On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud <[email protected]> wrote:
> Hi,
>
> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <[email protected]> wrote:
>
>> I'm playing around with IPA trying to figure out how to set it up to be
>> redundant. The problem is that the IPA Replica isn't able to authenticate
>> AD users if the IPA Master is down.
>>
>> My setup:
>> One Windows Server set up with Active Directory Domain Services, Active
>> Directory Certificate Services and a DNS server hosting the ad.labnet.org
>> domain and the Root CA.
>>
>> Two Linux servers set up in the labnet.org domain. Both using the Windows
>> Server DNS server.
>> The first one is set up as an IPA Master server hosting the domain
>> ipa.labnet.org and acts as a subordinate CA server. It was set up with the
>> following commands:
>>
>> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
>> kinit admin
>> sudo ipa-adtrust-install
>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>
>> The second one is set up as an IPA Replica also hosting the domain
>> ipa.labnet.org. It has been set up with the following commands:
>>
>> sudo ipa-client-install --mkhomedir
>> sudo ipa-replica-install
>> sudo ipa-ca-install
>> kinit admin
>> sudo ipa-adtrust-install
>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>
> The above command (ipa trust-add) probably exited on error as the trust
> was already established. Please read Trust controllers and Trust Agents
> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad>
> to understand how the replica should be set up in order to be able to resolve
> AD users and groups.
> With your set of commands, both master and replica are configured as AD
> Trust Controllers and should be able to resolve users and groups, but there
> is no need to run the trust-add part twice.
>

They both show up in the IPA Admin GUI as being both Trust Controllers and Trust Agents. I read that at least two trust controllers should be configured per IdM deployment. Thanks, I will check the document again.

>> All needed DNS records have been created in the DNS server on the Windows
>> server. At least I hope so.
>> IPA Healthcheck on both IPA servers doesn't complain about anything missing.
>> sudo ipa-healthcheck --output-type human
>>
>> One IPA Client, also set up in the labnet.org domain and using the Windows
>> server DNS, was set up with the following command:
>> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>
>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>> domain works out like this:
>> Both IPA Servers up: works OK
>> Only IPA Master up: works OK
>> Only IPA Replica up: doesn't work.
>>
> Did you test authentication on the IPA replica?
> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
> server for ipa.labnet.org?
>

I may have missed that, but I just tried it out now. No, I'm not able to authenticate as an AD user on the IPA Replica :-(
No, only the Windows DNS server is a DNS server, hosting all the domains labnet.org, ad.labnet.org and ipa.labnet.org.
Thanks!

> flo
>
>> After this, a check with IPA Healthcheck on the IPA Replica now comes back
>> with this:
>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {} for ad.labnet.org returned nothing
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers: IPA: lab003.labnet.org
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers: IPA: lab003.labnet.org
>>
>> Can anyone suggest what I have done wrong or missed? As far as I can tell
>> there are no commands that let me write to the Global Catalog?
>> Thanks!
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
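The two ipa-healthcheck errors quoted in the thread are derived from the "Active servers:" section of `sssctl domain-status` on the replica, which lists only the IPA server and no AD Global Catalog or AD Domain Controller. The script below is an added example, not part of this thread and not FreeIPA's or SSSD's own tooling. It parses that output and separates two failure modes that the healthcheck reports identically: an AD server that SSSD never discovered (typically DNS SRV resolution of the AD domain, which is what the question about which hosts serve DNS is probing) and one that was discovered but never became active. The three sample outputs are constructed; their "Active servers:" layout follows the fragment quoted by the healthcheck above, the "Discovered ... servers:" sections follow SSSD's usual layout, and dc01.ad.labnet.org is an invented hostname.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or SSSD): classify the AD server
# roles that `sssctl domain-status <trusted-domain>` reports on an IPA server.

# Constructed sample 1: a replica where both AD roles are active.
STATUS_HEALTHY='Online status: Online

Active servers:
AD Global Catalog: dc01.ad.labnet.org
AD Domain Controller: dc01.ad.labnet.org
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org
Discovered AD Domain Controller servers:
- dc01.ad.labnet.org
Discovered IPA servers:
- lab003.labnet.org
'

# Constructed sample 2: what the thread describes, only the IPA server is
# active and no AD server was discovered at all (DNS/SRV side).
STATUS_NOT_DISCOVERED='Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
None so far.
Discovered IPA servers:
- lab003.labnet.org
'

# Constructed sample 3: DNS returned the AD servers, but SSSD never brought
# one online (reachability or the SSSD domain log are the next place to look).
STATUS_NOT_ACTIVE='Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org
Discovered AD Domain Controller servers:
- dc01.ad.labnet.org
Discovered IPA servers:
- lab003.labnet.org
'

# missing_ad_servers "<sssctl domain-status output>"
# Prints one line per AD role that is not active, with a hint on where to
# look. Exit status 0 when both AD roles are active, 1 otherwise.
missing_ad_servers() {
    printf '%s\n' "$1" | awk '
        # Track which section of the report we are in; a blank line ends one.
        /^Active servers:/                 { section = "active";  next }
        /^Discovered AD Global Catalog/    { section = "disc_gc"; next }
        /^Discovered AD Domain Controller/ { section = "disc_dc"; next }
        /^Discovered IPA/                  { section = "";        next }
        /^$/                               { section = "";        next }
        # Roles listed under "Active servers:" are the ones SSSD is using.
        section == "active"  && /^AD Global Catalog:/    { gc = 1 }
        section == "active"  && /^AD Domain Controller:/ { dc = 1 }
        # A "- host" line under a Discovered section means DNS found a server.
        section == "disc_gc" && /^- /                    { disc_gc = 1 }
        section == "disc_dc" && /^- /                    { disc_dc = 1 }
        END {
            rc = 0
            if (!gc) { print "AD Global Catalog: " hint(disc_gc); rc = 1 }
            if (!dc) { print "AD Domain Controller: " hint(disc_dc); rc = 1 }
            exit rc
        }
        function hint(discovered) {
            if (discovered)
                return "discovered but not active (check reachability and the sssd domain log)"
            return "not discovered (check DNS SRV lookups for the AD domain)"
        }'
}

# report "<label>" "<domain-status output>": human-readable wrapper.
report() {
    printf '== %s ==\n' "$1"
    if missing_ad_servers "$2"; then
        echo "both AD roles active"
    fi
}

# On a real IPA server you would feed live output instead of a sample:
#   missing_ad_servers "$(sssctl domain-status ad.labnet.org)"
report "healthy replica" "$STATUS_HEALTHY"
report "AD servers not discovered" "$STATUS_NOT_DISCOVERED"
report "AD servers discovered but not active" "$STATUS_NOT_ACTIVE"
```

Run it on each IPA server with the trusted domain name; a "not discovered" result on the replica but not on the master is the signature of a DNS configuration that differs between the two hosts, whereas "discovered but not active" means name resolution worked and the problem lies between SSSD and the AD server.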
