The clocks are in sync and yes, I can kinit successfully on the replica as
an AD user@AD domain.
One thing I noticed in the Web UI as admin user, browsing to Identity ->
Groups -> ad_external_group -> External, on the primary IPA server, I see:
but on the replica, instead of the user(a)domain.tld string I just see a SID
On Fri, Jun 30, 2017 at 4:02 AM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 06/29/2017 09:47 PM, Jason Hensley via FreeIPA-users wrote:
> I have set up a pair of FreeIPA 4.5.2 servers. One via
> ipa-server-install, the other via ipa-replica-install. I have tried
> them both as trust controllers and I have tried them in a
> controller/agent setup.
> My problem is that no AD users can log in to the self service UI on the
> secondary IPA server. Is this by design, or is it merely a bug? I can
> provide more details/logs/configs on request.
Did you also open the required ports on the replica?
You can also check that the clocks are in sync and that kinit
aduser(a)ad.domain.com succeeds on the replica.