Hi everybody,
I have an IPA setup with AD trust and when I added a new group in AD it is detected only on one ipa server (I have 2 ipa servers in replication mode). getent group correctly returns the group only on one IPA server, therefore only the ipa clients enrolled to that ipa server can see the group. In the sssd logs I can see the following error:
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
If I try to add the AD group as an external member to an IPA group by executing ipa group-add-member ad_group --external "infosec@example.local", I get the following error:
member group: infosec@example.local: trusted domain object not found
Any idea how can I solve or troubleshoot it?
iulian roman via FreeIPA-users wrote:
Did you run ipa-adtrust-install on the other servers? They need to be configured as trust agents.
rob
Both IPA servers are configured as trust agents. For all the other groups everything works as expected; only the newly defined group is not displayed on one of the IPA servers.
Regards, iulian
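A diagnostic script along the lines of Rob's suggestion, added here as an example and not taken from the thread or the FreeIPA project: it reports which IPA masters do not hold the "AD trust agent" role and then checks whether SSSD on the local server resolves the group. The hostnames, the group name and the sample server-role-find output are assumptions; the guarded section only runs where the ipa client is installed and an admin ticket is available.

```bash
#!/bin/bash
# Added diagnostic (assumed hostnames/group name), not code from the thread.
set -u

# Print masters that do not have the "AD trust agent" role enabled.
# $1 = all masters, one per line
# $2 = text output of `ipa server-role-find --role="AD trust agent"`
missing_trust_agents() {
  local all="$1" roles="$2" enabled host
  # Collect "Server name:" entries whose "Role status:" is enabled.
  enabled=$(printf '%s\n' "$roles" | awk '
    /Server name:/ { name = $3 }
    /Role status:/ && $3 == "enabled" { print name }')
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    printf '%s\n' "$enabled" | grep -qx "$host" || printf '%s\n' "$host"
  done <<EOF
$all
EOF
}

# Ask SSSD (via NSS) for the group; prints "ok" or "missing".
# $1 = group name as seen by SSSD, e.g. infosec@example.local
resolve_group() {
  if getent group "$1" >/dev/null 2>&1; then echo ok; else echo missing; fi
}

# Live check: runs only on a host with the ipa client (needs a Kerberos ticket).
if command -v ipa >/dev/null 2>&1; then
  masters=$(ipa server-find 2>/dev/null | awk '/Server name:/ { print $3 }')
  roles=$(ipa server-role-find --role="AD trust agent" 2>/dev/null)
  missing=$(missing_trust_agents "$masters" "$roles")
  if [ -n "$missing" ]; then
    echo "masters without the AD trust agent role (see ipa-adtrust-install --add-agents):"
    echo "$missing"
  fi
  # A stale negative cache entry can hide a newly created AD group; flush and retry.
  sss_cache -E 2>/dev/null || true
  echo "infosec@example.local on $(hostname): $(resolve_group infosec@example.local)"
fi
```

Run it on each IPA master and compare the last line; a server that reports "missing" while holding the trust agent role is the one whose SSSD log is worth reading next.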
freeipa-users@lists.fedorahosted.org