On Mon, 18 Jun 2018, Lachlan Musicman wrote:
On Mon., 18 Jun. 2018, 16:15 Alexander Bokovoy, <aboko...@redhat.com> wrote:

On Mon, 18 Jun 2018, Lachlan Musicman wrote:
>On 15 June 2018 at 16:03, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
>>
>>>
>>> https://github.com/freeipa/freeipa/pull/1825
>>>
>>> And from here
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
>>>
>>> it looks like I need to run
>>>
>>> ipa-adtrust-install --add-agents
>>>
>>> on the master and follow the prompts?
>>>
>> Exactly.
>>
>>
>
>Alex, thanks for the confirmation.
>
>FWIW, running ipa-adtrust-install --add-agents on the current ipa master
>asked me:
>
>WARNING: 1 IPA masters are not yet able to serve information about users
>from trusted forests.
>Installer can add them to the list of IPA masters allowed to access
>information about trusts.
>If you choose to do so, you also need to restart LDAP service on those
>masters.
>Refer to ipa-adtrust-install(1) man page for details.
>
>IPA master [ipa-replica.company.com]? [no]:
>
>which, when I said no, exited without making any changes that I could see.
When you run ipa-adtrust-install --add-agents on an existing trust
controller, it asks you whether you want to convert *another* IPA master
to a trust agent.

This is what you should do if you only want to have that *other* IPA
master as a trust agent. So you needed to answer 'yes' there.


>When I ran same on the replica, I got the same question, but this time
>answered yes. I can now id users successfully - but fwiw, when I run
This converted the replica to trust controller, not trust agent.

>So it has become a trust controller as well.
Yes, because you asked it to do so by running ipa-adtrust-install on it.

>Is that because it's also a CA server?
No. It is because you asked it to become a trust controller by running
ipa-adtrust-install on the host.

If you want to make a replica a trust agent, run ipa-adtrust-install
--add-agents on an _existing_ trust controller.


>Ok. Thank you.

>Is it an issue to have two trust controllers?
No, it is not an issue. However, it depends on what you are planning to
deploy. Some people would like to reduce the attack surface in most
cases, and using a trust agent instead of a trust controller makes that
master arguably more secure.

You only need one trust controller to establish and validate trust in a
place where AD DCs can reach it.

>If it is, is there an easy way to remove trust controller status?
There is no way to demote the controller status.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/TPCR3TMUON7LNB7DJ4HROEHAPMGCPG3O/
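The procedure Alexander describes above (add an agent by running --add-agents on an existing controller; running ipa-adtrust-install on a host itself makes it a controller, which cannot be demoted), as an added example that is not part of the thread or of FreeIPA's own code: a small POSIX shell wrapper that looks up a master's current trust roles with `ipa server-role-show` and prints the right next step for the role you actually want. It assumes the `ipa` CLI with a valid admin Kerberos ticket, the FreeIPA server-role names "AD trust controller" and "AD trust agent", and a placeholder AD domain AD.EXAMPLE.TEST for the final `id` check. The wrapper prints the commands instead of running ipa-adtrust-install, because --add-agents prompts interactively for each master.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): guard rails around
# ipa-adtrust-install so a replica meant to be a trust *agent* is not
# promoted to a trust *controller* by running the installer on the wrong host.
# Assumptions: `ipa` CLI available with an admin ticket (kinit admin);
# role names "AD trust controller" / "AD trust agent"; AD.EXAMPLE.TEST is a
# placeholder for the trusted AD domain.
set -eu

CONTROLLER_ROLE="AD trust controller"
AGENT_ROLE="AD trust agent"

# Pull the "Role status:" value (enabled / absent / ...) out of the text that
# `ipa server-role-show <host> <role>` prints. Pure text function, testable offline.
parse_role_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Role status:[[:space:]]*//p' | head -n 1
}

# Given a host's controller status ($1), agent status ($2) and the role we want
# it to have ($3: agent|controller), return a one-word action token.
plan_action() {
    ctrl_status=$1; agent_status=$2; want=$3
    case "$want" in
        agent)
            if [ "$ctrl_status" = enabled ]; then
                echo already-controller         # cannot be demoted, nothing to do
            elif [ "$agent_status" = enabled ]; then
                echo already-agent
            else
                echo add-agent-from-controller  # --add-agents on a controller
            fi ;;
        controller)
            if [ "$ctrl_status" = enabled ]; then
                echo already-controller
            else
                echo promote-to-controller      # ipa-adtrust-install on this host
            fi ;;
        *) echo "unknown target role: $want" >&2; return 2 ;;
    esac
}

# Live lookup of one role's status for a host through the IPA API.
role_status() {
    parse_role_status "$(ipa server-role-show "$1" "$2")"
}

# Print the commands that correspond to a plan token for host $1.
describe() {
    host=$1; action=$2
    case "$action" in
        add-agent-from-controller)
            echo "On an EXISTING trust controller run:  ipa-adtrust-install --add-agents"
            echo "Answer 'yes' when asked about $host, then on $host run:  systemctl restart dirsrv.target"
            echo "Verify on $host with:  id someuser@AD.EXAMPLE.TEST" ;;
        promote-to-controller)
            echo "On $host itself run:  ipa-adtrust-install   (irreversible: controllers cannot be demoted)" ;;
        already-controller)
            echo "$host is already a trust controller; it cannot be demoted." ;;
        already-agent)
            echo "$host is already a trust agent." ;;
    esac
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <master-fqdn> agent|controller" >&2; return 0; }
    host=$1; want=$2
    action=$(plan_action "$(role_status "$host" "$CONTROLLER_ROLE")" \
                         "$(role_status "$host" "$AGENT_ROLE")" "$want")
    describe "$host" "$action"
}

main "$@"
```

Run it as `./trust-role-check.sh ipa-replica.company.com agent` before touching the replica: if the controller role is already enabled it tells you the host is stuck as a controller, which is exactly the situation in the thread, and otherwise it points you at the controller to run --add-agents on.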
