[Freeipa-users] it's a weird one - how AD users get into IPA ?

lejeczek peljasz at yahoo.co.uk
Fri Jun 10 14:41:47 UTC 2016


On Fri, 2016-06-10 at 11:08 +0200, Sumit Bose wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> > 
> > there is a master IPA which in some weird way puts AD users into its ldap
> > catalog. I say weird cause there is no trust nor other sync established,
> > there was a trust agreement, one way type, but now 'trust-find' shows
> > nothing, that trust was removed.
> > 
> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > eg.
> > 
> > dn: uid=ccnrtest at ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > 
> > how to trace the culprit config responsible for this?
> > 
> > and funny(?) thing is that these users do not get replicated to IPA replicas.
> 
> Did you remove the trust on the AD side as well? If not, SSSD running on
> the IPA server might still have valid credentials in a keytab in
> /var/lib/sss/db and is able to read the user data from AD.
nope, no agreements left @AD,
I tried: $ sss_cache -E -d ad.domain
but it segfaulted:
[1316003.857780] sss_cache[31028]: segfault at 0 ip 00007fab730f434c sp 00007fffbf576c10 error 4 in libsss_util.so[7fab730c8000+68000]
so that would be sssd actually pulling and inserting these entries in
IPA's ldap?
many thanks,
L
> HTH
> 
> bye,
> Sumit
> 
> 
> > 
> > 
> > many thanks,
> > 
> > L
> > 