>The most likely reason for 'Protocol error' is that the server this client is
>connected to does not support the special LDAP extended operation used by
>SSSD on IPA clients to get the data for users and groups from trusted
>domains. And the most likely reason for this is that ipa-adtrust-install is not
>run on that server. Please note that while 'ipa trust-add ...' must be only run
>once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g. to
>enable the LDAP extended operation mentioned above.
>You can check if the exop is enabled on the servers by running
>ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.
>on each server. You should see 1, for RHEL-7.1 even 2 lines of output.

You are correct; I had not run ipa-adtrust-install on the replica servers. I have done that, and now the ldapsearch command works correctly and the "Protocol error" statement is gone from the logs. But there was something else going on and users still could not log in to the

The log files indicated that there was a permissions problem with /tmp. I changed it to root:root 777, and now logins are working. Thanks!

David Guertin
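The per-server check from the quoted reply, turned into a small script that reads each server's root DSE and reports whether the trusted-domain extended operation is advertised. This is an added example, not from the thread; it assumes the exop appears as a supportedExtension value of the root DSE under the OID prefix given above, and the sample LDIF is constructed.

```sh
#!/bin/sh
# Added example (not from the original thread): report which IPA servers
# advertise the SSSD trusted-domain extended operation that
# ipa-adtrust-install enables, by querying each root DSE as in the reply.
# Assumption: the exop is listed as supportedExtension under this prefix.
OID_PREFIX='2.16.840.1.113730.'
OID_RE=$(printf '%s' "$OID_PREFIX" | sed 's/\./\\./g')   # literal dots

# count_exop ROOTDSE_LDIF
# Prints how many supportedExtension lines carry the prefix; exits non-zero
# when none do, so callers can branch on the result. Only supportedExtension
# is counted: controls under the same OID arc are not the exop.
count_exop() {
    n=$(printf '%s\n' "$1" | grep -c "^supportedExtension: ${OID_RE}") || n=0
    printf '%s\n' "$n"
    [ "$n" -gt 0 ]
}

# check_server HOST
# Anonymous root-DSE query (as in the thread), then a per-host verdict.
check_server() {
    out=$(ldapsearch -h "$1" -x -b '' -s base supportedExtension 2>&1) || {
        printf '%s: ldapsearch failed: %s\n' "$1" "$out"; return 2; }
    if n=$(count_exop "$out"); then
        printf '%s: OK, %s exop line(s) advertised\n' "$1" "$n"
    else
        printf '%s: MISSING, ipa-adtrust-install not run here\n' "$1"; return 1
    fi
}

# Constructed sample root-DSE output for an offline self-check.
# The extension OIDs below are placeholders, not the real exop OIDs.
SAMPLE_OK='dn:
objectClass: top
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.0.0.1
supportedExtension: 2.16.840.1.113730.0.0.2'
SAMPLE_MISSING='dn:
objectClass: top
supportedControl: 2.16.840.1.113730.3.4.2
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# Usage: ./check_exop.sh ipa1.example.test ipa2.example.test ...
# With no hosts given, run the self-check on the constructed samples.
if [ $# -gt 0 ]; then
    for host in "$@"; do check_server "$host"; done
else
    count_exop "$SAMPLE_OK" >/dev/null && echo "sample OK: exop found"
    count_exop "$SAMPLE_MISSING" >/dev/null || echo "sample MISSING: no exop"
fi
```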

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
