On Tue, 10 Jul 2018, tolotos--- via FreeIPA-users wrote:
Hi,

we have a setup with a Forest Trust to an AD Domain.

Everything looks good on the FreeIPA servers themselves. We can see user
information if we do "getent passwd user@ad.domain" or "id
user@ad.domain" or "sssctl user-checks user@ad.domain".

But on a connected client, we get only the user of the IPA domain and
no user information on the AD user.

In the logs, we found no obvious error.
The only thing we see in sssd.log is:
(Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=user@ad.domain]
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.

Enable sssd logs on the IPA server (debug_level=9 in the domain section),
restart sssd, retry access for the client so that you get the same s2n
exop request failed response. Collect logs from the sssd domain log for the
time period, show them.

Also show versions of freeipa-server and sssd.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
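
An added example, not part of the original messages and not FreeIPA or SSSD code: one way to pull the failed s2n lookups for a given time period out of an SSSD domain log, as the reply asks. It assumes the entry layout of the lines quoted in the thread; the function names and the embedded sample are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: log lines quoted in the thread, wrapped as in the mail.
SAMPLE_LOG = """\
(Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]]
[delayed_online_authentication_callback] (0x0200): Backend is online, starting
delayed online authentication.
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler]
(0x0200): Got request for [0x1][BE_REQ_USER][name=user@ad.domain]
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040):
ldap_extended_operation result: No such object(32), (null).
(Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done]
(0x0040): s2n exop request failed.
"""

NEW_ENTRY = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d")  # "(Tue Jul 10", not "(0x0200)"
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
                   r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
REQUEST = re.compile(r"Got request for .*\[name=(?P<name>[^\]]+)\]")
RESULT = re.compile(r"result: (?P<text>.+?)\((?P<code>\d+)\)")

def parse_entries(text):
    """Rejoin wrapped lines, then split each entry into its fields."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if NEW_ENTRY.match(line):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line  # continuation of the previous entry
    entries = [m.groupdict() for m in map(ENTRY.match, joined) if m]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
    return entries

def failed_s2n_lookups(entries, start, end):
    """Pair each account request in [start, end] with a non-zero s2n exop result."""
    failures, pending = [], None
    for e in (e for e in entries if start <= e["ts"] <= end):
        req = REQUEST.search(e["msg"])
        if e["func"] == "dp_get_account_info_handler" and req:
            pending = req.group("name")
        elif e["func"] == "ipa_s2n_exop_done" and pending:
            res = RESULT.search(e["msg"])
            if res and res.group("code") != "0":
                failures.append((e["ts"], pending, res.group("text"), int(res.group("code"))))
            pending = None
    return failures
```

Run against the client log this gives the timestamps to look for in the server-side domain log once debug_level=9 is set there.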