> On Fri, 05 Jun 2015, Nathan Peters wrote:
>> I had originally set this up with AD trust but when we found out that
>> our alternative UPNs were not supported we switched to AD sync. I
>> removed the trust relationship from the web UI by deleting all trusts
>> showing in the UI.
>>
>> I then set it up for sync.
>>
>> Do I need to remove the trust from the command line as well? Does
>> deleting a trust in the web UI not remove *all* settings related to
>> that trust?
> No, it removes the trust the same way.
>
> However, do you have anything in /var/log/krb5kdc.log which points to
> SID filtering or a crash?
>
> --
> / Alexander Bokovoy
I have searched the entire /var/log/krb5kdc.log for the last week and there is nothing matching "sid" or "SID" in that file.

Here are the only relevant errors I could find in krb5kdc.log (filtered to remove duplicate entries):

Jun 04 23:06:43 dc1.ipadomain.net krb5kdc[1845](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0, <unknown client> for HTTP/dc1.ipadomain.net@ipadomain.net, Server not found in Kerberos database

And here are some things from the /var/log/dirsrv logs:

Jun 06 00:44:10 dc1.ipadomain.net krb5kdc[11447](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 11:54:37 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 13:46:07 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 13:50:52 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 18:38:18 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'
Jun 06 21:59:10 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/[email protected]'

So it appears that even though I removed the trust and rebooted both servers, there is still some remnant of it sticking around somewhere. The krb5kdc logs seem to indicate that we are still trying to get a shared ticket for the AD realm?
The dirsrv logs also seem to point to trying to get a ticket for that realm.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
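Added example, not part of the thread and not FreeIPA code: a small Python triage script for the situation described above. The KDC log entries quoted in the post say that some client asked this KDC for a cross-realm TGT (krbtgt/FOREIGN@LOCAL) that it no longer has a principal for. The script parses krb5kdc.log lines in that format and reports, per foreign realm, which client IPs are still making such requests and how often, so the remaining references to the old realm can be traced to specific hosts instead of being guessed at on the server. The log lines in SAMPLE_LOG are constructed, modelled on the format quoted in the post; the realm names AD.EXAMPLE.COM and IPADOMAIN.NET and the second client 10.5.5.12 are made up, since the post's realm names are redacted. The local realm is passed in by the caller and compared case-sensitively, as Kerberos realm names are.

```python
"""Triage /var/log/krb5kdc.log for cross-realm krbtgt lookups that the KDC
cannot serve any more, e.g. after an AD trust has been removed.

Added example, not FreeIPA code. Realm names below are hypothetical.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the krb5kdc.log format quoted in the
# post. Realm names and the second client IP (10.5.5.12) are made up.
SAMPLE_LOG = """\
Jun 04 23:06:43 dc1.ipadomain.net krb5kdc[1845](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET'
Jun 04 23:08:24 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET, Server not found in Kerberos database
Jun 04 23:09:01 dc1.ipadomain.net krb5kdc[1848](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: ISSUE: authtime 1433459341, etypes {rep=18 tkt=18 ses=18}, admin@IPADOMAIN.NET for HTTP/dc1.ipadomain.net@IPADOMAIN.NET
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET'
Jun 06 02:53:52 dc1.ipadomain.net krb5kdc[11449](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.57: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET, Server not found in Kerberos database
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](Error): TGS_REQ: UNKNOWN SERVER: server='krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET'
Jun 06 04:14:17 dc1.ipadomain.net krb5kdc[11449](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.12: PROCESS_TGS: authtime 0, <unknown client> for krbtgt/AD.EXAMPLE.COM@IPADOMAIN.NET, Server not found in Kerberos database
Jun 06 11:54:37 dc1.ipadomain.net krb5kdc[11450](Error): TGS_REQ: UNKNOWN SERVER: server='ldap/oldhost.ipadomain.net@IPADOMAIN.NET'
Jun 06 11:54:37 dc1.ipadomain.net krb5kdc[11450](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.5.5.12: PROCESS_TGS: authtime 0, <unknown client> for ldap/oldhost.ipadomain.net@IPADOMAIN.NET, Server not found in Kerberos database
"""

# The (Error) line names the missing cross-realm principal ...
ERROR_RE = re.compile(
    r"krb5kdc\[\d+\]\(Error\): TGS_REQ: UNKNOWN SERVER: "
    r"server='krbtgt/(?P<foreign>[^@']+)@(?P<local>[^']+)'"
)
# ... and the matching (info) PROCESS_TGS line carries the client address.
INFO_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ \([^)]*\) (?P<ip>[0-9a-fA-F.:]+): "
    r"PROCESS_TGS: .*? for (?P<service>[^@,\s]+)@(?P<realm>[^,\s]+), (?P<msg>.*)$"
)


def parse_kdc_log(text, local_realm):
    """Return (errors, requests).

    errors:   Counter of UNKNOWN SERVER errors per foreign realm, i.e. how
              often krbtgt/FOREIGN@local_realm was asked for and not found.
    requests: {foreign_realm: Counter({client_ip: n})} built from the
              PROCESS_TGS lines, so each lookup is attributed to a host.
    Ordinary unknown services (ldap/..., HTTP/...) are deliberately ignored.
    """
    errors = Counter()
    requests = defaultdict(Counter)
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            if m.group("local") == local_realm:
                errors[m.group("foreign")] += 1
            continue
        m = INFO_RE.search(line)
        if not m:
            continue
        service = m.group("service")
        if not service.startswith("krbtgt/"):
            continue
        foreign = service.split("/", 1)[1]
        if foreign == local_realm or "not found" not in m.group("msg"):
            continue
        requests[foreign][m.group("ip")] += 1
    return errors, dict(requests)


def noisy_clients(requests):
    """Total cross-realm krbtgt lookups per client IP, most active first."""
    totals = Counter()
    for per_ip in requests.values():
        totals.update(per_ip)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def format_report(errors, requests):
    """Human-readable summary, returned as text so it can be printed or checked."""
    if not errors and not requests:
        return "no cross-realm krbtgt lookups found"
    lines = []
    for realm, n in sorted(errors.items()):
        lines.append(f"{realm}: {n} UNKNOWN SERVER error(s) for krbtgt/{realm}")
        per_ip = requests.get(realm, {})
        for ip, count in sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0])):
            lines.append(f"    {ip}: {count} request(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: kdc_triage.py /var/log/krb5kdc.log LOCAL.REALM  (sample data otherwise)
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        local_realm = sys.argv[2]
    else:
        text, local_realm = SAMPLE_LOG, "IPADOMAIN.NET"
    print(format_report(*parse_kdc_log(text, local_realm)))
```

Run it against the real file as `python3 kdc_triage.py /var/log/krb5kdc.log IPADOMAIN.NET` (replace the realm with your own, in upper case). The client IPs it lists are the hosts whose Kerberos or SSSD configuration still refers to the removed realm; that is where the remaining references live, independently of whatever trust objects are or are not left on the IPA server.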
