Unable to query AD users after upgrading to RHEL 7.7

Solution Verified - Updated -


  • After upgrading IdM servers to RHEL 7.7, querying AD users returns no output.
  • Errors like below are noticed in dirsrv errors log:

    [18/Sep/2019:15:23:40.813229014 +0400] - ERR - is_allowed_to_access_attr - [file ipa_pwd_extop.c, line 787]: slapi_access_allowed does not allow READ to ipaProtectedOperation;read_keys!
    [18/Sep/2019:15:23:40.815093644 +0400] - ERR - ipapwd_getkeytab - [file ipa_pwd_extop.c, line 1647]: Not allowed to retrieve keytab on [CLOUD$@EXAMPLE.COM] as user [fqdn=ipaserver.cloud.example.com,cn=computers,cn=accounts,dc=cloud,dc=example,dc=com]!


  • Red Hat Enterprise Linux (RHEL) 7.7
  • Identity Management (IdM), version ipa-server-4.6.5-11 and above.
  • One way trust established with Active Directory prior to RHEL 7.3.

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In