On 18.11.20 09:46, Alexander Bokovoy wrote:
> On Wed, 18 Nov 2020, Ronald Wimmer via FreeIPA-users wrote:
>> On 18.11.20 09:20, Ronald Wimmer via FreeIPA-users wrote:
>>> After upgrading our IPA servers AD user resolution seems to have
>>> stopped working.
>>>
>>> id myADUser says:
>>> id: ‘myADUser’: no such user
>>
>> It might have something to do with:
>> sssctl domain-status org.mydomain.at
>> Online status: Offline
>>
>> But why is it seen as offline?
>
> In your original log you can see that ipa_s2n requests return an error.
> Check SSSD logs on IPA masters that the client talks to. This is all
> covered at
> https://sssd.io/docs/users/troubleshooting.html#common-ipa-provider-issues

As it turned out, I had to enable an encryption policy in order to allow
the deprecated type RC4 for communication with AD.

This is done by issuing the following command (on every 8.3 server that
needs to communicate with AD):

update-crypto-policies --set DEFAULT:AD-SUPPORT

Details can be found in the Ootpa Release Notes:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...

Cheers,
Ronald
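
Because the fix above re-enables a deprecated enctype on every server it is run on, it helps to be able to audit which hosts have it active. The script below is an added example and not part of the original thread; the function names are hypothetical, and it assumes the Kerberos settings generated by crypto-policies live in /etc/crypto-policies/back-ends/krb5.config and that RC4 shows up there under one of the usual krb5 enctype names.

```shell
#!/bin/sh
# Added example: report whether the AD-SUPPORT subpolicy is set and whether
# the generated Kerberos configuration actually permits an RC4 enctype.
# Assumption: default location of the krb5 back-end file written by crypto-policies.
KRB5_BACKEND="${KRB5_BACKEND:-/etc/crypto-policies/back-ends/krb5.config}"

# policy_has_module POLICY MODULE
# POLICY is the string printed by `update-crypto-policies --show`, i.e. a base
# policy followed by colon-separated subpolicies (DEFAULT:AD-SUPPORT).
policy_has_module() {
    case "$1" in *:*) ;; *) return 1 ;; esac      # no subpolicies at all
    case ":${1#*:}:" in *":$2:"*) return 0 ;; esac # match one whole subpolicy name
    return 1
}

# krb5_allows_rc4 FILE
# True if the permitted_enctypes line of FILE lists an RC4 enctype name.
krb5_allows_rc4() {
    grep -E '^[[:space:]]*permitted_enctypes[[:space:]]*=' "$1" 2>/dev/null |
        sed 's/^[^=]*=//' | tr ' \t,' '\n\n\n' |
        grep -Eqx 'arcfour-hmac(-md5)?|rc4-hmac|rc4'
}

# audit_ad_support POLICY FILE
# Prints both findings; returns 0 only if the subpolicy is set AND RC4 is permitted.
audit_ad_support() {
    local policy="$1" backend="$2" rc=0
    if policy_has_module "$policy" AD-SUPPORT; then
        echo "policy $policy: AD-SUPPORT subpolicy set"
    else
        echo "policy $policy: AD-SUPPORT subpolicy NOT set"; rc=1
    fi
    if krb5_allows_rc4 "$backend"; then
        echo "$backend: RC4 enctype permitted"
    else
        echo "$backend: RC4 enctype not permitted"; rc=1
    fi
    return "$rc"
}

if command -v update-crypto-policies >/dev/null 2>&1; then
    # Live check on a host that has the crypto-policies tooling.
    audit_ad_support "$(update-crypto-policies --show)" "$KRB5_BACKEND" || true
else
    # Constructed sample input, not taken from a real host.
    sample=$(mktemp)
    printf '[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5\n' > "$sample"
    audit_ad_support "DEFAULT:AD-SUPPORT" "$sample"; rm -f "$sample"
fi
```

Running it on each IPA server and enrolled client gives a quick inventory of where RC4 is still allowed, which is the list to revisit once AD no longer needs it.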