[Freeipa-users] Clients are reading AD info inconsistently

Guertin, David S. guertin at middlebury.edu
Fri Mar 27 17:16:20 UTC 2015


>The most likely reason for 'Protocol error' is that the server this client is
>connected to does not support the special LDAP extended operation used by
>SSSD on IPA clients to get the data for users and groups from trusted
>domains. And the most likely reason for this is that ipa-adtrust-install is not
>run on that server. Please note that while 'ipa trust-add ...' must be only run
>once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g. to
>enable the LDAP extended operation mentioned above.
>
>You can check if the exop is enabled on the servers by running
>
>ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.3.8.10.4
>
>on each server. You should see 1, for RHEL-7.1 even 2 lines of output.

You are correct; I had not run ipa-adtrust-install on the replica servers. I have done that, and now the 
ldapsearch command works correctly and the "Protocol error" statement is gone from the logs. But 
there was something else going on and users still could not log in to the client.

The log files indicated that there was a permissions problem with /tmp. I changed it to root:root 777, and 
now logins are working. Thanks!

David Guertin
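The rootDSE check quoted above pipes ldapsearch into grep; as an added example (not from this thread or from the FreeIPA project), here is a small checker that unfolds LDIF continuation lines before looking for the extended-operation OID, since a value wrapped across a fold would not match a plain grep. The sample rootDSE excerpt is constructed, and running it against a live server assumes ldapsearch is installed.

```python
"""Check whether an IPA server advertises the trusted-domain extended
operation (OID 2.16.840.1.113730.3.8.10.4) in its rootDSE."""
import subprocess

TRUST_EXOP_OID = "2.16.840.1.113730.3.8.10.4"


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the
    previous line so wrapped attribute values are compared whole."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def rootdse_exop_lines(ldif_text, oid=TRUST_EXOP_OID):
    """Return (attribute, value) pairs whose value is exactly `oid`.
    The thread expects 1 such line (2 on RHEL 7.1) per server."""
    hits = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.strip() == oid:
            hits.append((attr.strip(), value.strip()))
    return hits


def server_supports_trust_exop(host):
    """Run the same base-scope rootDSE search the thread suggests against
    `host` and report whether the exop OID is advertised."""
    result = subprocess.run(
        ["ldapsearch", "-h", host, "-x", "-b", "", "-s", "base"],
        capture_output=True, text=True, check=False)
    return len(rootdse_exop_lines(result.stdout)) > 0


# Constructed rootDSE excerpt; the OID is split across an LDIF fold,
# which is exactly the case a line-oriented grep would miss.
SAMPLE_WITH_EXOP = """dn:
objectClass: top
namingContexts: dc=example,dc=test
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.
 4
"""

# Constructed rootDSE of a replica where ipa-adtrust-install was not run.
SAMPLE_WITHOUT_EXOP = """dn:
objectClass: top
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""
```

A replica that returns no hit is the "Protocol error" case described above: SSSD on the client will fail against it even though the trust itself was added once elsewhere.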
