On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
> I have a setup where we have four IPA servers. Two of them are able to
> talk to the AD Domain Controllers directly. I set them up as AD Trust
> controllers.
>
> The other two IPA servers can only talk to these IPA servers and not
> to the AD DCs directly. That's why I wanted them to have the Trust
> Agent Role only.

Trust Agent also should be able to talk to AD DCs. If those servers
cannot talk to AD DCs, they cannot be trust agents.

> I used "ipa-adtrust-install --add-agents" on these servers. After
> configuring the roles and finishing the setup I did a "ipa
> server-role-find" to check if the roles were set correctly. I found
> out that all four IPA servers do have the Trust Controller role. And
> here comes my question... why? Why have the two servers been added as
> trust controllers and not as agents only?

You should have run 'ipa-adtrust-install --add-agents' on existing trust
controllers, not on agents-to-be. This is what the documentation tells
you to do.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland