[Freeipa-users] ipa replica is ad trust controller but refuses ad users
Jakub Hrozek
jhrozek at redhat.com
Thu Jan 28 14:45:29 UTC 2016
On Thu, Jan 28, 2016 at 03:36:04PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> > hmmm
> > It suddenly started to work.....weird.
> >
> > On both servers I changed dns_lookup_realm = true (was false)
> > stopped sssd and cleared the sssd cache
> > rm /var/lib/sss/db/*
> > started sssd and it works now
>
> it's hard to tell w/o logs but the sssd re-fetches the keytab it uses to
> establish the connection to the AD DCs on sssd restart (we implemented
> this precisely so that admins have a known point -- sssd restart) when
> things go wrong. Maybe sssd just picked the trust keytab only after
> restart, not sure..

oops, sorry, wrong parens. sssd always re-fetches the keytab from the IPA
master it's running on, not only when things go wrong. The sssd restart
is just a way for the admin to trigger this.