Environment
Micro Focus Open Enterprise Server 2015 (OES 2015)
Situation
Running Micro Focus Open Enterprise Server 2015 without Active Directory integration generates many error messages that fill up syslog.
Messages of the following type can be observed:
server01 /usr/sbin/nit[4506]: [NIT_THRD 0x7f3fecd52700] : edir_get_userinfo_from_guid_handler: Failed to get a DN from MapGUIDToDN, error is -765
server01 ndpapp[9038]: [NIT_IPC 0x7fa02d6e9700] : nitlib_get_sevlist_from_name: Got error -649 from NCPID for getting the SEV list from DN
server01 ndpapp[19520]: [NIT_IPC 0x7fa0286df700] : nitlib_get_userinfo_from_guid: Error response from nitd for getting the userinfo with GUID: 46148c00-aca1-11e2-af-59-005056a24eeb, error: -9001
server01 /usr/sbin/nit[5010]: [NIT_THRD 0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!
server01 /usr/sbin/nit[5010]: [NIT_THRD 0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!
On OES2018 and OES2018.SP1 the error looks like this:
.. nitd[3312]: [NIT_THRD 0x7fa8f5740700]: ERROR: nitd_get_domain_admins_sid: Error, NIT is configured to run in eDirectory only mode.
.. ndpapp[23200]: [NIT_IPC 0x7f98a3401700]: ERROR: nitlib_get_domain_admins_sid: Error response from nit for getting the Domains Admins group SID, error: -9008
.. nitd[3312]: [NIT_THRD 0x7fa8f5740700]: ERROR: nitd_get_adlicense_group_handler: Error, NIT is configured to run in eDirectory only mode.
.. ndpapp[23202]: [NIT_IPC 0x7f98a3c02700]: ERROR: nitlib_get_adlicense_group: Error response from nitd for getting the AD license group details, error: -9008
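To see how much of a syslog excerpt this known NIT noise accounts for, the messages can be grouped by process, reporting function and error code. The following is an added example, not part of the original article or of any Micro Focus tooling: the field layout is inferred only from the messages quoted above, `parse_line` and `summarize` are this example's own names, and the `sshd` line is constructed.

```python
import re
from collections import Counter

# Lines copied from the messages quoted on this page; the sshd line is constructed.
SAMPLE = """\
server01 /usr/sbin/nit[4506]: [NIT_THRD 0x7f3fecd52700] : edir_get_userinfo_from_guid_handler: Failed to get a DN from MapGUIDToDN, error is -765
server01 ndpapp[9038]: [NIT_IPC 0x7fa02d6e9700] : nitlib_get_sevlist_from_name: Got error -649 from NCPID for getting the SEV list from DN
server01 ndpapp[19520]: [NIT_IPC 0x7fa0286df700] : nitlib_get_userinfo_from_guid: Error response from nitd for getting the userinfo with GUID: 46148c00-aca1-11e2-af-59-005056a24eeb, error: -9001
server01 /usr/sbin/nit[5010]: [NIT_THRD 0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!
server01 /usr/sbin/nit[5010]: [NIT_THRD 0x7f94f7dac700] : edir_get_userinfo_from_guid_handler: Failed to insert user into cache!
.. nitd[3312]: [NIT_THRD 0x7fa8f5740700]: ERROR: nitd_get_domain_admins_sid: Error, NIT is configured to run in eDirectory only mode.
.. ndpapp[23200]: [NIT_IPC 0x7f98a3401700]: ERROR: nitlib_get_domain_admins_sid: Error response from nit for getting the Domains Admins group SID, error: -9008
server01 sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
"""

# host, process[pid], [NIT_<channel> <thread id>], optional "ERROR:", function, text
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<chan>NIT_\w+)\s+0x[0-9a-fA-F]+\]\s*:\s*"
    r"(?:ERROR:\s*)?(?P<func>\w+):\s*(?P<msg>.*)$"
)
# Covers the three spellings seen above: "error is -765", "error -649", "error: -9001"
CODE_RE = re.compile(r"error(?: is)?:?\s*(-\d+)")

def parse_line(line):
    """Return a dict for a NIT message, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = CODE_RE.search(m["msg"])
    return {"proc": m["proc"].rsplit("/", 1)[-1],   # /usr/sbin/nit -> nit
            "func": m["func"],
            "code": int(code.group(1)) if code else None,
            "edir_only": "eDirectory only mode" in m["msg"]}

def summarize(lines):
    """Count NIT messages per (process, function, error code) and their share of all lines."""
    by_key, total, nit, edir_only = Counter(), 0, 0, 0
    for line in filter(str.strip, lines):
        total += 1
        rec = parse_line(line)
        if rec:
            nit += 1
            edir_only += rec["edir_only"]
            by_key[(rec["proc"], rec["func"], rec["code"])] += 1
    return {"total": total, "nit": nit, "edir_only": edir_only, "by_key": by_key}

if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines())
    print(f'{result["nit"]} of {result["total"]} lines are NIT messages')
    for key, count in result["by_key"].most_common():
        print(count, *key)
```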
Resolution
This has been resolved with the Scheduled Maintenance Update for May '16 (May 2016 Update - OES 2015 10911).
Cause
On OES2015, the novell-nssad pattern is always installed even when no AD integration is required or needed.
NSS requires NIT to be functional for mapping identities (between name, GUID, UID, SID, etc.) for both eDir and AD, irrespective of the access protocol working on top of NSS. With NCP access for eDir users, basic NSS file access is performed as the 'root' user (by NCP), so there is no need to map identities from the NSS side. In that case it could be argued that NIT is not required, because NSS has no eDir identities to map.
On the other hand, functions such as salvage and purge from NCP are performed as the respective eDir user inside NSS, so NSS needs to map these users. NIT is therefore needed even with NCP-only access.
Besides NSS and CIFS, more components such as SMS, NRM, etc. depend directly on NIT's functionality to deal with identities (both eDir and AD), and going forward, even FTP.