Hello,
I have set up a pair of FreeIPA 4.5.2 servers. One via ipa-server-install, the other via ipa-replica-install. I have tried them both as trust controllers and I have tried them in a controller/agent setup.
My problem is that no AD users can log in to the self service UI on the secondary IPA server. Is this by design, or is it merely a bug? I can provide more details/logs/configs on request.
Thanks, Jason
To elaborate further, the authentication request works on the secondary IPA server, but I am immediately greeted with this WSGI error screen.
On Thu, Jun 29, 2017 at 3:47 PM, Jason Hensley jhensley@subfx.net wrote:
> Hello,
> I have set up a pair of FreeIPA 4.5.2 servers. One via ipa-server-install, the other via ipa-replica-install. I have tried them both as trust controllers and I have tried them in a controller/agent setup.
> My problem is that no AD users can log in to the self service UI on the secondary IPA server. Is this by design, or is it merely a bug? I can provide more details/logs/configs on request.
> Thanks, Jason
On 06/29/2017 09:47 PM, Jason Hensley via FreeIPA-users wrote:
> Hello,
> I have set up a pair of FreeIPA 4.5.2 servers. One via ipa-server-install, the other via ipa-replica-install. I have tried them both as trust controllers and I have tried them in a controller/agent setup.
> My problem is that no AD users can log in to the self service UI on the secondary IPA server. Is this by design, or is it merely a bug? I can provide more details/logs/configs on request.
Hi,
did you also open the required ports on the replica? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
You can also check that the clocks are in sync and that kinit aduser@ad.domain.com succeeds on the replica.
Flo
> Thanks, Jason
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
The clocks are in sync and yes, I can kinit successfully on the replica as an AD user@AD domain.
One thing I noticed in the Web UI as admin user, browsing to Identity -> Groups -> ad_external_group -> External, on the primary IPA server, I see:
ad_user@ad_domain
but on the replica, instead of the user@domain.tld string, I just see a SID.
On Fri, Jun 30, 2017 at 4:02 AM, Florence Blanc-Renaud flo@redhat.com wrote:
> On 06/29/2017 09:47 PM, Jason Hensley via FreeIPA-users wrote:
>> Hello,
>> I have set up a pair of FreeIPA 4.5.2 servers. One via ipa-server-install, the other via ipa-replica-install. I have tried them both as trust controllers and I have tried them in a controller/agent setup.
>> My problem is that no AD users can log in to the self service UI on the secondary IPA server. Is this by design, or is it merely a bug? I can provide more details/logs/configs on request.
> Hi,
> did you also open the required ports on the replica? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#trust-req-ports
> You can also check that the clocks are in sync and that kinit aduser@ad.domain.com succeeds on the replica.
> Flo
>> Thanks, Jason