Hi All, We are trying to get to the bottom of an issue with a (single instance) IPA server in a trust relationship with AD. IPA will (intermittently) fail to resolve all of a user’s groups.
The IPA domain is ‘unix.domain.com’ and the AD domain is ‘domain.com’. Having been through the logs for clues as to why this is happening, one error that stands out is this one:

(Sun Aug 2 03:20:03 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.com as inactive

This error is present in the log on the IPA server many, many thousands of times. The output of ‘sssctl domain-status domain.com’ on the IPA server also seems to see AD as being offline:

root@vmpr-linuxidm:~# ==> sssctl domain-status domain.com
Online status: Offline

Active servers:
AD Global Catalog: papr-dc1.domain.com
AD Domain Controller: papr-dc1.domain.com
IPA: vmpr-linuxidm.unix.domain.com

Discovered AD Global Catalog servers:
- vmpr-fac-dc2.facility.domain.com
- papr-dc1.domain.com
- papr-dc3.domain.com
- vmpr-fac-dc1.facility.domain.com
- papr-dc2.domain.com
- azspr-dc1.domain.com
- stpr-dc1.domain.com
- stpr-dc2.domain.com
- papr-dc4.domain.com

Discovered AD Domain Controller servers:
- papr-dc1.domain.com
- papr-dc2.domain.com
- papr-dc3.domain.com
- papr-dc4.domain.com
- azspr-dc1.domain.com
- stpr-dc2.domain.com
- stpr-dc1.domain.com

Discovered IPA servers:
- vmpr-linuxidm.unix.domain.com

I don’t know whether this error is related to the symptom we’re seeing with the groups, but it seems like an obvious problem that we should endeavour to fix as a first step. If AD were truly ‘offline’, then I’d expect NO resolution of trust users/groups to occur at all, but that’s not the case. Can anyone provide some pointers to help debug why IPA would think the AD domain is offline?

Regards,
Robert.
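As an added example (not part of the original post or of sssd itself), a small Python script that parses sssd domain-log lines in the format quoted above and counts be_mark_subdom_offline events per subdomain and per hour, so that bursts of "Marking subdomain ... as inactive" can be lined up against the times users reported missing groups. The sample log lines are constructed, and the function name constructed_other_function is a placeholder, not a real sssd function.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sssd domain-log prefix quoted in the post. In the real log the
# day of month is space-padded ("Aug  2"), so allow flexible whitespace there.
LINE_RE = re.compile(
    r"^\(\w{3} (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<year>\d{4})\) "
    r"\[sssd\[be\[(?P<backend>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
OFFLINE_RE = re.compile(r"^Marking subdomain (?P<subdomain>\S+) as inactive$")


def parse_line(line):
    """Parse one sssd domain-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = f"{m['mon']} {m['day']} {m['time']} {m['year']}"
    return {
        "time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y"),
        "backend": m["backend"],
        "func": m["func"],
        "level": m["level"],
        "msg": m["msg"],
    }


def summarize_offline_events(log_text):
    """Count be_mark_subdom_offline events per subdomain and per hour.

    Returns {subdomain: {"total": n, "per_hour": {"YYYY-MM-DD HH": n}}}.
    """
    summary = defaultdict(lambda: {"total": 0, "per_hour": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "be_mark_subdom_offline":
            continue
        om = OFFLINE_RE.match(rec["msg"])
        if om is None:
            continue
        entry = summary[om["subdomain"]]
        entry["total"] += 1
        entry["per_hour"][rec["time"].strftime("%Y-%m-%d %H")] += 1
    return {k: {"total": v["total"], "per_hour": dict(v["per_hour"])} for k, v in summary.items()}


# Constructed sample lines in the same format as the one quoted in the post.
SAMPLE_LOG = """\
(Sun Aug  2 03:20:03 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.com as inactive
(Sun Aug  2 03:20:03 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.com as inactive
(Sun Aug  2 03:21:10 2020) [sssd[be[unix.domain.com]]] [constructed_other_function] (0x0400): unrelated message
(Sun Aug  2 04:05:44 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.com as inactive
"""

if __name__ == "__main__":
    for sub, info in summarize_offline_events(SAMPLE_LOG).items():
        print(sub, info["total"], sorted(info["per_hour"].items()))
```

Run it against the real file with something like `summarize_offline_events(open("/var/log/sssd/sssd_unix.domain.com.log").read())`; a steady rate of events suggests the subdomain is flapping between online and offline rather than being down outright.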
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org