Hi and thank you,
I’ve enabled debug on the IPA server. To me it looks like it’s trying to look up the
account in AD (testuser@corp2.ad2.test.net) but ends up looking for the username at the
IPA-domain in the end?
sssd_idm.test.net.log:
On 22 Jan 2018, at 21:37, Justin Stephenson <jstephen(a)redhat.com> wrote:
If the trust was added successfully and IPA servers were promoted to Trust Controllers or
Trust Agents with ipa-adtrust-install then you followed the necessary setup steps.
The 's2n' log messages are client-specific requests made to the IPA server for AD
trust user and group information. These ipa_s2n* errors will require you to analyze the
IPA server SSSD logs at the same timeframe as the client failures to understand why the
IPA server failed to respond to the client request for AD trust object information. I
would suggest first checking the domain log if the AD domain is getting marked offline by
SSSD.
The information here may be helpful for you:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Kind regards,
Justin Stephenson
> On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote:
> Hi,
> I have a working trust between my IPA server and an AD domain, I can look up accounts
> and log in to the IPA-server using AD accounts. I am however unable to do the same when
> I connect a client to the IPA-server, the local IPA-accounts are available such as admin,
> but not AD accounts. I have tried to do a realm join and also using the ipa-client-install
> directly without success. Are there any additional steps that need to be done to access
> accounts over the trust? I have some debug output on pastebin also:
> https://pastebin.com/xy9SbCw4
> Regards
> Henrik