The following is a portion of the sssd log on the client reflecting the same inability to
retrieve keytab:
***
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sss_domain_get_state] (0x1000):
Domain
domain.edu is Active
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [ipa_server_trusted_dom_setup_send]
(0x1000): Trust direction of subdom
domain.edu from forest
domain.edu is: one-way inbound:
local domain trusts the remote domain
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [ipa_server_trusted_dom_setup_1way]
(0x0400): Will re-fetch keytab for
domain.edu
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [ipa_getkeytab_send] (0x0400):
Retrieving keytab for IPA$(a)domain.EDU from
test.ipa.domain.edu into
/var/lib/sss/keytabs/domain.edu.keytabENwf67 using ccache
/var/lib/sss/db/ccache_IPA.DOMAIN.EDU
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [child_handler_setup] (0x2000):
Setting up signal handler up for pid [88300]
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [child_handler_setup] (0x2000):
Signal handler set up for pid [88300]
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sbus_dispatch] (0x4000): dbus conn:
0x5578611b8b00
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sbus_dispatch] (0x4000): dbus conn:
0x5578611b8b00
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sbus_toggle_watch] (0x4000):
0x55786117b780/0x5578611b8700 (14), R/- (disabled)
(Fri Feb 12 10:11:54 2021) [sssd[be[ipa.domain.edu]]] [sbus_toggle_watch] (0x4000):
0x55786117b780/0x5578611b86b0 (14), -/W (enabled)
***
At the same time, the errors log on the IPA server
(/var/log/dirsrv/slapd_IPA-DOMAIN-EDU/errors) does not log any errors (TLS or otherwise):
***
[12/Feb/2021:10:08:10.990268019 -0600] - INFO - slapd_daemon - slapd started. Listening
on All Interfaces port 389 for LDAP requests
[12/Feb/2021:10:08:10.992126928 -0600] - INFO - slapd_daemon - Listening on All Interfaces
port 636 for LDAPS requests
[12/Feb/2021:10:08:10.993036367 -0600] - INFO - slapd_daemon - Listening on
/var/run/slapd-IPA-DOMAIN-EDU.socket for LDAPI requests
[12/Feb/2021:10:08:11.058722880 -0600] - ERR - schema-compat-plugin - schema-compat-plugin
tree scan will start in about 5 seconds!
[12/Feb/2021:10:08:16.148838179 -0600] - ERR - schema-compat-plugin - warning: no entries
set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=edu
[12/Feb/2021:10:08:16.150531968 -0600] - ERR - schema-compat-plugin - Finished plugin
initialization.
***
Thanks!