.redhat.com/show_bug.cgi?id=1184458

*** This bug has been marked as a duplicate of bug 1184458 ***

(In reply to Jakub Hrozek from comment #6)
> Thank you very much for the info, we'll track the bug together with
> https://bugzilla.redhat.com/show_bug.cgi?id=1184458
>
> *** This bug has been marked as a duplicate of bug 1184458 ***

Hi,

we have the same problem when we get users/groups from AD.
Is it possible to track this bug?
Now I have "You are not authorized to access bug #1184458...."

(In reply to Marek Gawinski from comment #7)
> (In reply to Jakub Hrozek from comment #6)
> > Thank you very much for the info, we'll track the bug together with
> > https://bugzilla.redhat.com/show_bug.cgi?id=1184458
> >
> > *** This bug has been marked as a duplicate of bug 1184458 ***
>
> Hi,
>
> we have the same problem when we get users/groups from AD.
> Is it possible to track this bug?
> Now I have "You are not authorized to access bug #1184458...."

I'm pretty sure that's a different bug; the one we track here is IPA-specific. You should open a new one with debugging information. Can you also try the 1.12 series?

The effects are the same as in this bug.
No, we don't try the 1.12.4 version because we use Ubuntu 12.04 and have some problems creating packages for this version. Now we use 1.11.5. I will try to debug this and open a new bug for our case.

(In reply to Marek Gawinski from comment #9)
> The effects are the same as in this bug.
> No, we don't try the 1.12.4 version because we use Ubuntu 12.04 and have some
> problems creating packages for this version. Now we use 1.11.5. I will try
> to debug this and open a new bug for our case.

There are known issues in sssd-1.11.. I would recommend upgrading to sssd-1.11.7

(In reply to Lukas Slebodnik from comment #10)
> (In reply to Marek Gawinski from comment #9)
> > The effects are the same as in this bug.
> > No, we don't try the 1.12.4 version because we use Ubuntu 12.04 and have some
> > problems creating packages for this version. Now we use 1.11.5. I will try
> > to debug this and open a new bug for our case.
>
> There are known issues in sssd-1.11.. I would recommend upgrading to
> sssd-1.11.7

I will try on this version.
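
A triage helper for the symptom reported in this thread, added here as an example; it is not part of the original report or of SSSD. It finds GIDs that `id` prints without a group name and checks each against an `ldbsearch ... | grep gidNumber` dump and the negative-cache entries in `sssd_nss.log`. The function names are hypothetical, and the sample inputs are copied (the ldb dump abridged) from the affected system's output in the report.

```python
import re

# Sample inputs copied from the affected system in the report (ldb dump abridged).
ID_OUTPUT = ("uid=1019408268(p3001841) gid=1019408268(p3001841) "
             "groups=1019408268(p3001841),1019429545(itapp_eah_admin),"
             "1019424178(itapphueadmin),1019424179(itappcmadmin),"
             "1019412599,1019424177,1019424180")
LDB_OUTPUT = """\
asq: Unable to register control with rootdse!
gidNumber: 1019408268
gidNumber: 1019424179
gidNumber: 1019429545
gidNumber: 1019424178
"""
NSS_LOG = """\
(Tue Jan 20 18:22:42 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GID/1019412599] to negative cache
(Tue Jan 20 18:22:42 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [1019412599]
"""

def unresolved_gids(id_output):
    """Return GIDs from the groups= list of `id` output that carry no (name)."""
    # Stop at an optional SELinux " context=" suffix; group names may hold spaces.
    m = re.search(r"groups=(.*?)(?: context=|$)", id_output.strip(), re.M)
    if not m:
        return []
    entries = re.finditer(r"(?:^|,)(\d+)(?:\(([^)]*)\))?(?=,|$)", m.group(1))
    return [int(e.group(1)) for e in entries if e.group(2) is None]

def triage(id_output, ldb_output, nss_log):
    """Map each unresolved GID to whether it is cached / negatively cached."""
    cached = {int(g) for g in
              re.findall(r"^gidNumber:\s*(\d+)\s*$", ldb_output, re.M)}
    negative = {int(g) for g in
                re.findall(r"Adding \[NCE/GID/(\d+)\] to negative cache", nss_log)}
    return {gid: {"in_cache": gid in cached, "negative_cached": gid in negative}
            for gid in unresolved_gids(id_output)}

if __name__ == "__main__":
    for gid, state in triage(ID_OUTPUT, LDB_OUTPUT, NSS_LOG).items():
        print(gid, state)
```

A GID that is missing from the cache and also sits in the negative cache will keep resolving to a bare number until the negative entry expires, which matters wherever access decisions depend on group names rather than numeric IDs.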