The clocks are in sync and yes, I can kinit successfully on the replica as an AD user@AD domain.

One thing I noticed in the Web UI as admin user, browsing to Identity -> Groups -> ad_external_group -> External, on the primary IPA server, I see:


but on the replica, instead of the user@domain.tld string I just see a SID  

On Fri, Jun 30, 2017 at 4:02 AM, Florence Blanc-Renaud <> wrote:
On 06/29/2017 09:47 PM, Jason Hensley via FreeIPA-users wrote:

  I have set up a pair of FreeIPA 4.5.2 servers.  One via
ipa-server-install, the other via ipa-replica-install.  I have tried
them both as trust controllers and I have tried them in a
controller/agent setup.

  My problem is that no AD users can log in to the self service UI on the
secondary IPA server.  Is this by design, or is it merely a bug?  I can
provide more details/logs/configs on request.

Did you also open the required ports on the replica?

You can also check that the clocks are in sync and that kinit succeeds on the replica.



FreeIPA-users mailing list --