[Freeipa-users] ipa replica is ad trust controller but refuses ad users

Rob Verduijn rob.verduijn at gmail.com
Thu Jan 28 13:39:47 UTC 2016


hmmm
It suddenly started to work.....weird.

On both servers I changed dns_lookup_realm = true (was false)
stopped sssd and cleared the sssd cache
rm /var/lib/sss/db/*
started sssd and it works now

But I find it hard to believe that was the cause.
Is there a cache involved somewhere ?

Rob Verduijn

2016-01-28 13:26 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
> Hello,
>
> I've set up an ipa-server with a one-way trust to a windows 2012r2 controller.
> All works on this server.
> I can login with ad accounts on this server.
>
> I added an ipa replica, and checked it all worked.
>
> Now I tried
> ipa-trust-add --add-agents on the first ipa server.
> restarted ipa on both servers
>
> but this did not help
> then I did a
> ipa-adtrust-install on the second ipa server
> and an ipa trust-add --type=ad windows.domain
>
> all dns queries from the docs work
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration
>
> I get both ipa servers returned in the queries.
> On the windows server and the ipa server.
>
> On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
> and get an answer
> On the second I get : unknown user
>
> What could be the cause of this, why does the second server not do
> ad-authentication ?
>
> Rob Verduijn
