The clocks are in sync and yes, I can kinit successfully on the replica as
an AD user@AD domain.

One thing I noticed in the Web UI as admin user, browsing to Identity ->
Groups -> ad_external_group -> External, on the primary IPA server, I see:

ad_user@ad_domain

but on the replica, instead of the u...@domain.tld string I just see a SID.

On Fri, Jun 30, 2017 at 4:02 AM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 06/29/2017 09:47 PM, Jason Hensley via FreeIPA-users wrote:
>
>> Hello,
>>
>>   I have set up a pair of FreeIPA 4.5.2 servers.  One via
>> ipa-server-install, the other via ipa-replica-install.  I have tried
>> them both as trust controllers and I have tried them in a
>> controller/agent setup.
>>
>>   My problem is that no AD users can log in to the self-service UI on the
>> secondary IPA server.  Is this by design, or is it merely a bug?  I can
>> provide more details/logs/configs on request.
>>
> Hi,
>
> Did you also open the required ports on the replica?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#trust-req-ports
>
> You can also check that the clocks are in sync and that kinit
> adu...@ad.domain.com succeeds on the replica.
>
> Flo
>
>>
>>  Thanks,
>> Jason
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>