Hi and thank you, I’ve enabled debug on the IPA server, to me it looks like it’s trying to lookup the account in AD (testu...@corp2.ad2.test.net) but ends up looking for the username at the IPA-domain in the end?
sssd_idm.test.net.log: https://pastebin.com/Az9kyiaK sssd_nss.log: https://pastebin.com/sx4yfZCB Regards Henrik > On 22 Jan 2018, at 21:37, Justin Stephenson <jstep...@redhat.com> wrote: > > If the trust was added successfully and IPA servers were promoted to Trust > Controllers or Trust Agents with ipa-adtrust-install then you followed the > necessary setup steps. > > The 's2n' log messages are client-specific requests made to the IPA server > for AD trust user and group information. These ipa_s2n* errors will require > you to analyze the IPA server SSSD logs at the same timeframe as the client > failures to understand why the IPA server failed to respond to the client > request for AD trust object information. I would suggest first checking the > domain log if the AD domain is getting marked offline by SSSD. > > The information here may be helpful for you > > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html > > Kind regards, > Justin Stephenson > >> On 01/22/2018 02:45 PM, Henrik Johansson via FreeIPA-users wrote: >> Hi, >> I have a working trust between my IPA server and an AD domain, I can lookup >> accounts and login to the IPA-server using AD accounts. I am however unable >> to to do the same when I connect a client to the IPA-server, the local >> IPA-accounts are available such as admin, but not AD accounts. I have tried >> to to a realm join and also using the ipa-client-install directly without >> success. Are there any additional steps that needs to be done to access >> accounts over the trust? I have some debug output on pastebin also: >> https://pastebin.com/xy9SbCw4 <https://pastebin.com/xy9SbCw4> >> Regards >> Henrik >> _______________________________________________ >> FreeIPA-users mailing list -- email@example.com >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org