Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users
On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> hmmm
> It suddenly started to work. Weird.
>
> On both servers I changed dns_lookup_realm = true (was false)
> stopped sssd and cleared the sssd cache
> rm /var/lib/sss/db/*
> started sssd and it works now

It's hard to tell w/o logs, but sssd re-fetches the keytab it uses to
establish the connection to the AD DCs on sssd restart (we implemented
this precisely so that admins have a known point -- sssd restart) when
things go wrong. Maybe sssd just picked the trust keytab only after
restart, not sure..

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users
hmmm
It suddenly started to work. Weird.

On both servers I changed dns_lookup_realm = true (was false)
stopped sssd and cleared the sssd cache
rm /var/lib/sss/db/*
started sssd and it works now

But I find it hard to believe that was the cause.
Is there a cache involved somewhere?

Rob Verduijn

2016-01-28 13:26 GMT+01:00 Rob Verduijn:
> Hello,
>
> I've set up an ipa-server with a one-way trust to a windows 2012r2
> controller.
> All works on this server.
> I can login with ad accounts on this server.
>
> I added an ipa replica, and checked it all worked.
>
> Now I tried
> ipa-trust-add --add-agents on the first ipa server.
> restarted ipa on both servers
>
> but this did not help
> then i did a
> ipa-adtrust-install on the second ipa server
> and a ipa trust-add --type=ad windows.domain
>
> all dns queries from the docs work
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration
>
> I get both ipa servers returned in the queries.
> On the windows server and the ipa server.
>
> On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
> and get an answer
> On the second I get : unknown user
>
> What could be the cause of this, why does the second server not do
> ad-authentication ?
>
> Rob Verduijn
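The sequence Rob describes (set dns_lookup_realm = true, stop sssd, drop its cache, start sssd, then check that an AD user resolves) as a script. This is an added example, not code from the thread or from the FreeIPA/SSSD projects. Assumptions: the option is edited in the [libdefaults] section of /etc/krb5.conf (Rob does not say which file he changed), sssd is managed by systemd, and the AD user to verify is passed on the command line. The config editor and the check function are kept separate from the destructive steps so they can be exercised on a copy of the file first.

```shell
#!/bin/sh
# Added example (not from the thread). Applies the steps from Rob's message:
#  1. dns_lookup_realm = true in [libdefaults] of /etc/krb5.conf (assumed file)
#  2. stop sssd, remove /var/lib/sss/db/*, start sssd
#  3. check that an AD user now resolves through sssd.
# Run as:  sh fix-trust.sh apply 'WINDOWS.DOMAIN\ad-user'

# set_libdefault FILE KEY VALUE
# Set "KEY = VALUE" inside the [libdefaults] section of a krb5.conf-style
# file. An existing line for KEY in that section is replaced; otherwise the
# line is inserted before the next section header (or appended, creating the
# section if it is missing). The file is rewritten in place through a temp
# copy so ownership and mode of FILE are preserved.
set_libdefault() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        /^\[/ {                                   # a section header
            if (insec && !done) { print " " key " = " value; done = 1 }
            insec = ($0 == "[libdefaults]")
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { # existing line: replace
            print " " key " = " value; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[libdefaults]"
                print " " key " = " value
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_libdefault FILE KEY: print the value of KEY from [libdefaults], if any.
get_libdefault() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[libdefaults]") }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# reset_sssd: the restart sequence from the thread. Removing /var/lib/sss/db/*
# throws away every cached entry, including cached credentials used for
# offline logins; the restart is what makes sssd re-fetch the trust keytab
# from the IPA master it runs on.
reset_sssd() {
    systemctl stop sssd &&
    rm -f /var/lib/sss/db/* &&
    systemctl start sssd
}

# check_ad_user 'WINDOWS.DOMAIN\ad-user': returns 0 if NSS resolves the user.
check_ad_user() {
    id -- "$1" >/dev/null 2>&1
}

# main USER: apply the config change, restart sssd, report the result.
main() {
    set_libdefault /etc/krb5.conf dns_lookup_realm true || exit 1
    reset_sssd || exit 1
    if check_ad_user "$1"; then
        echo "ok: $1 resolves"
    else
        echo "FAIL: $1 does not resolve" >&2
        exit 1
    fi
}

# Only touch the system when explicitly asked; sourcing the file or running
# it without arguments just defines the functions.
case "${1-}" in
    apply) main "${2:?AD user required, e.g. WINDOWS.DOMAIN\\ad-user}" ;;
esac
```

If dropping cached credentials is not acceptable, `sss_cache -E` invalidates all cached entries without deleting the cache files; the restart is still needed for the keytab re-fetch Jakub describes. Run `get_libdefault /etc/krb5.conf dns_lookup_realm` afterwards on both masters to confirm they actually agree.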
Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users
On Thu, Jan 28, 2016 at 03:36:04PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> > hmmm
> > It suddenly started to work. Weird.
> >
> > On both servers I changed dns_lookup_realm = true (was false)
> > stopped sssd and cleared the sssd cache
> > rm /var/lib/sss/db/*
> > started sssd and it works now
>
> It's hard to tell w/o logs, but sssd re-fetches the keytab it uses to
> establish the connection to the AD DCs on sssd restart (we implemented
> this precisely so that admins have a known point -- sssd restart) when
> things go wrong. Maybe sssd just picked the trust keytab only after

oops, sorry, wrong parens. sssd always re-fetches the keytab from the IPA
master it's running on, not only when things go wrong. The sssd restart is
just a way for the admin to trigger this.

> restart, not sure..