It suddenly started to work... weird.

On both servers I changed dns_lookup_realm = true (was false)
stopped sssd and cleared the sssd cache
rm /var/lib/sss/db/*
started sssd and it works now

But I find it hard to believe that was the cause.
Is there a cache involved somewhere?

Rob Verduijn

2016-01-28 13:26 GMT+01:00 Rob Verduijn <>:
> Hello,
> I've set up an ipa-server with a one-way trust to a windows 2012r2
> controller.
> All works on this server.
> I can login with ad accounts on this server.
> I added an ipa replica, and checked it all worked.
> Now I tried
> ipa-trust-add --add-agents on the first ipa server.
> restarted ipa on both servers
> but this did not help
> then I did a
> ipa-adtrust-install on the second ipa server
> and an ipa trust-add --type=ad windows.domain
> all dns queries from the docs work
> I get both ipa servers returned in the queries.
> On the windows server and the ipa server.
> On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
> and get an answer
> On the second I get : unknown user
> What could be the cause of this, why does the second server not do
> ad-authentication?
> Rob Verduijn
