I have set up a pair of FreeIPA 4.5.2 servers. One via ipa-server-install, the other via ipa-replica-install. I have tried them both as trust controllers and I have tried them in a controller/agent setup.

My problem is that no AD users can log in to the self-service UI on the secondary IPA server. Is this by design, or is it merely a bug? I can provide more details/logs/configs on request.