[Freeipa-users] ipa replica is ad trust controller but refuses ad users

Jakub Hrozek jhrozek at redhat.com
Thu Jan 28 14:36:04 UTC 2016


On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> hmmm
> It suddenly started to work.....weird.
> 
> On both servers I changed dns_lookup_realm = true (was false)
> stopped sssd and cleared the sssd cache
> rm /var/lib/sss/db/*
> started sssd and it works now

It's hard to tell w/o logs but the sssd re-fetches the keytab it uses to
establish the connection to the AD DCs on sssd restart (we implemented
this precisely so that admins have a known point -- sssd restart) when
things go wrong. Maybe sssd just picked the trust keytab only after
restart, not sure..



