If the trust was added successfully and IPA servers were promoted to Trust Controllers or Trust Agents with ipa-adtrust-install, then you followed the necessary setup steps.

The 's2n' log messages are client-specific requests made to the IPA server for AD trust user and group information. These ipa_s2n* errors will require you to analyze the IPA server SSSD logs from the same timeframe as the client failures to understand why the IPA server failed to respond to the client request for AD trust object information. I would suggest first checking the domain log to see if the AD domain is getting marked offline by SSSD.

The information here may be helpful for you:

   https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Kind regards,
Justin Stephenson

On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote:
Hi,

I have a working trust between my IPA server and an AD domain; I can look up accounts
and log in to the IPA-server using AD accounts. I am however unable to do the same
when I connect a client to the IPA-server; the local IPA-accounts are available, such
as admin, but not AD accounts. I have tried to do a realm join and also using the
ipa-client-install directly without success. Are there any additional steps that
need to be done to access accounts over the trust? I have some debug output on
pastebin also: https://pastebin.com/xy9SbCw4

Regards
Henrik



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
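
One way to do the correlation suggested in the reply above (client-side ipa_s2n* errors against "offline" entries in the IPA server's SSSD domain log), as an added example that is not part of the original thread or of SSSD's tooling. The log line layout, the 60-second window, the substring match on "offline", and the function names in the sample lines are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed debug-log layout: "(Mon Jan 22 14:40:05 2018) [sssd[be[dom]]] [func] (0x0040): msg"
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[\S+\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")

def parse(lines):
    """Yield (timestamp, function, message) for every line in the assumed layout."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # continuation lines or other layouts are skipped
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        yield ts, m["func"], m["msg"]

def correlate(client_lines, server_lines, window=timedelta(seconds=60)):
    """Pair each client ipa_s2n* entry with server entries mentioning 'offline' nearby in time."""
    offline = [e for e in parse(server_lines)
               if "offline" in e[1].lower() or "offline" in e[2].lower()]
    report = []
    for ts, func, _msg in parse(client_lines):
        if func.startswith("ipa_s2n"):
            near = [e for e in offline if abs(e[0] - ts) <= window]
            report.append((ts, func, near))
    return report

# Constructed sample lines with placeholder function names (not from the pastebin or a real host).
CLIENT_SAMPLE = [
    "(Mon Jan 22 14:40:05 2018) [sssd[be[ipa.example.test]]] [ipa_s2n_example_done] (0x0040): constructed failure",
    "(Mon Jan 22 15:10:00 2018) [sssd[be[ipa.example.test]]] [ipa_s2n_example_done] (0x0040): constructed failure",
]
SERVER_SAMPLE = [
    "(Mon Jan 22 14:39:50 2018) [sssd[be[ipa.example.test]]] [example_mark_offline] (0x1000): constructed: AD domain marked offline",
    "(Mon Jan 22 14:41:30 2018) [sssd[be[ipa.example.test]]] [example_check] (0x0400): constructed: back online",
]

if __name__ == "__main__":
    for ts, func, near in correlate(CLIENT_SAMPLE, SERVER_SAMPLE):
        status = "server log shows offline nearby" if near else "no offline event nearby"
        print(ts, func, status)
        for e in near:
            print("    ", e[0], e[1], e[2])
```

For real use, pass in the lines of the SSSD domain log from the client and from the IPA server in place of the two sample lists, and make sure both hosts' clocks are in sync before trusting the time window.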
