Hi and thank you,

I’ve enabled debug on the IPA server. To me it looks like it’s trying to look up the account in AD (testuser@corp2.ad2.test.net) but ends up looking for the username at the IPA domain in the end?

sssd_idm.test.net.log: https://pastebin.com/Az9kyiaK

sssd_nss.log: https://pastebin.com/sx4yfZCB


Regards
Henrik

On 22 Jan 2018, at 21:37, Justin Stephenson <jstephen@redhat.com> wrote:

If the trust was added successfully and IPA servers were promoted to Trust Controllers or Trust Agents with ipa-adtrust-install then you followed the necessary setup steps.

The 's2n' log messages are client-specific requests made to the IPA server for AD trust user and group information. These ipa_s2n* errors will require you to analyze the IPA server SSSD logs at the same timeframe as the client failures to understand why the IPA server failed to respond to the client request for AD trust object information. I would suggest first checking the domain log if the AD domain is getting marked offline by SSSD.

The information here may be helpful for you:

  https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Kind regards,
Justin Stephenson

On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote:
Hi,
I have a working trust between my IPA server and an AD domain; I can look up accounts and log in to the IPA server using AD accounts. I am however unable to do the same when I connect a client to the IPA server: the local IPA accounts such as admin are available, but not AD accounts. I have tried to do a realm join and also using ipa-client-install directly, without success. Are there any additional steps that need to be done to access accounts over the trust? I have some debug output on pastebin also: https://pastebin.com/xy9SbCw4
Regards
Henrik