Bug 2218102 - ipa trust-find shows 'Cannot connect to .... Exceeded number of tries to forward a request'. [NEEDINFO]
Summary: ipa trust-find shows 'Cannot connect to .... Exceeded number of tries to forw...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Windows_Integration_Guide
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Filip Hanzelka
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-06-28 07:17 UTC by Sudhir Menon
Modified: 2023-07-10 15:47 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
ftrivino: needinfo? (sumenon)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-161030 0 None None None 2023-06-28 07:20:07 UTC

Description Sudhir Menon 2023-06-28 07:17:12 UTC
Description of problem: ipa trust-find shows 'Cannot connect to .... Exceeded number of tries to forward a request'.

Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. ipa-replica-manage connect --winsync --passsync=password --cacert=/root/windows.cer root-dc.ad.test --binddn "cn=Administrator,cn=users,dc=ad,dc=test" --bindpw password -v -p password
2. ipa-replica-manage list
3. ipa trust-add --type=ad ad.test --admin 'Administrator' --password
4. ipa-winsync-migrate -U --realm ad.test --server root-dc.ad.test
5. ipa-replica-manage list root-dc.ad.test
6. ipa trust-find

Actual results:
1. Added CA certificate /root/windows.cer to certificate database for master.testrelm.test
ipa: INFO: AD Suffix is: DC=ad,DC=test
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm,dc=test
Adding Windows PassSync system account
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: False: status: Error (0) Replica acquired successfully: Incremental update started: start: 20230626110027: end: 20230626110027
ipa: INFO: Agreement is ready, starting replication . . .
ipa: WARNING: This configuration ("--winsync") may imply that the log file contains clear text passwords.
Please ensure that these files can be accessed only by trusted accounts.
Starting replication, please wait until this has completed.
Update succeeded
Connected 'master.testrelm.test' to 'root-dc.ad.test'

2. [root@master slapd-TESTRELM-TEST]# ipa-replica-manage list
master.testrelm.test: master
root-dc.ad.test: winsync

3. [root@master ~]# ipa trust-add --type=ad ad.test --admin 'Administrator' --password
Active Directory domain administrator's password:
------------------------------------------------
Added Active Directory trust for realm "ad.test"
------------------------------------------------
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2348683041-784792550-297300638
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
 
4. [root@master ~]# ipa-winsync-migrate -U --realm ad.test --server root-dc.ad.test
Migration completed. Please note that if PassSync was configured on the given Active Directory server, it needs to be manually removed, otherwise it may try to reset password for accounts that are no longer existent.
The ipa-winsync-migrate command was successful

5. [root@master ~]# ipa-replica-manage list
Directory Manager password:
master.testrelm.test: master
[root@master ~]# ipa-replica-manage list root-dc.ad.test
Directory Manager password:
Cannot find root-dc.ad.test in public server list

6. [root@master ~]# ipa trust-find
ipa: ERROR: cannot connect to 'https://master.testrelm.test/ipa/session/json': Exceeded number of tries to forward a request.

Expected results:
ipa trust-find should display the result rather than the error.

Additional info:

Comment 2 Florence Blanc-Renaud 2023-06-30 15:05:33 UTC
From the logs, we can see that ipa-winsync-migrate happens between 2023-06-21T08:59:09-0400 and 2023-06-21T08:59:16-0400. Directory server audit log shows that the admin user gets deleted during this time:

time: 20230621085913
dn: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test
result: 0
changetype: delete
modifiersname: cn=Directory Manager

ipa-winsync-migrate looks for the users that were mirrored from AD with a search equivalent to
ldapsearch -b cn=users,cn=accounts,$BASEDN "(&(objectclass=ntuser)(ntUserDomainId=*))"

For each of these users, it performs a list of operations: creates an ID override, migrates membership, etc., and finally deletes the user from the IPA server.

We need to understand why uid=admin is returned by the search with the ntuser filter (it should not). Maybe there is another user with the name "admin" on Windows and the sync added the objectclass?


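A preflight check for the migration step (step 4 of the reproducer and the search comment 2 attributes to ipa-winsync-migrate), added here as an example; it is not code from the bug report, from the reporter, or from FreeIPA. It runs the same ldapsearch filter the comment describes, prints every entry the migration would pick up, and refuses if any of them is a built-in IPA account such as uid=admin, because each match is deleted at the end of the migration. The base DN, the GSSAPI bind, the protected-uid list and the embedded LDIF sample are assumptions made for the example.

```shell
#!/bin/bash
# Preflight for ipa-winsync-migrate. Added example, not from the bug report or
# from FreeIPA: it reproduces the search comment 2 attributes to the tool and
# refuses to proceed if any matched entry is a built-in IPA account, because
# every match is deleted at the end of the migration.

# Live query (assumption: run on the IPA master with a valid Kerberos ticket,
# e.g. after "kinit admin"). "-o ldif-wrap=no" keeps each attribute on one
# line so the parser below does not have to unfold LDIF continuation lines.
winsync_candidates() {
  basedn="$1"
  ldapsearch -LLL -Y GSSAPI -o ldif-wrap=no \
    -b "cn=users,cn=accounts,$basedn" \
    "(&(objectclass=ntuser)(ntUserDomainId=*))" dn uid ntUserDomainId
}

# Read LDIF on stdin; print one "dn<TAB>ntUserDomainId<TAB>verdict" line per
# entry. $1 is a comma-separated list of uids that must never be migrated
# (default: admin). Exit status is 1 if any protected uid matched, else 0.
check_candidates() {
  protected="${1:-admin}"
  awk -v prot="$protected" '
    function emit() {
      verdict = (uid in P) ? "REFUSE" : "migrate"
      if (verdict == "REFUSE") bad = 1
      printf "%s\t%s\t%s\n", dn, sid, verdict
      dn = ""; uid = ""; sid = ""
    }
    BEGIN { bad = 0; n = split(prot, p, ","); for (i = 1; i <= n; i++) P[p[i]] = 1 }
    /^dn: /                               { if (dn != "") emit(); dn = substr($0, 5) }
    tolower($0) ~ /^uid: /                { uid = substr($0, 6) }
    tolower($0) ~ /^ntuserdomainid: /     { sid = substr($0, 17) }
    END                                   { if (dn != "") emit(); exit bad }
  '
}

# Live wrapper: run the migration only if the check passes.
# Usage: preflight_migrate dc=testrelm,dc=test --realm ad.test --server root-dc.ad.test
preflight_migrate() {
  basedn="$1"; shift
  winsync_candidates "$basedn" | check_candidates admin \
    && ipa-winsync-migrate "$@"
}

# Constructed LDIF in the shape ldapsearch -LLL would print (SIDs are made up):
# one genuine synced AD user and, as in the reported failure, the built-in
# admin entry carrying ntuser attributes.
SAMPLE_LDIF='dn: uid=aduser1,cn=users,cn=accounts,dc=testrelm,dc=test
uid: aduser1
ntUserDomainId: S-1-5-21-1-2-3-1105

dn: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test
uid: admin
ntUserDomainId: S-1-5-21-1-2-3-500
'

# Offline demonstration on the constructed sample: prints both entries and
# fails the check because uid=admin is among the matches.
printf '%s' "$SAMPLE_LDIF" | check_candidates admin \
  || echo "preflight failed: a built-in IPA account matches the winsync filter" >&2
```

On a live master the check is meant to run before ipa-winsync-migrate, not after it; once the tool has finished, the only confirmation left is that `ipa user-show admin` still succeeds. Any extra uids that must survive the migration can be passed to check_candidates as a comma-separated list.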