#3452 ad_account_can_shortcut: allow shortcut for unhandled IDs
Closed: Fixed 6 years ago Opened 6 years ago by sbose.

I found the following in the logs:

(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ipaf26.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ad.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ad_account_can_shortcut] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ad.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [groups_get_send] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_server_trusted_dom_setup_send] (0x1000): Trust direction of subdom ad.devel from forest ad.devel is: two-way trust
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ad.devel
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ad.devel]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ipaf26.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ad.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ad_account_can_shortcut] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [sss_domain_get_state] (0x1000): Domain ad.devel is Active
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [groups_get_send] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [be_mark_dom_offline] (0x1000): Marking subdomain ad.devel offline

The idmap error in ad_account_can_shortcut() does not cause the domain to be skipped, but the idmap call is run again during the lookup, which then causes the domain to go offline.

ad_account_can_shortcut() should better return 'true' in this case to skip the domain.


I think this issue is specific to the IPA provider because ad_account_can_shortcut() was recently added to the IPA provider as well and the idmap return code is IDMAP_EXTERNAL, which is treated as an error in groups_get_send().

In the AD provider IDMAP_EXTERNAL cannot be returned because either all domains use id-mapping or none do. In the non-id-mapping case no domain is added to the idmapping library and IDMAP_NO_DOMAIN is returned, which is handled in groups_get_send().

Nevertheless, fixing this in ad_account_can_shortcut() makes more sense imo because the request can be finished earlier in this case.

Btw, '[IDMAP unknown error code]' indicates that some idmap error codes are not translated properly which should be fixed as well.
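
An added triage example, not part of the original ticket or of SSSD's code: it scans backend debug logs for the pattern reported above, where ID-to-SID mapping failures are followed by the subdomain being marked offline. The function name, the 5-second correlation window and the record layout are assumptions; the sample is an excerpt of the log lines quoted in the ticket.

```python
import re
from datetime import datetime

# SSSD backend debug line: (timestamp) [sssd[be[<backend>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
MAP_FAIL_RE = re.compile(r"Mapping ID \[(\d+)\] to SID failed")
OFFLINE_RE = re.compile(r"Marking subdomain (\S+) offline")

# Excerpt of the log lines quoted in the ticket, embedded so the script runs offline.
SAMPLE = """\
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [ad_account_can_shortcut] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [groups_get_send] (0x0080): Mapping ID [733600006] to SID failed: [IDMAP unknown error code]
(Thu Jul 20 11:58:32 2017) [sssd[be[ipaf26.devel]]] [be_mark_dom_offline] (0x1000): Marking subdomain ad.devel offline
""".splitlines()


def find_idmap_offline_events(lines, window=5):
    """Return one record per subdomain-offline event preceded, within `window`
    seconds (assumed value) and in the same backend, by ID-to-SID failures."""
    recent = {}  # backend -> [(timestamp, function, id), ...]
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a backend debug line
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        fail = MAP_FAIL_RE.search(m["msg"])
        off = OFFLINE_RE.search(m["msg"])
        if fail:
            recent.setdefault(m["backend"], []).append((ts, m["func"], int(fail.group(1))))
        elif off and m["func"] == "be_mark_dom_offline":
            # Consume the pending failures for this backend and keep those in the window.
            hits = [h for h in recent.pop(m["backend"], [])
                    if 0 <= (ts - h[0]).total_seconds() <= window]
            if hits:
                events.append({"backend": m["backend"], "subdomain": off.group(1),
                               "ids": sorted({h[2] for h in hits}),
                               "functions": sorted({h[1] for h in hits}),
                               "failures": len(hits)})
    return events


if __name__ == "__main__":
    for event in find_idmap_offline_events(SAMPLE):
        print(event)
```

A record that lists both ad_account_can_shortcut and groups_get_send for the same ID matches the sequence described in this ticket.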

Metadata Update from @sbose:
- Custom field patch adjusted to on

6 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1474711

6 years ago

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.3
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4479

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
