On Fri, 2016-06-10 at 11:08 +0200, Sumit Bose wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap
> > catalog. I say weird cause there is no trust nor other sync established,
> > there was a trust agreement, one way type, but now 'trust-find' shows
> > nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap,
> > eg.
> >
> > dn: [email protected],cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
> >
> > and funny(?) thing is that these users do not get replicated to IPA
> > replicas.
>
> Did you remove the trust on the AD side as well? If not SSSD running on
> the IPA server might still have valid credentials in a keytab in
> /var/lib/sss/db and is able to read the user data from AD.

nope, no agreements left @AD, I tried:

$ sss_cache -E -d ad.domain

but it segfaulted:

[1316003.857780] sss_cache[31028]: segfault at 0 ip 00007fab730f434c sp 00007fffbf576c10 error 4 in libsss_util.so[7fab730c8000+68000]

so that would be sssd actually pulling and inserting these entries in IPA's ldap?

many thanks, L

> HTH
>
> bye,
> Sumit
>
> > many thanks,
> >
> > L
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
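
The reply quoted above points at leftover credentials in a keytab under /var/lib/sss/db. As an added example (not part of the thread and not SSSD or FreeIPA code), this Python script reads MIT keytab files (format 0x0502) in a directory and reports which ones still hold principals for a given realm; the function names, the realm AD.EXAMPLE and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, unix_timestamp)]; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            comps.append(comp.decode("utf-8", "replace"))
        _name_type, ts, kvno = struct.unpack_from(">IIB", rec, off)
        _key, off = _counted(rec, off + 9 + 2)   # skip 16-bit enctype, then the key
        if len(rec) - off >= 4:                  # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        principal = "/".join(comps) + "@" + realm.decode("utf-8", "replace")
        entries.append((principal, kvno, ts))
    return entries

def keytabs_for_realm(directory, realm):
    """Map each keytab file name in `directory` to its entries for `realm`."""
    hits, suffix = {}, "@" + realm.upper()
    for path in sorted(Path(directory).iterdir()):
        try:
            found = [e for e in parse_keytab(path.read_bytes()) if e[0].upper().endswith(suffix)]
        except (OSError, ValueError, struct.error):
            continue                       # directory, unreadable, not a keytab, or truncated
        if found:
            hits[path.name] = found
    return hits

# Constructed sample: one entry for IPA$@AD.EXAMPLE, kvno 3, dummy 4-byte key.
SAMPLE = (b"\x05\x02\x00\x00\x00\x25\x00\x01\x00\x0aAD.EXAMPLE\x00\x04IPA$"
          b"\x00\x00\x00\x01\x57\x5a\x80\x00\x03\x00\x12\x00\x04\x00\x00\x00\x00")
if __name__ == "__main__":
    print(parse_keytab(SAMPLE))
```

On the IPA server, `keytabs_for_realm("/var/lib/sss/db", "<AD realm>")` run as root returns an empty dict when no keytab for the removed trust remains in that directory.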
