On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
> there is a master IPA which in some weird way puts AD users into its ldap
> catalog. I say weird cause there is no trust nor other sync established,
> there was a trust agreement, one way type, but now 'trust-find' shows
> nothing, that trust was removed.
> but still when I create a user @AD DS a second later I see it in IPA's ldap,
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=c
> how to trace the culprit config responsible for this?
> and funny(?) thing is that these users do not get replicated to IPA
Did you remove the trust on the AD side as well. If not SSSD running on
the IPA server might still have valid credentials in a keytab in
/var/lib/sss/db and is able to read the user data from AD.
> many thanks,
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project