Hi folks,

Multi-region AWS IPA user here. We've got an ancient and brittle IPA setup with broken replication and an inability to upgrade. Rather than fix it, I want to stand up a whole new set of IPA servers running the latest version so I can get replication working again, as well as leverage all the great new features in IPA and the SSSD subsystem.

However, in my environment it's an incredibly complex process to set up a 1-way trust with Active Directory.

The administrators work for a managed service provider and they are outside of the normal support loop, so they rarely interact with peons and outsiders like myself. Just getting their attention is a procedural and political effort. The first AD trust took more than 3 months to set up (!)

I need to start the process again for requesting a new AD trust arrangement for the new IPA servers I intend to build.

I realized that I had a really dumb question ...

If my goal is to have a 4-node replicating cluster (2x in us-east AWS region and 2x in eu-central-2 region) how many discrete AD trusts do I actually have to arrange with my remote AD administrators?

If I get a good 1-way trust working on a single IPA node in the cluster, will the replicating targets inherit this trust?

Do I need to set up the trust individually on each of the 4 planned IPA boxes?
