On Sat, 23 Apr 2022 at 23:55, Alexander Bokovoy
(<aboko...@redhat.com>) wrote:
>
> On Sat, 23 Apr 2022, Cyrus via FreeIPA-users wrote:
> >Hello,
> >
> >I'm looking to deploy a multisite setup of FreeIPA, it would be 4
> >sites and 2 nodes per site. Alongside FreeIPA, there will also be:
> >- a pair of Samba4 controllers per site that I would like to setup trust with
> >- sites 5 & 6 from a third party running Windows 2019 AD (single
> >domain, DR setup), with which I also need to setup an AD trust.
> >
> >Is it required that my 8 replicas establish trust with all Samba4 and
> >Windows 2019 servers?
>
> You are using the wrong terminology and mixing up preparation of the
> replicas with the actual trust agreement. Please read
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad
>
> You do not need to establish trust again and again from different
> replicas.
>
> In short, trust between IPA and an Active Directory forest is
> established once, there is no need to re-establish it multiple times
> from different replicas. A replica that can establish trust is called
> 'Trust Controller'. A replica that can use trust to resolve users and
> groups is called 'Trust Agent'. If you need to ensure that users and
> groups from trusted forests can be resolved everywhere, then all those
> replicas need to be trust agents. You don't need to re-establish trust
> or to make all of those replicas trust controllers.
>
> So all you need to do is:
>
>   - make at least one Trust Controller
>   - use a Trust Controller to designate other replicas Trust Agents
>   - establish trust to the Active Directory forest(s)
>
> Then all clients connected to Trust Agents and Trust Controllers will be
> able to resolve users and groups from trusted forests.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
Good night Alexander,

Thanks a lot for the clarification. After reading the documentation,
my understanding is that if my users reside on that trusted external
domain, I will need to have connectivity from all my FreeIPA nodes
(regardless of Trust Controller or Trust Agent role) in order to
authenticate those users with my FreeIPA-managed machines.

Regards,
CI.-
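The three steps Alexander lists (one Trust Controller, agents designated from it, trust established once), as an added shell example that is not part of this thread and not FreeIPA's own tooling. The NetBIOS name EXAMPLE, the AD forest ad.example.test and the agent hostnames are placeholders; DRY_RUN=1 (the default) only prints the commands, DRY_RUN=0 runs them on the replica chosen as Trust Controller.

```shell
#!/bin/sh
# Added example (not from this thread): one-time trust setup for an IPA
# topology with several replicas. Run on ONE replica, the future Trust
# Controller; the other replicas only become Trust Agents (step 2).
# Placeholders: NETBIOS_NAME, AD_FOREST, TRUST_AGENTS.
set -eu

DRY_RUN="${DRY_RUN:-1}"
NETBIOS_NAME="EXAMPLE"
AD_FOREST="ad.example.test"
TRUST_AGENTS="ipa2.example.test ipa3.example.test"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: turn this replica into a Trust Controller (once, not per replica).
make_trust_controller() {
    run ipa-adtrust-install --netbios-name="$NETBIOS_NAME"
}

# Step 2: from the Trust Controller, designate further replicas as Trust
# Agents. --add-agents prompts for the hostnames; they need no setup of
# their own beyond this, and they never establish the trust themselves.
designate_trust_agents() {
    printf 'Trust Agents to enter at the prompt: %s\n' "$TRUST_AGENTS"
    run ipa-adtrust-install --add-agents
}

# Step 3: establish the forest trust exactly once, from the Trust Controller.
establish_trust() {
    run ipa trust-add --type=ad "$1" --admin Administrator --password
}

# Checks: which replicas hold which role, and whether a user from the
# trusted forest resolves through SSSD on a host enrolled to an agent.
show_trust_roles() {
    run ipa server-role-find --role="AD trust controller"
    run ipa server-role-find --role="AD trust agent"
}
resolve_ad_user() {
    run getent passwd "$1"
}

main() {
    make_trust_controller
    designate_trust_agents
    establish_trust "$AD_FOREST"
    show_trust_roles
    resolve_ad_user "someone@$AD_FOREST"
}
main
```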
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure