On Fri, Mar 27, 2015 at 05:16:20PM +0000, Guertin, David S. wrote:
> >The most likely reason for 'Protocol error' is that the server this client is
> >connected to does not support the special LDAP extended operation used by
> >SSSD on IPA clients to get the data for users and groups from trusted
> >domains. And the most likely reason for this is that ipa-adtrust-install is
> >not run on that server. Please note that while 'ipa trust-add ...' must be
> >only run once on one of the IPA servers, ipa-adtrust-install must be run on
> >all, e.g. to enable the LDAP extended operation mentioned above.
> >
> >You can check if the exop is enabled on the servers by running
> >
> >ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.3.8.10.4
> >
> >on each server. You should see 1, for RHEL-7.1 even 2 lines of output.
>
> You are correct; I had not run ipa-adtrust-install on the replica servers. I
> have done that, and now the ldapsearch command works correctly and the
> "Protocol error" statement is gone from the logs. But there was something
> else going on and users still could not log in to the client.
>
> The log files indicated that there was a permissions problem with /tmp. I
> changed it to root: root 777, and now logins are working. Thanks!
Thank you for the feedback. Please note that /tmp/ should be 1777 (sticky bit set) so that only owners can delete files.

bye,
Sumit

>
> David Guertin
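The two checks discussed in this thread, the rootDSE grep for the trust extended operation and the 1777 mode on /tmp, as an added shell script that is not part of the thread or of FreeIPA; the function names `trust_exop_lines`, `tmp_mode_ok` and `check_this_server` and the sample rootDSE text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: scripted versions of the two
# checks discussed above, meant to be run on each IPA server.
#  - trust_exop_lines: count the rootDSE lines advertising the IPA trust
#    extended operation OID (the ldapsearch | grep check, on text you pass in)
#  - tmp_mode_ok: confirm a directory is mode 1777 (world-writable + sticky),
#    which is what /tmp needs so that users can only delete their own files.
# Assumes a POSIX sh with ls, grep, cut, mktemp and chmod (GNU or BSD).

TRUST_EXOP_OID='2.16.840.1.113730.3.8.10.4'

# $1 = rootDSE text (output of: ldapsearch -h localhost -x -b '' -s base).
# Prints the number of lines mentioning the OID; 0 means the exop is missing,
# i.e. ipa-adtrust-install has most likely not been run on that server.
trust_exop_lines() {
    printf '%s\n' "$1" | grep -c -F "$TRUST_EXOP_OID" || true
}

# $1 = directory. Succeeds only when the mode string is drwxrwxrwt, i.e. 1777.
# A plain 777 directory (drwxrwxrwx) lets any user delete or rename files that
# other users created there, so it is rejected here.
tmp_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ "$perms" = "drwxrwxrwt" ]
}

# Constructed sample rootDSE fragments (not real server output): the first
# shows the two OID lines expected on RHEL 7.1, the second a server without it.
SAMPLE_ROOTDSE_WITH_TRUST='dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.4
supportedExtension: 2.16.840.1.113730.3.8.10.4.1'
SAMPLE_ROOTDSE_WITHOUT_TRUST='dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# Live check against this host: query the local LDAP server and inspect /tmp.
check_this_server() {
    rootdse=$(ldapsearch -h localhost -x -b '' -s base 2>/dev/null) || rootdse=''
    n=$(trust_exop_lines "$rootdse")
    echo "trust exop OID lines in rootDSE: $n (expect 1, or 2 on RHEL 7.1)"
    if tmp_mode_ok /tmp; then echo "/tmp mode OK (1777)"; else
        echo "/tmp is NOT 1777 - fix with: chmod 1777 /tmp"; fi
}

# Run as: sh check_ipa_server.sh check   (sourcing the file only defines functions)
if [ "${1:-}" = "check" ]; then check_this_server; fi
```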