On Fri, Mar 27, 2015 at 05:16:20PM +0000, Guertin, David S. wrote:
> >The most likely reason for 'Protocol error' is that the server this client is
> >connected to does not support the special LDAP extended operation used by
> >SSSD on IPA clients to get the data for users and groups from trusted
> >domains. And the most likely reason for this is that ipa-adtrust-install is 
> >not
> >run on that server. Please note that while 'ipa trust-add ...' must be only 
> >run
> >once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g. 
> >to
> >enable the LDAP extended operation mentioned above.
> >
> >You can check if the exop is enabled on the servers by running
> >
> >ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.
> >
> >on each server. YOu should see 1, for RHEL-7.1 even 2 lines of output.
> You are correct; I had not run ipa-adtrust-install on the replica servers. I 
> have done that, and now the 
> ldapsearch command works correctly and the "Protocol error" statement is gone 
> from the logs. But 
> there was something else going on and users still could not log in to the 
> client.
> The log files indicated that there was a permissions problem with /tmp. I 
> changed it to root: root 777, and 
> now logins are working. Thanks!

Thank you for the feedback. Please note that /tmp/ should be 1777
(sticky bit set) so that only owners can delete files.


> David Guertin

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to