On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> Hi everyone,
>
> There is a master IPA which in some weird way puts AD users into its LDAP
> catalog. I say weird because there is no trust nor other sync established;
> there was a trust agreement, one-way type, but now 'trust-find' shows
> nothing, that trust was removed.
>
> But still, when I create a user @AD DS, a second later I see it in IPA's LDAP,
> e.g.
>
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>
> How to trace the culprit config responsible for this?
>
> And the funny(?) thing is that these users do not get replicated to IPA
> replicas.
Did you remove the trust on the AD side as well? If not, SSSD running on the IPA server might still have valid credentials in a keytab in /var/lib/sss/db and is able to read the user data from AD.

HTH

bye,
Sumit

>
> many thanks,
>
> L
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
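The check Sumit suggests, as an added example that is not part of the thread and not FreeIPA's or SSSD's own tooling: compare the Kerberos realms for which SSSD still holds a keytab against the realms that `ipa trust-find` still reports, and print any realm that has credentials but no trust. Assumptions not taken from the thread: SSSD stores trust keytabs as /var/lib/sss/keytabs/<domain>.keytab (Sumit's reply points at /var/lib/sss/db; the directory is a parameter, so adjust it to your installation), `klist -k` prints each principal as the last field of its line, and `ipa trust-find` prints a "Realm name:" line per trust. The sample outputs embedded below are constructed for the example, including the principal name and the realm taken from the DN in the question.

```shell
#!/bin/sh
# Report AD realms for which SSSD on this IPA server still has a keytab even
# though `ipa trust-find` no longer lists a trust. Such a leftover keytab is
# what lets SSSD keep pulling AD users into the compat tree after the
# IPA-side trust object is gone.
#
# Assumptions (example code, not part of FreeIPA/SSSD): keytabs live under
# $KEYTAB_DIR as <domain>.keytab, `klist -k` prints "KVNO Principal" lines,
# and `ipa trust-find` prints "  Realm name: <domain>" per trust.

KEYTAB_DIR="${KEYTAB_DIR:-/var/lib/sss/keytabs}"

# stale_realms TRUSTFILE KLISTFILE
#   TRUSTFILE: captured `ipa trust-find` output
#   KLISTFILE: captured `klist -k` output for every SSSD keytab
# Prints each realm (upper-cased) found in a keytab principal but not listed
# as a trusted realm. Empty output means nothing is stale.
stale_realms() {
    awk '
        # First operand: collect trusted realms, upper-cased like Kerberos realms.
        FILENAME == ARGV[1] {
            if ($0 ~ /Realm name:/) {
                sub(/.*Realm name:[ \t]*/, "")
                trusted[toupper($0)] = 1
            }
            next
        }
        # Second operand: every principal line ends in "name@REALM".
        /@/ {
            realm = $NF
            sub(/.*@/, "", realm)
            if (!(realm in trusted) && !(realm in seen)) { seen[realm] = 1; print realm }
        }
    ' "$1" "$2"
}

# Constructed sample of `klist -k` for one leftover SSSD keytab
# (principal name and KVNO are made up for the example).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/var/lib/sss/keytabs/ccnr.aaa.private.dom.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 PRIVATE$@CCNR.AAA.PRIVATE.DOM
   3 PRIVATE$@CCNR.AAA.PRIVATE.DOM
EOF
}

# Constructed sample of `ipa trust-find` after the trust was removed on the IPA side.
sample_trust_none() {
    cat <<'EOF'
---------------
0 trusts matched
---------------
----------------------------
Number of entries returned 0
----------------------------
EOF
}

# Constructed sample of `ipa trust-find` while the trust still exists.
sample_trust_present() {
    cat <<'EOF'
---------------
1 trust matched
---------------
  Realm name: ccnr.aaa.private.dom
  Domain NetBIOS name: CCNR
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
EOF
}

# demo: run the check over the constructed samples (no IPA server needed).
demo() {
    d=$(mktemp -d) || return 1
    sample_klist > "$d/klist.txt"
    sample_trust_none > "$d/trust-none.txt"
    sample_trust_present > "$d/trust-present.txt"
    echo "trust removed on the IPA side, keytab still present:"
    stale_realms "$d/trust-none.txt" "$d/klist.txt"
    echo "trust still present (expect no output):"
    stale_realms "$d/trust-present.txt" "$d/klist.txt"
    rm -rf "$d"
}

# live: the same check on this IPA server (root for the keytabs, an admin
# Kerberos ticket for `ipa trust-find`).
live() {
    d=$(mktemp -d) || return 1
    ipa trust-find > "$d/trust.txt"
    : > "$d/klist.txt"
    for kt in "$KEYTAB_DIR"/*.keytab; do
        if [ -f "$kt" ]; then klist -k "$kt" >> "$d/klist.txt"; fi
    done
    stale_realms "$d/trust.txt" "$d/klist.txt"
    rm -rf "$d"
}

case "${1:-}" in
    demo) demo ;;
    live) live ;;
esac
```

Run `sh stale_trust.sh demo` to see the two cases on the constructed data, or `sh stale_trust.sh live` on the IPA master itself. A realm printed by the live run is a realm SSSD can still authenticate to; removing that keytab (and the trust on the AD side, as Sumit asks) is what stops the entries from reappearing under cn=compat.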