IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifierHEAD master

There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client. This patch just improves the DEBUG message so that it's clearer for the admins where the issue is. Reviewed-by: Lukáš Slebodník <[email protected]>
author: Jakub Hrozek <[email protected]> 2017-04-21 12:39:44 +0200
committer: Jakub Hrozek <[email protected]> 2017-04-24 10:21:24 +0200
commit: ef019268d2d112ebff3577e551cd19478d73d93b (patch)
tree: cd636e18d05e8d53d53b85d69b143f53cc575626
parent: 0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 (diff)
download: sssd-master.tar.gz
sssd-master.tar.xz
sssd-master.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 2173db357..55ec904ca 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1308,7 +1308,10 @@ static void ipa_s2n_get_list_next(struct tevent_req *subreq)
     ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR,
                                  &sid_str);
     if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Object [%s] has no SID, please check the "
+              "ipaNTSecurityIdentifier attribute on the server-side",
+              state->attrs->a.name);
         goto fail;
     }
author	Jakub Hrozek <[email protected]>	2017-04-21 12:39:44 +0200
committer	Jakub Hrozek <[email protected]>	2017-04-24 10:21:24 +0200
commit	ef019268d2d112ebff3577e551cd19478d73d93b (patch)
tree	cd636e18d05e8d53d53b85d69b143f53cc575626
parent	0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 (diff)
download	sssd-master.tar.gz sssd-master.tar.xz sssd-master.zip