On Fri, 03 Jul 2020, Vinícius Ferrão wrote:
Hi Alexander,

But is it OK not to be a trust controller or trust agent? Is it a good
idea to be a trust agent at least? How can I check both?

'trust agent' is an IPA server which resolves AD users and groups. So if
you want your IPA clients to resolve AD users and groups, they need to
talk to a master/replica with the 'Trust Agent' server role.

However, resolution of SIDs in the web UI and IPA CLI requires that the
master/replica you talk to has the 'freeipa-server-trust-ad' package
installed, because that one pulls in the actual packages required to
resolve SIDs from Python. That has the overhead of installing all
Samba components, including the server side.

If you don't want that, you might want to install only
python3-libsss_nss_idmap
python3-samba
python3-sss

in addition to python3-ipaserver, and make the host a 'Trust agent'. I haven't
checked that this recipe indeed works, only validated the dependencies.

'trust controller' is what makes it possible to establish a trust to an AD
forest. You don't need more than one of those, typically.


I can fetch the data regarding the trust from IPA on the replica server
normally.
[root@ipa2 ~]# ipa trust-show
Realm name: ad.example.com
 Realm name: ad.example.com
 Domain NetBIOS name: EXAMPLE
 Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 UPN suffixes: example.com, invalid.com
[root@ipa2 ~]# ipa trustdomain-find
Realm name: ad.example.com
 Domain name: ad.example.com
 Domain NetBIOS name: EXAMPLE
 Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
 Domain enabled: True

Thank you.

On 3 Jul 2020, at 04:20, Alexander Bokovoy <[email protected]> wrote:

On Fri, 03 Jul 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello,
I have two FreeIPA servers with AD trust enabled. Usually I do everything
on the IPA #1 server, but I just observed that SIDs aren't resolved on the
replica. Is this normal?
I'm attaching a picture of the issue to illustrate it.
If this is not right, can someone help with debugging steps?
I observed that I can't do getent passwd ferrao on the replica either.
Only on master:
[root@ipa1 ~]# getent passwd ferrao
[1][email protected]:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
[root@ipa2 ~]# getent passwd ferrao

Looks like the second server is neither trust controller nor trust
agent.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
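The question in the thread ("How can I check both?") is answered in FreeIPA by the server role commands: `ipa server-role-find --server <fqdn>` prints a "Role status" line for every role, including 'AD trust agent' and 'AD trust controller'. The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell helper that reads that command's output and reports whether a server can resolve AD users. The hostname and both sample outputs are constructed to follow the command's layout so the helpers run offline.

```shell
#!/bin/sh
# Added example, not from the thread: read the server roles of an IPA master or
# replica and tell whether it can resolve AD users (is an 'AD trust agent') or
# establish trusts (is an 'AD trust controller'). The live check is simply:
#
#     ipa server-role-find --server ipa2.example.com
#
# The hostname is an assumption; the two outputs below are constructed to follow
# that command's layout so the helpers can be exercised offline.

# Constructed: a replica that is neither trust agent nor trust controller,
# which matches the symptom in the thread (SIDs unresolved, getent empty).
SAMPLE_PLAIN_REPLICA='----------------------
4 server roles matched
----------------------
  Server name: ipa2.example.com
  Role name: AD trust agent
  Role status: absent

  Server name: ipa2.example.com
  Role name: AD trust controller
  Role status: absent

  Server name: ipa2.example.com
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.com
  Role name: IPA master
  Role status: enabled
----------------------------
Number of entries returned 4
----------------------------'

# Constructed: a server that was made a trust agent only (no controller role).
SAMPLE_AGENT_ONLY='----------------------
2 server roles matched
----------------------
  Server name: ipa2.example.com
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa2.example.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 2
----------------------------'

# role_status OUTPUT ROLE
# Prints the "Role status" value (enabled/configured/hidden/absent) that
# follows the matching "Role name" line; prints nothing if ROLE is not listed.
role_status() {
    printf '%s\n' "$1" | awk -v role="$2" '
        /^[ \t]*Role name:/ {
            name = $0; sub(/^[ \t]*Role name:[ \t]*/, "", name)
        }
        /^[ \t]*Role status:/ && name == role {
            status = $0; sub(/^[ \t]*Role status:[ \t]*/, "", status)
            print status; exit
        }'
}

# trust_role_summary OUTPUT
# One line with both trust-related roles, "unknown" when a role is not listed.
trust_role_summary() {
    agent=$(role_status "$1" 'AD trust agent')
    controller=$(role_status "$1" 'AD trust controller')
    printf 'agent=%s controller=%s\n' "${agent:-unknown}" "${controller:-unknown}"
}

# can_resolve_ad_users OUTPUT
# Succeeds only when the server is an enabled trust agent, i.e. clients
# pointed at it will be able to look up AD users and groups.
can_resolve_ad_users() {
    [ "$(role_status "$1" 'AD trust agent')" = enabled ]
}

# Stand-alone run: evaluate both constructed servers.
for sample in "$SAMPLE_PLAIN_REPLICA" "$SAMPLE_AGENT_ONLY"; do
    if can_resolve_ad_users "$sample"; then
        verdict='can resolve AD users'
    else
        verdict='cannot resolve AD users (not a trust agent)'
    fi
    printf '%s -> %s\n' "$(trust_role_summary "$sample")" "$verdict"
done
```

On a real deployment, run `ipa server-role-find --server <fqdn>` from any enrolled host with a valid Kerberos ticket and pipe its output into `trust_role_summary`, or use `ipa server-role-find --role 'AD trust agent'` to see the status of that one role across all masters and replicas. The "make the host 'Trust agent'" step Alexander refers to is normally done by running `ipa-adtrust-install --add-agents` on the existing trust controller, which then lists the replicas that can be promoted.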