[Freeipa-users] Clients are reading AD info inconsistently
Sumit Bose
sbose at redhat.com
Fri Mar 27 17:36:26 UTC 2015
On Fri, Mar 27, 2015 at 05:16:20PM +0000, Guertin, David S. wrote:
> >The most likely reason for 'Protocol error' is that the server this client is
> >connected to does not support the special LDAP extended operation used by
> >SSSD on IPA clients to get the data for users and groups from trusted
> >domains. And the most likely reason for this is that ipa-adtrust-install is not
> >run on that server. Please note that while 'ipa trust-add ...' must be only run
> >once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g. to
> >enable the LDAP extended operation mentioned above.
> >
> >You can check if the exop is enabled on the servers by running
> >
> >ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.3.8.10.4
> >
> >on each server. You should see 1, for RHEL-7.1 even 2 lines of output.
>
> You are correct; I had not run ipa-adtrust-install on the replica servers. I have done that, and now the
> ldapsearch command works correctly and the "Protocol error" statement is gone from the logs. But
> there was something else going on and users still could not log in to the client.
>
> The log files indicated that there was a permissions problem with /tmp. I changed it to root: root 777, and
> now logins are working. Thanks!
Thank you for the feedback. Please note that /tmp/ should be 1777
(sticky bit set) so that only owners can delete files.
bye,
Sumit
>
> David Guertin
>
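The two checks discussed in this thread, as an added shell example that is not part of the original exchange: count the rootDSE lines advertising the trusted-domain extended operation on each IPA server (1 line expected, 2 on RHEL 7.1, 0 meaning ipa-adtrust-install has not been run there) and confirm that /tmp is mode 1777 rather than 0777. The host names, the use of GNU `stat -c '%a'`, and the sample rootDSE excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the original message).
# Checks every IPA server for the extdom LDAP extended operation and
# verifies that /tmp carries the sticky bit.

EXOP_OID='2.16.840.1.113730.3.8.10.4'

# Count rootDSE lines mentioning the exop OID (rootDSE text on stdin).
# grep -c prints 0 and exits 1 when nothing matches, so keep status 0.
count_exop_lines() {
    grep -cF "$EXOP_OID" || true
}

# 1 or 2 lines means the exop is advertised; 0 means the server is
# missing ipa-adtrust-install, which is what produced 'Protocol error'.
exop_count_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Query one server's rootDSE exactly as the thread does and report.
check_server_exop() {
    server="$1"
    n=$(ldapsearch -h "$server" -x -b '' -s base 2>/dev/null | count_exop_lines)
    if exop_count_ok "$n"; then
        echo "$server: exop advertised ($n line(s))"
    else
        echo "$server: exop MISSING, run ipa-adtrust-install on this server"
        return 1
    fi
}

# /tmp must be 1777: world-writable with the sticky bit, so a user can
# only delete their own files. Plain 777 (as in the thread) drops that.
tmp_mode_ok() {
    [ "$1" = "1777" ]
}

check_tmp() {
    mode=$(stat -c '%a' /tmp)   # GNU stat prints e.g. 1777 (assumed)
    if tmp_mode_ok "$mode"; then
        echo "/tmp mode $mode ok"
    else
        echo "/tmp mode $mode, expected 1777 (chmod 1777 /tmp)"
        return 1
    fi
}

# Constructed rootDSE excerpt as a RHEL 7.1 server might return it
# (two lines mention the OID). Used only to exercise count_exop_lines.
SAMPLE_ROOTDSE='dn:
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3'

main() {
    # Server names are placeholders; replace with the real IPA masters.
    for s in ipa1.example.test ipa2.example.test; do
        check_server_exop "$s"
    done
    check_tmp
}

# Run the live checks only when invoked as: sh check-ipa.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it on the client (or any host with ldapsearch) as `sh check-ipa.sh run`; a non-zero exit from any server line tells you which replica still needs ipa-adtrust-install.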