OES2015 NIT related error messages are observed even when no AD integration has been configured.

  • 7017654
  • 01-Jun-2016
  • 15-Nov-2019

Environment

Micro Focus Open Enterprise Server 2015 (OES 2015)

Situation

Running Micro Focus Open Enterprise Server 2015 without Active Directory integration generates many error messages that fill up syslog.

Messages of the following type can be observed:
server01 /usr/sbin/nit[4506]:  [NIT_THRD  0x7f3fecd52700] : edir_get_userinfo_from_guid_handler: Failed to get a DN from MapGUIDToDN, error is -765
server01 ndpapp[9038]:  [NIT_IPC   0x7fa02d6e9700] : nitlib_get_sevlist_from_name: Got error -649 from NCPID for getting the SEV list from DN

server01 ndpapp[19520]:  [NIT_IPC   0x7fa0286df700] : nitlib_get_userinfo_from_guid: Error response from nitd for getting the userinfo with GUID: 46148c00-aca1-11e2-af-59-005056a24eeb, error: -9001

server01 /usr/sbin/nit[5010]:  [NIT_THRD  0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!
server01 /usr/sbin/nit[5010]:  [NIT_THRD  0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!

On OES2018 and OES2018.SP1 the error looks like this:
.. nitd[3312]: [NIT_THRD 0x7fa8f5740700]: ERROR: nitd_get_domain_admins_sid: Error, NIT is configured to run in eDirectory only mode.
.. ndpapp[23200]: [NIT_IPC  0x7f98a3401700]: ERROR: nitlib_get_domain_admins_sid: Error response from nit  for getting the Domains Admins group SID, error: -9008
.. nitd[3312]: [NIT_THRD 0x7fa8f5740700]: ERROR: nitd_get_adlicense_group_handler: Error, NIT is configured to run in eDirectory only mode.
.. ndpapp[23202]: [NIT_IPC  0x7f98a3c02700]: ERROR: nitlib_get_adlicense_group: Error response from nitd for getting the AD license group details, error: -9008



Resolution

This has been resolved with the Scheduled Maintenance Update for May '16 (May 2016 Update - OES 2015 10911).

Cause

On OES2015, the novell-nssad pattern is always installed even when no AD integration is required or needed.

NSS requires NIT to be functional for mapping identities (between name, GUID, UID, SID, etc.) for both eDir and AD. This applies irrespective of the access protocol working on top of NSS. In the case of NCP access for eDir users, basic NSS file access is performed as the 'root' user (by NCP), so there is no need to map identities from the NSS side. From that, one could conclude that NIT may not be required, because NSS does not need to map eDir identities.
On the other hand, functions such as salvage and purge from NCP are performed as the respective eDir user inside NSS, so NSS needs to map these users. NIT is therefore needed even with NCP-only access.

Along with NSS and CIFS, more components, such as SMS, NRM, etc., depend directly on NIT's functionality to deal with identities (both eDir and AD), and going forward, even FTP.