Hi all,

I set up an instance of FreeIPA server and established trust with AD domain. I 
configured AD users and they can successfully log in to the web UI. Then, I set 
up a replica. Although the trust is visible for that instance both in the web 
UI and CLI, AD users cannot log in to it, nor can I execute su - for them. Upon 
unsuccessful login I get this error message from web UI:

Runtime error
Web UI got in unrecoverable state during "profile" phase.

Technical details:

Cannot read property 'cn' of undefined
TypeError: Cannot read property 'cn' of undefined
    at Object.update_logged_in (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:18183)
    at Object.choose_profile (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:16656)
    at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:1190)
    at https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3478
    at Object.forEach (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:29752)
    at Object._run_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3442)
    at Object.next_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3904)
    at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3631)
    at c (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:60960)
    at Object.then.t.then (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:62246)

When I verify the trust on the replica server, it behaves exactly as 
described in the documentation:

[root@idm2 ~]# kinit testu...@domain.com
Password for testu...@domain.com: 
[root@idm2 ~]# kvno -S host idm2.ipa.domain.com
host/idm2.ipa.domain....@ipa.domain.com: kvno = 1
[root@idm2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kwhpOWN
Default principal: testu...@domain.com

Valid starting       Expires              Service principal
10/19/2017 08:35:05  10/19/2017 18:34:55  host/idm2.ipa.domain....@ipa.domain.com
        renew until 10/20/2017 08:34:49
10/19/2017 08:35:05  10/19/2017 18:34:55  krbtgt/ipa.domain.com....@domain.com
        renew until 10/20/2017 08:34:49
10/19/2017 08:34:55  10/19/2017 18:34:55  krbtgt/domain....@domain.com
        renew until 10/20/2017 08:34:49

What's more, FreeIPA can't seem to find testuser on the idm2 host:

[root@idm2 ~]# su - testu...@domain.com
su: user testu...@domain.com does not exist

Whereas this works on idm1, the primary FreeIPA server.

Can you please advise on how to solve it?

Many thanks,
Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
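The post shows two separate layers being exercised on the replica: the Kerberos cross-realm chain (kinit as the AD user, a kvno for the replica's host principal, klist showing the AD TGT, the cross-realm krbtgt and the host service ticket), and the identity lookup that su relies on (an NSS getpwnam call, which on an IPA client or server is answered by SSSD). The script below is an added example, not code from the post or from the FreeIPA project. It takes a klist dump and a yes/no getent result, checks that all three tickets of the chain are present, and names which layer is failing, so the "tickets obtained but su says the user does not exist" symptom is reported as an identity-lookup failure rather than a Kerberos one. The realm names, the hostname idm2.ipa.domain.com, the principal aduser@DOMAIN.COM and the embedded klist text are constructed assumptions modelled on the post, not copied from it.

```shell
#!/bin/sh
# Added example: separate a Kerberos-chain failure from an identity-lookup
# (NSS/SSSD) failure on a FreeIPA server that has an AD trust.
# Realm and host names below are assumptions modelled on the post.

AD_REALM="DOMAIN.COM"
IPA_REALM="IPA.DOMAIN.COM"
HOST_FQDN="idm2.ipa.domain.com"

# Constructed klist output (principals written out in full; not the post's text).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:krb_ccache_example
Default principal: aduser@DOMAIN.COM

Valid starting       Expires              Service principal
10/19/2017 08:35:05  10/19/2017 18:34:55  host/idm2.ipa.domain.com@IPA.DOMAIN.COM
        renew until 10/20/2017 08:34:49
10/19/2017 08:35:05  10/19/2017 18:34:55  krbtgt/IPA.DOMAIN.COM@DOMAIN.COM
        renew until 10/20/2017 08:34:49
10/19/2017 08:34:55  10/19/2017 18:34:55  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 10/20/2017 08:34:49'

# has_ticket KLIST_TEXT PRINCIPAL
# Returns 0 if some line of the klist dump ends with PRINCIPAL (the
# "Service principal" column is the last field of a ticket line).
has_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_chain KLIST_TEXT
# Verifies the three tickets an AD user needs to reach an IPA host:
#   1. the user's own TGT in the AD realm
#   2. the cross-realm TGT the AD KDC issues for the IPA realm
#   3. the service ticket for this host's principal in the IPA realm
# Prints one line per ticket; returns 0 only if none is missing.
check_chain() {
    klist_text=$1
    missing=0
    for princ in "krbtgt/$AD_REALM@$AD_REALM" \
                 "krbtgt/$IPA_REALM@$AD_REALM" \
                 "host/$HOST_FQDN@$IPA_REALM"; do
        if has_ticket "$klist_text" "$princ"; then
            echo "ok      $princ"
        else
            echo "MISSING $princ"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# classify CHAIN_OK GETENT_OK   (1 = works, 0 = fails)
# Maps the two layers to a single label. "su - user" resolves the account
# through NSS before Kerberos is ever consulted, so a full ticket chain
# together with "user does not exist" points at identity lookup (SSSD on
# this host), not at the trust itself.
classify() {
    case "$1$2" in
        11) echo "ok" ;;
        10) echo "identity-lookup-failure" ;;
        01) echo "kerberos-failure" ;;
        *)  echo "both-failing" ;;
    esac
}

# probe_live USER@REALM
# Real-world use on a server where the user already ran kinit: combines the
# current credential cache with an NSS lookup. Not called here so the
# script stays runnable offline.
probe_live() {
    if check_chain "$(klist)" >/dev/null; then chain=1; else chain=0; fi
    if getent passwd "$1" >/dev/null 2>&1; then nss=1; else nss=0; fi
    classify "$chain" "$nss"
}

# Offline demonstration of the post's replica symptom: chain complete,
# getent (standing in for su) failing.
if check_chain "$SAMPLE_KLIST"; then chain_ok=1; else chain_ok=0; fi
echo "replica verdict: $(classify "$chain_ok" 0)"
```

Run it as-is to see the constructed case reported as identity-lookup-failure; on a real server, call probe_live with the AD principal after kinit, and compare the verdicts from idm1 and idm2.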