Hi,
I have a working trust between my IPA server and an AD domain, I can lookup accounts and login to the IPA-server using AD accounts. I am however unable to do the same when I connect a client to the IPA-server, the local IPA-accounts are available such as admin, but not AD accounts. I have tried to do a realm join and also using the ipa-client-install directly without success. Are there any additional steps that need to be done to access accounts over the trust? I have some debug output on pastebin also: https://pastebin.com/xy9SbCw4
Regards, Henrik
If the trust was added successfully and IPA servers were promoted to Trust Controllers or Trust Agents with ipa-adtrust-install then you followed the necessary setup steps.
The 's2n' log messages are client-specific requests made to the IPA server for AD trust user and group information. These ipa_s2n* errors will require you to analyze the IPA server SSSD logs at the same timeframe as the client failures to understand why the IPA server failed to respond to the client request for AD trust object information. I would suggest first checking the domain log if the AD domain is getting marked offline by SSSD.
The information here may be helpful for you
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Kind regards, Justin Stephenson
On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
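As an added example (not from this thread or the SSSD project), a small POSIX shell helper that does the correlation Justin suggests: it pulls the minutes at which a client's ipa_s2n* errors appear and checks whether the IPA server's domain log marked the AD domain offline in the same minute. The log lines are constructed to resemble SSSD 1.x log format, and the exact "offline" message strings matched are assumptions.

```shell
#!/bin/sh
# Constructed sample logs (NOT the pastebin output from the thread).
# Format approximates SSSD 1.x: "(timestamp) [sssd[be[domain]]] [function] (level): message"
CLIENT_LOG=$(mktemp)   # sssd_<ipadomain>.log as seen on the IPA client
SERVER_LOG=$(mktemp)   # sssd_<ipadomain>.log as seen on the IPA server
cat > "$CLIENT_LOG" <<'EOF'
(Mon Jan 22 14:45:02 2018) [sssd[be[idm.test.net]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jan 22 14:45:03 2018) [sssd[be[idm.test.net]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 22 14:46:10 2018) [sssd[be[idm.test.net]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
EOF
cat > "$SERVER_LOG" <<'EOF'
(Mon Jan 22 14:45:01 2018) [sssd[be[idm.test.net]]] [be_mark_subdom_offline] (0x0100): Marking subdomain corp2.ad2.test.net offline
(Mon Jan 22 14:45:03 2018) [sssd[be[idm.test.net]]] [be_mark_offline] (0x2000): Going offline!
(Mon Jan 22 14:47:00 2018) [sssd[be[idm.test.net]]] [be_reset_offline] (0x2000): Going back online!
EOF

# Reduce the leading "(Mon Jan 22 14:45:03 2018)" timestamp to "HH:MM".
minute_of() {
  sed -n 's/^([A-Za-z]* [A-Za-z]* *[0-9]* \([0-9][0-9]:[0-9][0-9]\):[0-9][0-9] [0-9]*).*/\1/p'
}

# Minutes at which the client logged a failing ipa_s2n* request.
s2n_failure_minutes() {
  grep 'ipa_s2n' "$1" | grep -Ei 'fail|error' | minute_of | sort -u
}

# Minutes at which the server's domain log marked the AD (sub)domain offline.
# The message patterns are assumptions; adjust to what your SSSD version logs.
offline_minutes() {
  grep -Ei 'going offline|marking subdomain .* offline|backend is offline' "$1" | minute_of | sort -u
}

# Count client s2n failures that fall in the same minute as a server offline event.
# A non-zero count points at the AD domain being offline on the server, not at the client.
correlated_count() {
  n=0
  for m in $(s2n_failure_minutes "$1"); do
    if offline_minutes "$2" | grep -qx "$m"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

correlated_count "$CLIENT_LOG" "$SERVER_LOG"
```

Run it against the real files by replacing the two constructed logs with /var/log/sssd/sssd_<ipadomain>.log from the client and from the server, captured over the same time window.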
Hi and thank you,
I’ve enabled debug on the IPA server, to me it looks like it’s trying to look up the account in AD (testuser@corp2.ad2.test.net) but ends up looking for the username at the IPA-domain in the end?
sssd_idm.test.net.log: https://pastebin.com/Az9kyiaK
sssd_nss.log: https://pastebin.com/sx4yfZCB
Regards, Henrik
On 22 Jan 2018, at 21:37, Justin Stephenson jstephen@redhat.com wrote: