[Freeipa-users] replica running trust-agents can't resolve AD users - which of these sssd errors should I be focusing on?

Chris Dagdigian dag at sonsorol.org
Fri Dec 23 14:58:19 UTC 2016


Oddly enough the keytab location on the replica is sort of empty ...

  ls -al /var/lib/sss/keytabs/

total 4
drwx------. 2 sssd sssd  32 Dec 23 13:58 .
drwxr-xr-x. 9 root root  94 Dec 19 17:05 ..
-rw-------  1 sssd sssd 219 Dec 20 20:40 company.org.keytab



Jakub Hrozek wrote:
> In addition, can you also see if the keytab with the trust principal is
> there? Probably it would be /var/lib/sss/keytabs/shanetest.org.
>
> At 15:43:11, sssd tried to fetch the keytab for this trust:
> (Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_server_trusted_dom_setup_1way] (0x0400): Will re-fetch keytab for shanetest.org
> (Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for companyidm$@SHANETEST.ORG from usaeilidmp002.companyidm.org into /var/lib/sss/keytabs/shanetest.org.keytabRw7Iai using ccache /var/lib/sss/db/ccache_companyidm.ORG
>
> But fails:
> SASL Bind failed Can't contact LDAP server (-1) !
> Failed to bind to server!
> Failed to get keytab
> (Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_done] (0x0040): ipa-getkeytab failed with status [2304]
> (Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_recv] (0x2000): ipa-getkeytab status 2304
> (Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_server_trust_1way_kt_done] (0x0080): ipa_getkeytab_recv failed: 1432158265
>
> What I don't see in the logs, though is that if we try and re-fetch the
> keytab after going online (we should, though).
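
Added example, not part of the original messages and not SSSD code: a Python script that pairs each `ipa_getkeytab_send` line in an SSSD backend log with the `ipa-getkeytab failed` line that follows it, then lists trusts that have no keytab in a directory listing. The function names are hypothetical, and the `<realm>.keytab` file name is an assumption taken from the paths shown in the log and the `ls` output.

```python
import re

# sssd backend log line: (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<be>[^\]]+)\]\]\] "
                  r"\[(?P<fn>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
RETRIEVE = re.compile(r"Retrieving keytab for (?P<principal>\S+) from (?P<server>\S+) "
                      r"into (?P<tmpfile>\S+) using ccache (?P<ccache>\S+)")
FAILED = re.compile(r"ipa-getkeytab failed with status \[(?P<status>\d+)\]")

# Sample input: lines from the quoted log above, whitespace normalised.
SAMPLE_LOG = """\
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_server_trusted_dom_setup_1way] (0x0400): Will re-fetch keytab for shanetest.org
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for companyidm$@SHANETEST.ORG from usaeilidmp002.companyidm.org into /var/lib/sss/keytabs/shanetest.org.keytabRw7Iai using ccache /var/lib/sss/db/ccache_companyidm.ORG
SASL Bind failed Can't contact LDAP server (-1) !
Failed to bind to server!
Failed to get keytab
(Thu Dec 22 15:43:11 2016) [sssd[be[companyidm.org]]] [ipa_getkeytab_done] (0x0040): ipa-getkeytab failed with status [2304]
"""

def failed_keytab_fetches(log_text):
    """Return one record per ipa-getkeytab attempt that ended in failure."""
    pending, failures, last = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            # Unprefixed lines are the helper's own output; keep them with the attempt.
            if line and last in pending:
                pending[last]["helper_output"].append(line)
            continue
        be, fn, msg = m["be"], m["fn"], m["msg"]
        if fn == "ipa_getkeytab_send" and (r := RETRIEVE.search(msg)):
            trust = r["principal"].rpartition("@")[2].lower()
            pending[be] = {"time": m["ts"], "backend": be, "trust": trust,
                           **r.groupdict(), "helper_output": []}
            last = be
        elif fn == "ipa_getkeytab_done" and (f := FAILED.search(msg)) and be in pending:
            failures.append({**pending.pop(be), "status": int(f["status"])})
    return failures

def trusts_without_keytab(failures, keytab_files):
    """Trusts whose fetch failed and that have no <realm>.keytab in the listing."""
    return sorted({f["trust"] for f in failures
                   if f["trust"] + ".keytab" not in keytab_files})

if __name__ == "__main__":
    fails = failed_keytab_fetches(SAMPLE_LOG)
    for f in fails:
        print(f["time"], f["trust"], f["server"], f["status"], f["helper_output"])
    print(trusts_without_keytab(fails, ["company.org.keytab"]))
```
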



