Hi,

On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I'm playing around with IPA trying to figure out how to set it up to be
> redundant. The problem is that the IPA Replica isn't able to authenticate
> AD users if IPA Master is down.
> My setup:
> One Windows Server set up with Active Directory Domain Services, Active
> Directory Certificate Services and DNS server hosting the ad.labnet.org
> domain and the Root CA.
>
> Two Linux servers set up in the labnet.org domain. Both using the Windows
> Server DNS server.
> The first one is set up as an IPA Master server hosting the domain
> ipa.labnet.org and acts as a subordinate CA server. It was set up with the
> following commands:
>   sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>   sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
> --external-cert-file=/home/$USER/certnew.cer
>   kinit admin
>   sudo ipa-adtrust-install
>   sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
> --password --two-way=true
>
> The second one is set up as an IPA Replica, also hosting the domain
> ipa.labnet.org. It has been set up with the following commands:
>   sudo ipa-client-install --mkhomedir
>   sudo ipa-replica-install
>   sudo ipa-ca-install
>   kinit admin
>   sudo ipa-adtrust-install
>   sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator
> --password --two-way=true
>
The above command (ipa trust-add) probably exited on error as the trust was
already established. Please read Trust controllers and Trust Agents
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad>
to understand how the replica should be set up in order to be able to resolve
AD users and groups. With your set of commands, both master and replica are
configured as AD Trust Controllers and should be able to resolve users and
groups, but there is no need to run the trust-add part twice.


>
> All needed DNS records have been created in the DNS server on the Windows
> server. At least I hope so.
> IPA Healthcheck on both IPA servers doesn't complain about anything missing.
>   sudo ipa-healthcheck --output-type human
>
> One IPA Client, also set up in the labnet.org domain and using the Windows
> server DNS, was set up with the following command:
> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>
> Testing authentication on the IPA Client as a user in the ad.labnet.org
> domain works out like this:
> Both IPA Servers up works OK
> Only IPA Master up works OK
> Only IPA Replica up doesn't work.
>
Did you test authentication on the IPA replica?
Is your master a DNS server for ipa.labnet.org? Is the replica a DNS server
for ipa.labnet.org?

flo

>
> After this, the check with IPA Healthcheck on the IPA Replica now comes back
> with this:
> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID
> {} for ad.labnet.org returned nothing
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
> Active servers:
> IPA: lab003.labnet.org
> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
> Controller: AD Domain Controller not found in /usr/sbin/sssctl
> 'domain-status' output: Active servers:
> IPA: lab003.labnet.org
>
> Can anyone suggest what I have done wrong or missed? As far as I can tell
> there are no commands that let me write to the Global Catalog?
> Thanks!
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
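Added example, not part of either message in this thread: a POSIX shell check that reproduces what ipa-healthcheck's IPATrustCatalogCheck is complaining about above, namely that the "Active servers:" section of `sssctl domain-status <trusted-domain>` on the replica lists no AD Global Catalog and no AD Domain Controller. The two samples embedded below are constructed (the "broken" one mirrors the output quoted above, the hostname dc01.ad.labnet.org in the "good" one is made up), and treating "not connected" as a failure is an assumption added for robustness, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether an IPA replica has an
# active AD Global Catalog and AD Domain Controller for a trusted AD domain,
# using the text that `sssctl domain-status <domain>` prints.

# Constructed sample: what the replica in the thread showed (only IPA active).
SAMPLE_BROKEN='Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered IPA servers:
- lab003.labnet.org'

# Constructed sample of a replica that can reach the AD domain.
# dc01.ad.labnet.org is a made-up hostname.
SAMPLE_OK='Online status: Online

Active servers:
AD Global Catalog: dc01.ad.labnet.org
AD Domain Controller: dc01.ad.labnet.org
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org'

# Print only the lines between "Active servers:" and the next blank line.
active_servers() {
    awk '/^Active servers:/ {insec=1; next} insec && /^[[:space:]]*$/ {insec=0} insec'
}

# $1: full sssctl domain-status output. Returns 0 when both AD roles have an
# active server, 1 otherwise (the missing roles are reported on stderr).
# A role line that is absent, or that reads "not connected" (assumption), counts
# as missing, which is exactly the condition ipa-healthcheck flags as ERROR.
check_trust_servers() {
    servers=$(printf '%s\n' "$1" | active_servers)
    missing=""
    for role in "AD Global Catalog" "AD Domain Controller"; do
        host=$(printf '%s\n' "$servers" | sed -n "s/^$role: *//p")
        if [ -z "$host" ] || [ "$host" = "not connected" ]; then
            missing="$missing '$role'"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no active server for:$missing (replica cannot resolve AD users alone)" >&2
        return 1
    fi
    echo "trust servers reachable: $(printf '%s' "$servers" | tr '\n' ' ')"
    return 0
}

# When run directly with a trusted-domain name (e.g. ad.labnet.org) on a host
# that has sssctl, check the live output; otherwise run the constructed samples.
if [ -n "${1:-}" ] && command -v sssctl >/dev/null 2>&1; then
    check_trust_servers "$(sssctl domain-status "$1")"
else
    check_trust_servers "$SAMPLE_OK" || true
    check_trust_servers "$SAMPLE_BROKEN" || true
fi
```

Run it on the replica as `sh check-trust.sh ad.labnet.org` with the master shut down: if the broken branch fires, the replica is not reaching the AD domain by itself, which points at DNS or trust-agent setup on the replica rather than at the Global Catalog contents.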