Hi, the only replica cannot retrieve AD trust users (one-way trust). The trust agent has been installed on this replica. I noticed this issue since clients that point to the replica started to fail authenticating users. This replica worked OK before. All functions and syncs work except for the AD user lookup: overrides are synced over, but the replica cannot find the user.
Can't get it fixed. Is this repairable? Can I uninstall the replica and reinstall?

[root@idm01 ~]# ipa server-role-find
-----------------------
10 server roles matched
-----------------------
  Server name: idm01.linux.redacted.domain
  Role name: AD trust agent
  Role status: enabled

  Server name: idm02.linux.redacted.domain
  Role name: AD trust agent
  Role status: enabled

  Server name: idm01.linux.redacted.domain
  Role name: AD trust controller
  Role status: enabled

  Server name: idm02.linux.redacted.domain
  Role name: AD trust controller
  Role status: enabled
<...>

On the main server, the AD user can be looked up. On the "replica" it returns empty.

Working on the main server:
[root@idm01 ~]# getent passwd testuser@subdoma.redacted.domain
testuser@subdomA.redacted.domain:*:683005154:683005154:CHANGED:/home/testuser:/usr/bin/bash

Checking the sssd_domain.log of the replica, I see the message that the domain is not active while fetching the AD user. Further on in the same log there's mention of another subdomain being inactive. The trust is with an AD forest with 2 subdomains.
-----
(2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
   *  ... skipping repetitive backtrace ...
<...>
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve primary servers [1432158238]: SRV lookup error
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolve_srv_done] (0x0040): [RID#33] Unable to resolve SRV [1432158238]: SRV lookup error
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
   *  ... skipping repetitive backtrace ...
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_resolve_server_done] (0x1000): [RID#33] Server [NULL] resolution failed: [5]: Input/output error
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x0400): [RID#33] Failed to connect to server, but ignore mark offline is enabled.
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [sdap_id_op_connect_done] (0x4000): [RID#33] notify error to op #1: 5 [Input/output error]
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_dom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain offline
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
   *  (2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
********************** BACKTRACE DUMP ENDS HERE *********************************

There are no replication issues:
----
[root@idm01 ~]# ipa-healthcheck --source=ipahealthcheck.ds.replication
[
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "4a5341db-bf65-4350-bf2c-c81872db536b",
    "when": "20240425145134Z",
    "duration": "0.391402",
    "kw": {
      "key": "DSREPLLE0002",
      "items": [
        "Replication",
        "Conflict Entries"
      ],
      "msg": "There were 1 conflict entries found under the replication suffix \"dc=linux,dc=redacted,dc=domain\"."
    }
  }
]
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
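An added example, not from the post or from FreeIPA/SSSD, that triages the sssd domain log lines shown above: it groups lines by request id (RID), picks out the DNS/SRV failure that led to the subdomain being marked inactive, and flags later requests that only show the "Subdomain is inactive" symptom because the offline state was set by an earlier request. The sample log is constructed from the post, and ROOT_CAUSE_FUNCS is an assumption about which SSSD backend functions report the underlying failure.

```python
import re

# Constructed sample in the layout of the replica's sssd_<domain>.log from the post.
SAMPLE_LOG = """\
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [resolv_discover_srv_done] (0x0040): [RID#33] SRV query failed [11]: Could not contact DNS servers
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_discover_servers_primary_done] (0x0040): [RID#33] Unable to retrieve primary servers [1432158238]: SRV lookup error
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [fo_resolve_service_send] (0x0020): [RID#33] No available servers for service 'sd_SUBDOMB.redacted.domain'
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [be_mark_subdom_offline] (0x1000): [RID#33] Marking subdomain SUBDOMB.redacted.domain as inactive
(2024-04-25 16:39:44): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#33] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
(2024-04-25 16:40:11): [be[linux.redacted.domain]] [ipa_srv_ad_acct_lookup_done] (0x0040): [RID#34] ipa_get_*_acct request failed: [1432158277]: Subdomain is inactive.
"""

# One SSSD backend log line: (timestamp): [be[domain]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[be\[(?P<be>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
# Assumed set of functions whose failure message explains *why* a subdomain went inactive.
ROOT_CAUSE_FUNCS = {"resolv_discover_srv_done", "fo_discover_servers_primary_done",
                    "resolve_srv_done", "fo_resolve_service_send", "be_resolve_server_done"}
INACTIVE_RE = re.compile(r"Marking subdomain (\S+) as inactive")


def parse(log_text):
    """Return one dict per line that matches the SSSD backend log layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["rid"] = int(ev["rid"])
            events.append(ev)
    return events


def triage(log_text):
    """Per RID: first root-cause message, subdomain it marked inactive, and whether the
    account lookup failed. A failed lookup with no root cause inherited the inactive
    state from an earlier RID, so that earlier request is the one to read."""
    report = {}
    for ev in parse(log_text):
        r = report.setdefault(ev["rid"], {"ts": ev["ts"], "root_cause": None,
                                           "marked_inactive": None, "lookup_failed": False})
        if ev["func"] in ROOT_CAUSE_FUNCS and r["root_cause"] is None:
            r["root_cause"] = ev["msg"]
        m = INACTIVE_RE.search(ev["msg"])
        if m:
            r["marked_inactive"] = m.group(1)
        if "Subdomain is inactive" in ev["msg"]:
            r["lookup_failed"] = True
    return report
```

Run `triage(SAMPLE_LOG)` (or feed it the real log text): RID#33 reports the DNS SRV failure and the subdomain it took offline, while RID#34 shows only the symptom, which is why fixing DNS resolution for the subdomain's SRV records from the replica is the thing to verify before considering a reinstall.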