sssd_idm.test.net.log: https://pastebin.com/Az9kyiaK
sssd_nss.log: https://pastebin.com/sx4yfZCB
If the trust was added successfully and IPA servers were promoted to Trust Controllers or Trust Agents with ipa-adtrust-install then you followed the necessary setup steps.
The 's2n' log messages are client-specific requests made to the IPA server for AD trust user and group information. These ipa_s2n* errors will require you to analyze the IPA server SSSD logs at the same timeframe as the client failures to understand why the IPA server failed to respond to the client request for AD trust object information. I would suggest first checking the domain log if the AD domain is getting marked offline by SSSD.
The information here may be helpful for you:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Kind regards,
Justin Stephenson
On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote:
Hi,
I have a working trust between my IPA server and an AD domain, I can lookup accounts and login to the IPA-server using AD accounts. I am however unable to do the same when I connect a client to the IPA-server, the local IPA-accounts are available such as admin, but not AD accounts. I have tried to do a realm join and also using the ipa-client-install directly without success. Are there any additional steps that need to be done to access accounts over the trust? I have some debug output on pastebin also: https://pastebin.com/xy9SbCw4
Regards
Henrik
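The log correlation suggested in the reply above (match client ipa_s2n* failures against the IPA server's SSSD domain log for the same timeframe and look for the domain going offline) can be scripted. This is an added example, not code from the thread or from SSSD; the log layout, the 30-second window and the sample lines are assumptions, and the sample lines are constructed rather than taken from the linked pastebins.

```python
import re
from datetime import datetime, timedelta

# Assumed SSSD debug-log layout: (timestamp) [process] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[.+?\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")

def parse(log_text):
    """Return (datetime, function, message) for each well-formed log line."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip continuation lines and unknown formats
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # timestamp variant this sketch does not handle
        out.append((ts, m["func"], m["msg"]))
    return out

def correlate(client_log, server_log, window_s=30):
    """For each client ipa_s2n* event, collect server 'offline' messages within the window."""
    window = timedelta(seconds=window_s)
    server = [e for e in parse(server_log) if "offline" in e[2].lower()]
    report = []
    for ts, func, msg in parse(client_log):
        if not func.startswith("ipa_s2n"):
            continue
        near = [s for s in server if abs(s[0] - ts) <= window]
        report.append({"client_time": ts, "client_msg": msg, "server_offline": near})
    return report

# Constructed sample lines (hypothetical, for illustration only).
CLIENT = """\
(Mon Jan 22 14:40:02 2018) [sssd[be[idm.test.net]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), (null).
(Mon Jan 22 14:52:10 2018) [sssd[be[idm.test.net]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: Operations error(1), (null).
"""
SERVER = """\
(Mon Jan 22 14:39:55 2018) [sssd[be[idm.test.net]]] [be_mark_offline] (0x2000): Going offline!
(Mon Jan 22 14:45:00 2018) [sssd[be[idm.test.net]]] [be_ptask_execute] (0x0400): Task will be executed again
"""

if __name__ == "__main__":
    for r in correlate(CLIENT, SERVER):
        state = "server offline nearby" if r["server_offline"] else "no offline marker; read server log around this time"
        print(r["client_time"], "-", state)
```

Client and server clocks must be in sync for the window to be meaningful; a client failure with no nearby offline marker still needs the server log read around that timestamp.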