On Thu, 19 Oct 2017, Bart J via FreeIPA-users wrote:
Hi all,
I set up an instance of FreeIPA server and established trust with AD
domain. I configured AD users and they can successfully log in to the
web UI. Then, I set up a replica. Although the trust is visible for
that instance both in the web UI and CLI, AD users cannot log in to it,
nor can I execute su - for them. Upon unsuccessful login I get this
error message from web UI:
Runtime error
Web UI got in unrecoverable state during "profile" phase.
You need to show more logs. In particular, /var/log/httpd/error_log
would say what was wrong with a request to it.
Also, is this replica running as a trust agent or a trust controller? Did
you explicitly configure it to do so via ipa-adtrust-install? By
default, if you didn't use 'ipa-adtrust-install --add-agents' on an
existing trust controller, your other replicas aren't trust agents. If
you didn't run 'ipa-adtrust-install' on those replicas, they aren't
trust controllers either.
Technical details:
Cannot read property 'cn' of undefined
TypeError: Cannot read property 'cn' of undefined
at Object.update_logged_in (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:18183)
at Object.choose_profile (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:16656)
at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:1190)
at https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3478
at Object.forEach (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:29752)
at Object._run_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3442)
at Object.next_phase (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3904)
at Object.<anonymous> (https://idm2.ipa.domain.com/ipa/ui/js/freeipa/app.js?40503:1:3631)
at c (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:60960)
at Object.then.t.then (https://idm2.ipa.domain.com/ipa/ui/js/dojo/dojo.js?v=40503:1:62246)
When I try to verify trust on the replica server, it behaves exactly as
described in the documentation:
[root@idm2 ~]# kinit testu...@domain.com
Password for testu...@domain.com:
[root@idm2 ~]# kvno -S host idm2.ipa.domain.com
host/idm2.ipa.domain....@ipa.domain.com: kvno = 1
[root@idm2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kwhpOWN
Default principal: testu...@domain.com
Valid starting       Expires              Service principal
10/19/2017 08:35:05  10/19/2017 18:34:55  host/idm2.ipa.domain....@ipa.domain.com
        renew until 10/20/2017 08:34:49
10/19/2017 08:35:05  10/19/2017 18:34:55  krbtgt/ipa.domain.com....@domain.com
        renew until 10/20/2017 08:34:49
10/19/2017 08:34:55  10/19/2017 18:34:55  krbtgt/domain....@domain.com
        renew until 10/20/2017 08:34:49
What's more, FreeIPA can't seem to find testuser for idm2 host:
[root@idm2 ~]# su - testu...@domain.com
su: user testu...@domain.com does not exist
Whereas this works for idm1 - primary FreeIPA server.
Can you please advise on how to solve it?
Many thanks,
Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
--
/ Alexander Bokovoy
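Added diagnostic helper for the situation discussed in this thread (an AD trust user who can log in on idm1 but not on the replica idm2). It is not code from the thread or from the FreeIPA project. It assumes FreeIPA 4.5 or later, where 'ipa server-role-find' exists, and a valid admin Kerberos ticket on the host it runs on; the output layout that role_status parses ("Server name:", "Role name:", "Role status:" blocks) is a constructed sample of that command's output, and the host and user names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumes FreeIPA >= 4.5 for
# 'ipa server-role-find' and an admin Kerberos ticket on this host.

# role_status HOST ROLE: read 'ipa server-role-find' output on stdin and print
# the status of ROLE on HOST (e.g. enabled/configured/absent), or "unknown"
# when HOST is not listed. Kept separate so it can be run on captured output.
role_status() {
  awk -v host="$1" -v role="$2" '
    /Server name:/ { cur = $3 }
    /Role name:/   { sub(/^ *Role name: /, ""); r = $0 }
    /Role status:/ { if (cur == host && r == role) { print $3; found = 1 } }
    END            { if (!found) print "unknown" }'
}

# diagnose_replica REPLICA_FQDN [AD_USER]: report whether the replica is a
# trust controller and/or a trust agent, whether the AD user resolves through
# SSSD (the lookup 'su -' depends on), and show the tail of the Apache error
# log where the Web UI request failure is recorded.
diagnose_replica() {
  replica=$1
  aduser=${2:-}
  for role in "AD trust controller" "AD trust agent"; do
    status=$(ipa server-role-find --role "$role" | role_status "$replica" "$role")
    printf '%-21s %s\n' "$role:" "$status"
    if [ "$role" = "AD trust agent" ] && [ "$status" != "enabled" ]; then
      echo "  -> not a trust agent; on an existing trust controller run:"
      echo "     ipa-adtrust-install --add-agents"
    fi
  done
  if [ -n "$aduser" ]; then
    if getent passwd "$aduser" >/dev/null 2>&1; then
      echo "getent passwd $aduser: resolved"
    else
      echo "getent passwd $aduser: not found (the same lookup 'su -' fails on)"
    fi
  fi
  echo "--- last 20 lines of /var/log/httpd/error_log ---"
  tail -n 20 /var/log/httpd/error_log
}

# Usage: sh diagnose_replica.sh idm2.ipa.domain.com testuser@domain.com
if [ "$#" -ge 1 ]; then
  diagnose_replica "$1" "${2:-}"
fi
```

Run it on the replica that fails; an "absent" trust-agent status on idm2 next to "enabled" on idm1 is the configuration gap the reply above describes, and the getent line shows whether SSSD on that host can resolve the AD user at all, independent of the Web UI.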