Hi, the only replica cannot retrieve AD trust users (one-way trust). The trust 
agent had been installed on this replica.
I noticed this issue since clients that point to the replica started failing to 
authenticate users. This replica worked OK before.
All functions and syncs work except for the AD user lookup. Overrides are synced 
over, but the replica cannot find the user. 

Can't get it fixed. Is this repairable? Can I uninstall the replica and 
reinstall?

[root@idm01 ~]# ipa server-role-find
-----------------------
10 server roles matched
-----------------------
  Server name: idm01.linux.redacted.domain
  Role name: AD trust agent
  Role status: enabled

  Server name: idm02.linux.redacted.domain
  Role name: AD trust agent
  Role status: enabled

  Server name: idm01.linux.redacted.domain
  Role name: AD trust controller
  Role status: enabled

  Server name: idm02.linux.redacted.domain
  Role name: AD trust controller
  Role status: enabled

<...>

On the main server, the AD user can be looked up. On the "replica" it returns 
empty.

Working on the main server:
[root@idm01 ~]# getent passwd testuser@subdoma.redacted.domain
testuser@subdomA.redacted.domain:*:683005154:683005154:CHANGED:/home/testuser:/usr/bin/bash



Checking the sssd_domain.log of the replica, I see the message that the domain 
is not active while fetching the AD user. Further in the same log there is mention 
of another subdomain being inactive. 
The trust is with an AD forest with 2 subdomains. 
-----
(2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
   *  ... skipping repetitive backtrace ...

<...>

(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve primary servers [1432158238]: SRV lookup error
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolve_srv_done] (0x0040): [RID#33] Unable to resolve SRV [1432158238]: SRV lookup error
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_resolve_server_done] (0x1000): [RID#33] Server [NULL] resolution failed: [5]: Input/output error
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x0400): [RID#33] Failed to connect to server, but ignore mark offline is enabled.
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x4000): [RID#33] notify error to op #1: 5 [Input/output error]
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain offline
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** BACKTRACE DUMP ENDS HERE *********************************

There are no replication issues:
----
[root@idm01 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication
[
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "4a5341db-bf65-4350-bf2c-c81872db536b",
    "when": "20240425145134Z",
    "duration": "0.391402",
    "kw": {
      "key": "DSREPLLE0002",
      "items": [
        "Replication",
        "Conflict Entries"
      ],
      "msg": "There were 1 conflict entries found under the replication suffix \"dc=linux,dc=redacted,dc=domain\"."
    }
  }
]

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
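The log excerpt in the post shows the chain an admin has to untangle on the replica: an SRV query fails ("Could not contact DNS servers"), SSSD marks the AD subdomain inactive, and every subsequent AD user lookup fails with "Subdomain is inactive". The following shell triage helper is an added example, not part of the original post and not code from FreeIPA or SSSD. It pulls the subdomains SSSD marked inactive out of an sssd domain log, counts the DNS-contact failures, and then checks the SRV records the replica's resolver should be able to answer for each affected subdomain. The sample log is constructed from the excerpt in the post; the list of SRV names to query is my assumption of what to check first, not a description of SSSD's internal server discovery.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Run it on the affected
# IPA replica; point it at /var/log/sssd/sssd_<ipa-domain>.log instead of the
# constructed sample below when using it for real.

# Constructed sample log, modelled on the excerpt in the post (real SSSD log
# lines are not wrapped the way the mail client wrapped them).
SAMPLE_LOG="${TMPDIR:-/tmp}/sssd_triage_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain offline
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
(2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
EOF

# Print each subdomain that SSSD marked inactive, once per subdomain.
inactive_subdomains() {
    sed -n 's/.*\[be_mark_subdom_offline\].*Marking subdomain \([^ ]*\) as inactive.*/\1/p' "$1" | sort -u
}

# Count SRV lookups that failed because no DNS server could be reached; this
# is the failure that precedes the "inactive" marking in the post's log.
dns_failures() {
    grep -c 'SRV query failed.*Could not contact DNS servers' "$1" || true
}

# SRV records the replica should be able to resolve for an AD subdomain.
# ASSUMPTION: these three are the ones I check first; SSSD's own discovery
# logic may query other (site-specific) names as well.
srv_records_for() {
    dom="$1"
    printf '_ldap._tcp.%s\n_kerberos._tcp.%s\n_ldap._tcp.dc._msdcs.%s\n' "$dom" "$dom" "$dom"
}

# Live check with dig, using the resolver from /etc/resolv.conf on this host.
# Skipped when dig is not installed, so the script still runs offline.
check_srv() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed, skipping live SRV checks"; return 0; }
    srv_records_for "$1" | while read -r rr; do
        if dig +short +time=2 +tries=1 SRV "$rr" | grep -q .; then
            echo "OK   $rr"
        else
            echo "FAIL $rr (no SRV answer from the configured resolver)"
        fi
    done
}

for d in $(inactive_subdomains "$SAMPLE_LOG"); do
    echo "subdomain marked inactive: $d ($(dns_failures "$SAMPLE_LOG") DNS-contact failure(s) logged)"
    check_srv "$d"
done
```

If every record comes back FAIL while the same queries succeed on the main server, the problem is the replica's DNS path to the AD forest (forwarders, resolv.conf, firewall) rather than replication, which matches the post's observation that everything else syncs fine.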
