[Freeipa-users] AD - Freeipa trust confusion

Jakub Hrozek jhrozek at redhat.com
Fri Jan 3 11:32:07 UTC 2014


On Fri, Jan 03, 2014 at 12:29:11PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +0000, Andrew Holway wrote:
> > /var/log/sssd/*
> > this is using bob at host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > 
> > this is using bob at prattle.com@host (prattle.com is the windows domain)
> 
> Thanks, these logs have somewhat more info than those in the other
> thread.
> 
> It seems that Winbind on the IPA server has trouble talking to the AD
> server:
> 
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status]
> (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]]
> [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as
> 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> 
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
> 
> To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> debug 100', then request the trusted user. The winbind logs would be at
> /var/log/samba/log.w*
> 
> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.
> 

Oh and after you gather the info, you should also re-set the debug logs
back:
smbcontrol winbindd debug 1

Running with a verbose log level would flood your disk soon.
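An added example, not part of the original message and not SSSD code: a small Python triage script that re-joins mail-wrapped SSSD debug lines like those quoted above and keeps only failure-level entries, which isolates the `s2n exop request failed` line from the surrounding 0x0100 status messages. The names `parse_entries` and `failures` are hypothetical; the sample is the excerpt quoted in this message.

```python
import re

# SSSD debug levels are a bitmask; values up to 0x0080 are failures
# (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor).
FAILURE_MAX = 0x0080
DAYS = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"

ENTRY = re.compile(
    r"\((?P<ts>[^)]+)\)\s+"            # (Thu Jan 2 19:27:41 2014)
    r"\[(?P<proc>sssd\S*)\]\s+"        # [sssd[be[wibble.com]]]
    r"\[(?P<func>\w+)\]\s+"            # [ipa_s2n_get_user_done]
    r"\(0x(?P<level>[0-9a-fA-F]{4})\):\s*(?P<msg>.*)", re.S)

# Excerpt quoted in the message, including '>' markers and mail wrapping.
SAMPLE = """\
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status]
> (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]]
> [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as
> 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
"""

def parse_entries(text):
    """Strip quote markers, undo line wrapping, return one dict per entry."""
    lines = [re.sub(r"^(?:>\s?)+", "", l).strip() for l in text.splitlines()]
    joined = " ".join(l for l in lines if l)
    entries = []
    # Every entry starts with a parenthesised timestamp beginning with a weekday.
    for chunk in re.split(r"(?=\(" + DAYS + r" )", joined):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append({"ts": m["ts"], "proc": m["proc"], "func": m["func"],
                            "level": int(m["level"], 16),
                            "msg": m["msg"].strip()})
    return entries

def failures(entries):
    """Keep only entries logged at a failure level."""
    return [e for e in entries if e["level"] <= FAILURE_MAX]

if __name__ == "__main__":
    for e in failures(parse_entries(SAMPLE)):
        print(f"{e['ts']} {e['proc']} {e['func']} "
              f"(0x{e['level']:04x}): {e['msg']}")
```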



