Hello,
We have 2 domains with a trust both ways and normally the authentication works correctly whether we have a user from domain1 or from domain2. However, sometimes for some unknown reason the authentication doesn't work for some users.
From what we've seen, this only seems to happen when a user from domain2 is trying to log on to a machine connected to domain1. It doesn't happen all the time but when it does even restarting centrify doesn't fix the issue. I checked with adinfo that it is connected, adinfo -T doesn't show any problem and adinfo -g in the domain info map I see both domains. All seems to indicate that it should be working but it's only working on the "local" domain.
I activated the centrify debugging and ran the id command:
/usr/share/centrifydc/bin/addebug on
/usr/share/centrifydc/bin/addebug clear
id qwertyuiop
/usr/share/centrifydc/bin/addebug off
adinfo -v
adinfo (CentrifyDC 5.3.1-398)
I'm including some of the logs. Any idea what's going on?
Thanks for your help.
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> -> getpwnam_centrifydc_r user="qwertyuiop"
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> User="qwertyuiop" str2ent=(nil) result=0x7f713a67f260, buffer=0x14d0060
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> User 'qwertyuiop' is not an override user
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:21> with flags 0x00000802
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 executing request 'NSSGetPasswdDataByName' in thread 139758834870016
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 Getting passwd data for 'qwertyuiop'
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent Find GUID: 72136703214c4d24ab8ce0806e949adb (7)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject ADNames: qwertyuiop#012name: qwertyuiop type=SAM domain=domain1.lan
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=sAMAccountName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(displayName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(displayName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=displayName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(cn=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(cn=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=cn
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject: NotFound:qwertyuiop Category:user
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper 'qwertyuiop' is not a canonical name
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > util.except (NotFound) : No such unix user 'qwertyuiop' (reference ipcclient2.cpp:936 rc: 0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 No user data: No such unix user 'qwertyuiop'
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 request 'NSSGetPasswdDataByName' complete
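One way to triage a trace like the one above is to group the adclient debug lines per request thread and check which domains the lookup actually named before it returned NotFound. The script below is an added example, not the poster's or Centrify's code; it embeds a constructed subset of the quoted lines, and `domain2.lan` is an assumed placeholder since the post does not give domain2's DNS name.

```python
import re
from collections import defaultdict

# Constructed sample of adclient debug lines (same host, PID and user placeholders as the post).
SAMPLE_LOG = """\
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 Getting passwd data for 'qwertyuiop'
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject ADNames: qwertyuiop#012name: qwertyuiop type=SAM domain=domain1.lan
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=sAMAccountName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > util.except (NotFound) : No such unix user 'qwertyuiop' (reference ipcclient2.cpp:936 rc: 0)
"""

THREAD_RE = re.compile(r"<fd:(\d+) (\S+)\s*>")          # "<fd:21 NSSGetPasswdDataByName >"
PATTERNS = {
    "user": re.compile(r"Getting passwd data for '([^']+)'"),
    "domain": re.compile(r"findObject ADNames: .*domain=(\S+)"),   # domain the name was resolved in
    "gc": re.compile(r"\(cacheOps=\d+, GC=(\d)\)"),                # GC=1 means a global-catalog search
    "attr": re.compile(r"Not Found:\S+ category:\S+ attr=(\w+)"), # attribute tried and missed
    "outcome": re.compile(r"util\.except \((\w+)\)"),              # final exception class, e.g. NotFound
}

def parse_lookups(log_text):
    """Group lines by (fd, request) and record what each NSS lookup tried and how it ended."""
    lookups = defaultdict(lambda: {"user": None, "domains": [], "attrs": [],
                                   "gc_searches": 0, "outcome": "incomplete"})
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        if not m:                      # e.g. "<main>" lines carry no request thread
            continue
        rec = lookups[(m.group(1), m.group(2))]
        if u := PATTERNS["user"].search(line):
            rec["user"] = u.group(1)
        if d := PATTERNS["domain"].search(line):
            rec["domains"].append(d.group(1))
        if g := PATTERNS["gc"].search(line):
            rec["gc_searches"] += int(g.group(1))
        if a := PATTERNS["attr"].search(line):
            rec["attrs"].append(a.group(1))
        if o := PATTERNS["outcome"].search(line):
            rec["outcome"] = o.group(1)
    return dict(lookups)

def triage(rec, expected_domains):
    """Say whether a failed lookup ever named each domain of the trust (expected_domains is assumed input)."""
    missing = sorted(set(expected_domains) - set(rec["domains"]))
    if rec["outcome"] == "NotFound" and missing:
        return f"{rec['user']}: NotFound after trying {rec['domains']} only; never searched {missing}"
    return f"{rec['user']}: {rec['outcome']} via {rec['domains']}"
```

Run `triage(rec, ["domain1.lan", "domain2.lan"])` on each record from `parse_lookups(SAMPLE_LOG)`; for the quoted trace it reports that the name was resolved only against domain1.lan, which is the observation to bring to the lookup of a trusted-domain user.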