On Fri, Mar 27, 2015 at 05:16:20PM +0000, Guertin, David S. wrote:
> >The most likely reason for 'Protocol error' is that the server this client is
> >connected to does not support the special LDAP extended operation used by
> >SSSD on IPA clients to get the data for users and groups from trusted
> >domains. And the most likely reason for this is that ipa-adtrust-install is
> >run on that server. Please note that while 'ipa trust-add ...' must be run only
> >once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g.
> >to enable the LDAP extended operation mentioned above.
> >You can check if the exop is enabled on the servers by running
> >ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.1137126.96.36.199.4
> >on each server. You should see 1, on RHEL-7.1 even 2, lines of output.
> You are correct; I had not run ipa-adtrust-install on the replica servers. I
> have done that, and now the ldapsearch command works correctly and the
> "Protocol error" statement is gone from the logs. But there was something
> else going on and users still could not log in to the
> The log files indicated that there was a permissions problem with /tmp. I
> changed it to root:root 777, and now logins are working. Thanks!
Thank you for the feedback. Please note that /tmp/ should be 1777
(sticky bit set) so that only owners can delete files.
> David Guertin
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
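The /tmp permission point from the reply above, as an added example (not part of the thread): a small POSIX shell check that distinguishes a world-writable directory with the sticky bit (mode 1777, what /tmp should be) from a plain 777 directory, where any user can delete any other user's files, and fixes the latter. It assumes a GNU/Linux `stat -c` and runs only against a constructed temporary directory, never the real /tmp.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks that a shared
# world-writable directory such as /tmp carries the sticky bit (mode 1777),
# so that only a file's owner (or root) can delete it. Assumes GNU stat.

# Print the octal mode of a path (e.g. 1777); fails if the path is missing.
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Return 0 when the directory is mode 1777 (world-writable, sticky bit set),
# 1 when it is 777 (world-writable, no sticky bit: the trap in the thread),
# and 2 for anything else (not world-writable, or missing).
check_shared_tmp() {
    mode=$(dir_mode "$1") || return 2
    case "$mode" in
        1777) return 0 ;;
        777)  return 1 ;;
        *)    return 2 ;;
    esac
}

# Add the sticky bit (the chmod 1777 recommended in the reply) and re-check.
fix_shared_tmp() {
    chmod 1777 "$1" && check_shared_tmp "$1"
}

# Demonstration on a constructed directory; the real /tmp is left alone.
demo_dir=$(mktemp -d) || exit 1
chmod 777 "$demo_dir"
if check_shared_tmp "$demo_dir"; then
    echo "$demo_dir: mode $(dir_mode "$demo_dir") is fine"
else
    echo "$demo_dir: mode $(dir_mode "$demo_dir") is world-writable without the sticky bit"
fi
fix_shared_tmp "$demo_dir" && echo "$demo_dir: now mode $(dir_mode "$demo_dir")"
rmdir "$demo_dir"
```

Running `check_shared_tmp /tmp` on a host reports whether the directory matches the 1777 the reply asks for; a return code of 1 is exactly the root:root 777 state described in the thread.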