[Freeipa-users] Re: Replica can ipa-find but can't id

[Alexander Bokovoy via FreeIPA-users]

On pe, 15 kesä 2018, Lachlan Musicman via FreeIPA-users wrote:

CentOS 7.5
ipa --version VERSION: 4.5.4, API_VERSION: 2.228

When on my replica, and I use

ipa idoverrideuser-find 'Default Trust View' <user> I get the expected
results:

--------------------------
1 User ID override matched
--------------------------
 Anchor to override: :SID:S-1-5-21-55386287-1424373824-1154838474-51686
 User login: <user>
 UID: 1503
 GECOS: User Name
 GID: 1503
 Home directory: /home/uname
 Login shell: /bin/bash
----------------------------
Number of entries returned 1
----------------------------

But when I do

id <user>

I get

id: uname: no such user


What have I done wrong?

I've also seen the error listed on this thread - could it be that my
replica is not a trust agent?

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/6LDXSQW5H3CE44CVXPMK53FOMG4LBGYN/

Having read

https://bugzilla.redhat.com/show_bug.cgi?id=1206613
and
https://pagure.io/freeipa/issue/7410

I see that I can test this

[root@ipa-replica ~]# ipa server-show
Server name: ipa-master.company.com
 Server name: ipa-master.company.com
 Managed suffixes: domain, ca
 Min domain level: 0
 Max domain level: 1
 Enabled server roles: CA server, NTP server, AD trust agent, AD trust
controller
[root@ipa-replica ~]# ipa server-show
Server name: ipa-replica.company.com
 Server name: ipa-replica.company.com
 Managed suffixes: domain, ca
 Min domain level: 0
 Max domain level: 1
 Enabled server roles: CA server, NTP server

It's not a trust agent or controller. I presume it should be? Yes, having
now read to the end of ticket 7410 I see that I should have set the replica
up with --setup-adtrust

No, you don't need that. You need it to be a trust agent, not a trust
controller.

https://github.com/freeipa/freeipa/pull/1825

And from here
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/

it looks like I need to run

ipa-adtrust-install --add-agents

on the master and follow the prompts?

Exactly.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/7VPWB4E4II5UT2D3AZPTFRO42AV3JD43/