Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Jakub Hrozek
On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> hmmm
> It suddenly started to work. Weird.
> 
> On both servers I changed dns_lookup_realm = true (was false)
> stopped sssd and cleared the sssd cache
> rm /var/lib/sss/db/*
> started sssd and it works now

it's hard to tell w/o logs but the sssd re-fetches the keytab it uses to
establish the connection to the AD DCs on sssd restart (we implemented
this precisely so that admins have a known point -- sssd restart) when
things go wrong. Maybe sssd just picked the trust keytab only after
restart, not sure..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Rob Verduijn
hmmm
It suddenly started to work. Weird.

On both servers I changed dns_lookup_realm = true (was false)
stopped sssd and cleared the sssd cache
rm /var/lib/sss/db/*
started sssd and it works now

But I find it hard to believe that was the cause.
Is there a cache involved somewhere ?

Rob Verduijn

2016-01-28 13:26 GMT+01:00 Rob Verduijn :
> Hello,
>
> I've set up an ipa-server with an one way trust to a windows 2012r2 
> controller.
> All works on this server.
> I can login with ad accounts on this server.
>
> I added an ipa replica, and checked it all worked.
>
> Now I tried
> ipa-trust-add --add-agents on the first ipa server.
> restarted ipa on both servers
>
> but this did not help
> then I did a
> ipa-adtrust-install on the second ipa server
> and an ipa trust-add --type=ad windows.domain
>
> all dns queries from the docs work
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration
>
> I get both ipa servers returned in the queries.
> On the windows server and the ipa server.
>
> On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
> and get an answer
> On the second I get : unknown user
>
> What could be the cause of this, why does the second server not do
> ad-authentication ?
>
> Rob Verduijn

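The procedure above (flip dns_lookup_realm, stop sssd, drop the cache under /var/lib/sss/db, start sssd) as a small POSIX shell helper. This is an added example written for this page, not code from the thread or from the FreeIPA/SSSD projects. It assumes the dns_lookup_realm setting Rob changed is the MIT krb5 [libdefaults] option, which on IPA servers lives in /etc/krb5.conf (the file path is a parameter so it can be run against a copy), that sssd is managed by systemd, and it moves the cache files aside instead of deleting them so they can still be inspected afterwards. SSSD_DRY_RUN and the krb5_libdefault / sssd_clear_cache_and_restart names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dns_lookup_realm is the MIT krb5
# [libdefaults] option (IPA writes it to /etc/krb5.conf) and that sssd runs
# under systemd. Paths are parameters so the helpers can be exercised on a
# constructed copy of the config and cache directory.

# Print the value of KEY from the [libdefaults] section of a krb5.conf-style
# file, or "unset" when the section does not define it. Comment lines (# or ;)
# are skipped, whitespace around "=" is ignored, the first occurrence wins.
krb5_libdefault() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                # section header
            in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults]/)
            next
        }
        in_libdefaults && !found {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, kv, "=")
            k = kv[1]; sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = line
                sub(/^[^=]*=[[:space:]]*/, "", v)           # drop "key ="
                sub(/[[:space:]]+$/, "", v)                 # trailing blanks
                print v
                found = 1
            }
        }
        END { if (!found) print "unset" }
    ' "$conf"
}

# Return 0 when dns_lookup_realm is enabled in the given krb5.conf
# (libkrb5 accepts the usual boolean spellings, compared case-insensitively).
krb5_dns_lookup_realm_enabled() {
    case "$(krb5_libdefault "$1" dns_lookup_realm | tr '[:upper:]' '[:lower:]')" in
        true|yes|on|1|t|y) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command, or only print it when SSSD_DRY_RUN is set (assumed env var).
run() {
    if [ -n "$SSSD_DRY_RUN" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The sequence from the thread: stop sssd, clear /var/lib/sss/db, start sssd.
# The cache files are moved to a timestamped sibling directory rather than
# removed, so a broken cache can still be examined after the restart.
sssd_clear_cache_and_restart() {
    cache_dir="${1:-/var/lib/sss/db}"
    backup="${cache_dir}.bak.$(date +%Y%m%d%H%M%S)"
    run systemctl stop sssd || return 1
    run mkdir -p "$backup" || return 1
    for f in "$cache_dir"/*; do
        if [ -e "$f" ]; then run mv "$f" "$backup"/ || return 1; fi
    done
    run systemctl start sssd
}
```

Check the setting first with `krb5_dns_lookup_realm_enabled /etc/krb5.conf`, then run `SSSD_DRY_RUN=1 sssd_clear_cache_and_restart` to see what would happen before doing it for real. Note that `sss_cache -E` expires all cached entries without stopping sssd, but it does not remove the database files the way the rm in the thread did.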


Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

2016-01-28 Thread Jakub Hrozek
On Thu, Jan 28, 2016 at 03:36:04PM +0100, Jakub Hrozek wrote:
> On Thu, Jan 28, 2016 at 02:39:47PM +0100, Rob Verduijn wrote:
> > hmmm
> > It suddenly started to work. Weird.
> > 
> > On both servers I changed dns_lookup_realm = true (was false)
> > stopped sssd and cleared the sssd cache
> > rm /var/lib/sss/db/*
> > started sssd and it works now
> 
> it's hard to tell w/o logs but the sssd re-fetches the keytab it uses to
> establish the connection to the AD DCs on sssd restart (we implemented
> this precisely so that admins have a known point -- sssd restart) when
> things go wrong. Maybe sssd just picked the trust keytab only after

oops, sorry, wrong parens. sssd always re-fetches the keytab from the IPA
master it's running on, not only when things go wrong. The sssd restart
is just a way for the admin to trigger this.

> restart, not sure..
