> The most likely reason for 'Protocol error' is that the server this client is
> connected to does not support the special LDAP extended operation used by
> SSSD on IPA clients to get the data for users and groups from trusted
> domains. And the most likely reason for this is that ipa-adtrust-install is not
> run on that server. Please note that while 'ipa trust-add ...' must be only run
> once on one of the IPA servers, ipa-adtrust-install must be run on all, e.g. to
> enable the LDAP extended operation mentioned above.
>
> You can check if the exop is enabled on the servers by running
>
> ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.3.8.10.4
>
> on each server. You should see 1, for RHEL-7.1 even 2 lines of output.
You are correct; I had not run ipa-adtrust-install on the replica servers. I have done that, and now the ldapsearch command works correctly and the "Protocol error" statement is gone from the logs.

But there was something else going on and users still could not log in to the client. The log files indicated that there was a permissions problem with /tmp. I changed it to root:root 777, and now logins are working.

Thanks!

David Guertin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
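The rootDSE check quoted above (ldapsearch against each server, grep for the OID 2.16.840.1.113730.3.8.10.4) is easy to forget on one replica. The script below is an added example written for this thread, not code from the original messages or from the FreeIPA project: it wraps that same one-liner so it can be run against a list of servers at once and reports which of them still need ipa-adtrust-install. The parsing is exercised against a constructed rootDSE fragment embedded in the script; the server names passed on the command line, and the expectation of 1 or 2 matching lines, are assumptions taken from the thread rather than anything verified here.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): verify that every
# IPA server advertises the extended operation SSSD uses for trusted-domain
# lookups, so a client pointed at any replica does not get 'Protocol error'.

# OID quoted in the thread for the SSSD trusted-domain extended operation.
EXOP_OID='2.16.840.1.113730.3.8.10.4'

# Constructed rootDSE fragment for offline testing (not captured from a real
# server). The Who-am-I exop line is there only as an unrelated neighbour.
SAMPLE_ROOTDSE_OK='dn:
objectClass: top
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 2.16.840.1.113730.3.8.10.4
namingContexts: dc=example,dc=com'

# Same shape, but from a server where ipa-adtrust-install was never run.
SAMPLE_ROOTDSE_MISSING='dn:
objectClass: top
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
namingContexts: dc=example,dc=com'

# count_exop_lines: read rootDSE LDIF on stdin, print how many lines mention
# the OID. This is exactly the grep from the thread, minus the exit status
# quirk of grep -c (it exits 1 on zero matches, which would trip set -e).
count_exop_lines() {
    n=$(grep -c -- "$EXOP_OID" || true)
    echo "$n"
}

# exop_verdict HOST COUNT: print a one-line status. The thread says to expect
# 1 line, or 2 on RHEL 7.1; anything else is reported so it can be looked at.
exop_verdict() {
    host="$1"
    count="$2"
    case "$count" in
        1|2) echo "$host: OK ($count matching line(s))" ;;
        0)   echo "$host: MISSING - run ipa-adtrust-install on this server" ;;
        *)   echo "$host: UNEXPECTED ($count matching lines, check manually)" ;;
    esac
}

# check_server HOST: query the rootDSE anonymously, as in the thread, and
# report. ldapsearch failures (server down, no tool) count as 0 so they are
# surfaced rather than silently skipped.
check_server() {
    host="$1"
    count=$(ldapsearch -h "$host" -x -b '' -s base 2>/dev/null | count_exop_lines)
    exop_verdict "$host" "$count"
}

# Usage: ./check_exop.sh ipa1.example.com ipa2.example.com ...
# (hostnames are assumed; run it once with every IPA server, not just the
# one ipa trust-add was executed on)
if [ "$#" -gt 0 ]; then
    for srv in "$@"; do
        check_server "$srv"
    done
fi
```

Run it from any host that can reach port 389 on all servers; a server reported as MISSING is one where the trust extended operation is not enabled, which is the case the quoted reply attributes to ipa-adtrust-install not having been run there.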