[Freeipa-users] it's a weird one - how AD users get into IPA ?
Sumit Bose
sbose at redhat.com
Fri Jun 10 09:08:06 UTC 2016
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> eg.
>
> dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
> cnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?
>
> and funny(?) thing is that these users do not get replicated to IPA
> replicas.
Did you remove the trust on the AD side as well? If not, SSSD running on
the IPA server might still have valid credentials in a keytab in
/var/lib/sss/db and be able to read the user data from AD.
HTH
bye,
Sumit
>
> many thanks,
>
> L
>