Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote:
Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote:
Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
Is there a way in the sssd config to force the return of the user for only the main domain?
In some cases user cannot be removed or AD config is setup that way on purpose.
Cheers, Tom
Sent from my iPhone
On Apr 7, 2017, at 11:16 PM, TomK tk@mdevsys.com wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote: Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
On Tue, Jul 04, 2017 at 04:39:35PM -0400, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the main domain?
You can skip some domains completely, please have a look at the ad_enabled_domains option in 'man sssd-ad' for details.
The only way I can think of to ignore only specific users from a sub-domain is to use specific search filters for the sub-domain. Please see the 'TRUSTED DOMAIN SECTION' of man sssd.conf for details about how to configure a search filter for a sub-domain.
Maybe local overrides can be used here as well. You might want to try to set a different UID to the user from the sub-domain with the sss_override utility. But I haven't tried this, so chances are that this might still fail.
bye, Sumit
In some cases user cannot be removed or AD config is setup that way on purpose.
Cheers, Tom
Sent from my iPhone
On Apr 7, 2017, at 11:16 PM, TomK tk@mdevsys.com wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote: Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On 7/5/2017 3:40 AM, Sumit Bose wrote:
On Tue, Jul 04, 2017 at 04:39:35PM -0400, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the main domain?
You can skip some domains completely, please have a look at the ad_enabled_domains option in 'man sssd-ad' for details.
The only way I can think of to ignore only specific users from a sub-domain is to use specific search filters for the sub-domain. Please see the 'TRUSTED DOMAIN SECTION' of man sssd.conf for details about how to configure a search filter for a sub-domain.
Maybe local overrides can be used here as well. You might want to try to set a different UID to the user from the sub-domain with the sss_override utility. But I haven't tried this, so chances are that this might still fail.
bye, Sumit
In some cases user cannot be removed or AD config is setup that way on purpose.
Cheers, Tom
Sent from my iPhone
On Apr 7, 2017, at 11:16 PM, TomK tk@mdevsys.com wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote: Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Could not find the first option in the help pages. My version therefore doesn't support it.
I tried to set subdomains_provider = none but this had no effect. This is not really surprising given that the AD team indicated that SUB.DOMAIN.COM was not really a subdomain of DOMAIN.COM but a totally separate domain in itself.
So now I'm wondering if SUB.DOMAIN.COM is not really a subdomain, what can I do to handle this case?
REF: subdomains_provider (string) The provider which should handle fetching of subdomains. This value should be always the same as id_provider. Supported subdomain providers are:
"ipa" to load a list of subdomains from an IPA server. See sssd-ipa(5) for more information on configuring IPA.
"ad" to load a list of subdomains from an Active Directory server. See sssd-ad(5) for more information on configuring the AD provider.
"none" disallows fetching subdomains explicitly.
Default: The value of "id_provider" is used if it is set.
On 7/4/2017 4:39 PM, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the main domain?
In some cases user cannot be removed or AD config is setup that way on purpose.
Cheers, Tom
Sent from my iPhone
On Apr 7, 2017, at 11:16 PM, TomK tk@mdevsys.com wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote: Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
Adding in some details (I filtered based on the timestamp of 17:45:52). Authentication is direct between SSSD and AD. Version is sssd-1.12.4-47.el6_7.4.x86_64 .
On Wed, Jul 05, 2017 at 04:24:25PM -0400, TomK wrote:
On 7/4/2017 4:39 PM, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the main domain?
In some cases user cannot be removed or AD config is setup that way on purpose.
Cheers, Tom
Sent from my iPhone
On Apr 7, 2017, at 11:16 PM, TomK tk@mdevsys.com wrote:
On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote: Hey All,
We're receiving the following message on an older installation of SSSD and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
Thank you for the logs, I think they helped me to understand the issue better. My guess is that it is related to https://pagure.io/SSSD/sssd/issue/3199 and https://pagure.io/SSSD/sssd/issue/3230. The fix for the second one is available since sssd-1.15.1. So you might want to try the el6 build from https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/ to see if the issue is fixed in this version.
bye, Sumit
I'm wondering under what conditions could "Expected one user entry and got 2" be thrown and if it's fixed in higher SSSD versions.
This message typically occurs if SSSD found a duplicate user or group name or a duplicated UID or GID on the server side. If that's the case a newer version won't help, the name or ID collision must be resolved on the server side.
HTH
bye, Sumit
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thank you!
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
Adding in some details (I filtered based on the timestamp of 17:45:52). Authentication is direct between SSSD and AD. Version is sssd-1.12.4-47.el6_7.4.x86_64 .
-- Cheers, Tom K.
Living on earth is expensive, but it includes a free trip around the sun.
sssd-users@lists.fedorahosted.org
-
Sumit Bose -
Tom -
TomK