Some of the Hive queries, DDL statements were failing due to Sentry privileges exception

Post by ehtrammir » 2020/01/08 00:04:47

User encounters login issues sporadically; upon research, found the following:
================================================================

Root Cause:
It was a problem with one of the master/Sentry nodes, calv-cl-dev-nn1d.med.usc.edu, where a few AD group names were not resolvable to their gid; it was clear from the errors below in the Sentry logs:

9:48:56.016 PM WARN ShellBasedUnixGroupsMapping
Some group names for 'priv.sorabhjain' are not resolvable. id: cannot find name for group ID 357609136
9:48:56.031 PM WARN ShellBasedUnixGroupsMapping
unable to return groups for user priv.sorabhjain
PartialGroupNameException Can't execute the shell command to get the list of group id for user 'priv.sorabhjain'

Also, there were errors in the groups information on the priv account, e.g. priv.sorabhjain: the gid was not resolved to group names for some of the groups; see the output below.
(It was working as expected on other hosts.)

[root@calv-cl-dev-nn1d db]# groups priv.sorabhjain
priv.sorabhjain : domain users sg_clairvoyant_consultant pwd_privleged groups: cannot find name for group ID 357609136
357609136 duo_enable ctx_putty ctx_rdp lsa-calv-optumvbso-rdp ctx_upm ctx_duo-enrollment lsa-calv-optumvbso-full


Temporary Solution:
==================

Cleared the sssd cache and restarted sssd on the affected host: calv-cl-dev-nn1d.med.usc.edu.

The cached results in sssd can potentially be problematic if the stored records become stale and are no longer in sync with the identity provider, so it was important to flush the SSSD cache to fix various problems and update the cache.

After clearing the cache and restarting sssd, all the GIDs were resolved to group names; see the expected output below:

[root@calv-cl-dev-nn1d db]# groups priv.sorabhjain
priv.sorabhjain : domain users ctx_duo-enrollment ctx_putty ctx_chrome lsa-calv-optumvbso-full duo_enable ctx_upm pwd_privleged lsa-calv-optumvbso-rdp ctx_rdp sg_clairvoyant_consultant

This requires manual work; please let me know if there is any fix for this.

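Added example, not part of the original post: shell functions that detect the condition described above, first from the ShellBasedUnixGroupsMapping warnings in the Sentry log, then from live `id` output, and flush SSSD only when a GID is still unresolved. The function names are hypothetical, and the use of `sss_cache -E` plus `systemctl restart sssd` is an assumption, since the post does not say which commands were used to clear the cache.

```shell
#!/bin/sh
# Added example: detect unresolved group IDs before flushing SSSD.

# Constructed sample input: the WARN lines quoted in the post.
sample_log() {
cat <<'EOF'
9:48:56.016 PM WARN ShellBasedUnixGroupsMapping
Some group names for 'priv.sorabhjain' are not resolvable. id: cannot find name for group ID 357609136
9:48:56.031 PM WARN ShellBasedUnixGroupsMapping
unable to return groups for user priv.sorabhjain
EOF
}

# Read Sentry log lines on stdin; print one "user gid" pair per
# distinct unresolved-group warning.
unresolved_from_log() {
    sed -n "s/.*Some group names for '\([^']*\)' are not resolvable.*cannot find name for group ID \([0-9][0-9]*\).*/\1 \2/p" | sort -u
}

# $1 is one line of `id <user>` output. Print every supplementary GID
# shown without a "(name)" suffix, i.e. one NSS could not resolve.
# Group names may contain spaces ("domain users"), so split on commas only.
unresolved_from_id() {
    printf '%s\n' "$1" |
        sed -n '/ groups=/{s/.* groups=//;s/ context=.*//;p;}' |
        tr ',' '\n' | grep -E '^[0-9]+$' || true
}

# Flush the SSSD cache and restart the daemon only if the live lookup
# for user $1 is still broken. Assumes sssd-tools and systemd; run as
# root on the affected host (for example from cron or a monitoring hook).
remediate_if_stale() {
    bad=$(unresolved_from_id "$(id "$1" 2>/dev/null)")
    if [ -z "$bad" ]; then
        return 0
    fi
    echo "unresolved GIDs for $1: $bad" >&2
    sss_cache -E && systemctl restart sssd
}

# Offline demonstration on the constructed sample.
sample_log | unresolved_from_log
```

If the warnings return shortly after a flush, the stale cache is a symptom and the lookup path to the identity provider on that host needs checking.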