On Thu, Apr 25, 2024 at 03:03:41PM -0000, slek kus via FreeIPA-users wrote:
> Hi, the only replica cannot retrieve AD trust users (one way trust). Trust
> agent had been installed on this replica.
> I noticed this issue, since clients that point to the replica started to fail
> authenticating users. This replica worked OK before.
> Everything functions and syncs except for the AD user lookup. Overrides are
> synced over, but the replica cannot find the user.
>
> Can't get it fixed. Is this repairable? Can I uninstall the replica and
> reinstall?
>
> [root@idm01 ~]# ipa server-role-find
> -----------------------
> 10 server roles matched
> -----------------------
> Server name: idm01.linux.redacted.domain
> Role name: AD trust agent
> Role status: enabled
>
> Server name: idm02.linux.redacted.domain
> Role name: AD trust agent
> Role status: enabled
>
> Server name: idm01.linux.redacted.domain
> Role name: AD trust controller
> Role status: enabled
>
> Server name: idm02.linux.redacted.domain
> Role name: AD trust controller
> Role status: enabled
>
> <...>
>
> On the main server, the AD user can be looked up. On the "replica" it returns
> empty.
>
> working on main server:
> [root@idm01 ~]# getent passwd [email protected]
> [email protected]:*:683005154:683005154:CHANGED:/home/testuser:/usr/bin/bash
>
>
>
> Checking the sssd_domain.log of the replica, I see the message that the
> domain is not active while fetching the AD user. Further in the same log there's
> mention of another subdomain being inactive.
> The trust is with an AD forest with 2 subdomains.
> -----
> (2024-04-25 16:40:11): [be[linux.redacted.domain]]
> [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request
> failed: [1432158277]: Subdomain is inactive.
> * ... skipping repetitive backtrace ...
>
> <...>
>
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done]
> (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
Hi,
looks like DNS issues, does
host -t SRV _ldap._tcp.SUBDOMB.redacted.domain
return anything?
bye,
Sumit
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve
> primary servers [1432158238]: SRV lookup error
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolve_srv_done]
> (0x0040): [RID#33] Unable to resolve SRV [1432158238]: SRV lookup error
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send]
> (0x0020): [RID#33] No available servers for service
> 'sd_SUBDOMB.redacted.domain'
> * ... skipping repetitive backtrace ...
> (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request
> failed: [1432158277]: Subdomain is inactive.
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [be_resolve_server_done] (0x1000): [RID#33] Server [NULL] resolution failed:
> [5]: Input/output error
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [sdap_id_op_connect_done] (0x0400): [RID#33] Failed to connect to server, but
> ignore mark offline is enabled.
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [sdap_id_op_connect_done] (0x4000): [RID#33] notify error to op #1: 5
> [Input/output error]
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain
> SUBDOMB.redacted.domain offline
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain
> SUBDOMB.redacted.domain as inactive
> * (2024-04-25 16:39:44): [be[linux.redacted.domain]]
> [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request
> failed: [1432158277]: Subdomain is inactive.
> ********************** BACKTRACE DUMP ENDS HERE
> *********************************
>
> There are no replication issues:
> ----
> [root@idm01 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication
> [
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "WARNING",
>     "uuid": "4a5341db-bf65-4350-bf2c-c81872db536b",
>     "when": "20240425145134Z",
>     "duration": "0.391402",
>     "kw": {
>       "key": "DSREPLLE0002",
>       "items": [
>         "Replication",
>         "Conflict Entries"
>       ],
>       "msg": "There were 1 conflict entries found under the replication suffix \"dc=linux,dc=redacted,dc=domain\"."
>     }
>   }
> ]
>
>
>
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
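Sumit's "does host -t SRV ... return anything?" question, turned into a repeatable check for the replica. This is an added example, not code from the thread or from the FreeIPA/SSSD projects. It assumes `host` from bind-utils is installed on the replica, that its output looks like the constructed samples in the comments (the standard bind9 `host` wording), and that the domain names used are placeholders taken from the redacted log excerpt; the log file name it mentions is the `sssd_<domain>.log` the poster quotes, assumed to live under /var/log/sssd.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA/SSSD projects).
# 1. pull the subdomains SSSD marked inactive out of an sssd_<domain>.log excerpt
# 2. for each one, query the SRV names SSSD needs and classify the answer the
#    way SSSD's failover code experiences it
# Assumes: `host` (bind-utils) is installed; output wording as in the samples
# below; domain names are placeholders from the redacted log.

# inactive_subdomains LOGTEXT
# Print the (deduplicated) subdomains that SSSD marked inactive, e.g. from
#   ... [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
inactive_subdomains() {
    printf '%s\n' "$1" |
        sed -n 's/.*Marking subdomain \([^ ]*\) as inactive.*/\1/p' |
        sort -u
}

# classify_srv_output STATUS OUTPUT
# STATUS is the exit status of `host -t SRV NAME`, OUTPUT its stdout+stderr.
# Prints one of: ok | norecords | nxdomain | servfail | unreachable | error
#   unreachable : the resolver itself did not answer (constructed sample:
#                 ";; connection timed out; no servers could be reached");
#                 this is the case SSSD logs as "Could not contact DNS servers"
#   nxdomain    : the resolver answered but does not know the name/zone
#   servfail    : the resolver answered but could not get the data upstream
#   norecords   : the name exists but carries no SRV record
classify_srv_output() {
    status=$1
    output=$2
    case $output in
        *"no servers could be reached"*) echo unreachable ;;
        *"NXDOMAIN"*)                    echo nxdomain ;;
        *"SERVFAIL"*)                    echo servfail ;;
        *"has SRV record"*)              echo ok ;;
        *"has no SRV record"*)           echo norecords ;;
        *) [ "$status" -eq 0 ] && echo norecords || echo error ;;
    esac
}

# srv_targets OUTPUT
# From lines like (constructed sample)
#   _ldap._tcp.SUBDOMB.redacted.domain has SRV record 0 100 389 dc1.SUBDOMB.redacted.domain.
# print target:port, lowest priority first, highest weight first within a priority.
srv_targets() {
    printf '%s\n' "$1" |
        awk '/ has SRV record / { t = $8; sub(/\.$/, "", t); printf "%d %d %s:%s\n", $5, $6, t, $7 }' |
        sort -k1,1n -k2,2nr |
        awk '{ print $3 }'
}

# check_ad_domain DOMAIN
# Query the SRV names SSSD uses for an AD (sub)domain and report each verdict.
check_ad_domain() {
    domain=$1
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        name="$svc.$domain"
        if output=$(host -t SRV "$name" 2>&1); then status=0; else status=$?; fi
        verdict=$(classify_srv_output "$status" "$output")
        printf '%-50s %s\n' "$name" "$verdict"
        if [ "$verdict" = ok ]; then
            srv_targets "$output" | sed 's/^/    /'
        fi
    done
}

# Usage on the replica (domain names are arguments, so nothing runs without them):
#   sh srvcheck.sh SUBDOMB.redacted.domain
# or, taking the domains straight from the log the poster quotes:
#   inactive_subdomains "$(cat /var/log/sssd/sssd_linux.redacted.domain.log)" | xargs sh srvcheck.sh
for d in "$@"; do
    check_ad_domain "$d"
done
```

Run it on the replica and on the working server (idm01 in the thread) and compare. An `unreachable` verdict means the resolver listed in the replica's /etc/resolv.conf never answered, which matches the "Could not contact DNS servers" line in the quoted log; if the replica runs the integrated IPA DNS, that resolver is the local named, so check that it is running before looking further. `nxdomain` or `servfail` means the resolver answered but cannot resolve the AD zone, which points at how that zone is forwarded from the replica's DNS rather than at the resolver itself. Only an `ok` result with reachable targets rules DNS out as the cause of the subdomain being marked inactive.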