Hi,

On Mon, Apr 15, 2024 at 10:10 AM John Doe <[email protected]> wrote:

> On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud <[email protected]> wrote:
>
>> Hi,
>>
>> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <[email protected]> wrote:
>>
>>> I'm playing around with IPA trying to figure out how to set it up to be
>>> redundant. The problem is that the IPA Replica isn't able to authenticate
>>> AD users if IPA Master is down.
>>> My setup;
>>> One Windows Server set up with Active Directory Domain Services, Active
>>> Directory Certificate Services and DNS server hosting the ad.labnet.org
>>> domain and the Root CA.
>>>
>>> Two Linux servers set up in the labnet.org domain. Both using the
>>> Windows Server DNS server.
>>> The first one is set up as an IPA Master server hosting the domain
>>> ipa.labnet.org and acts as a subordinate CA server. It was set up with
>>> the following commands;
>>> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>>> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
>>> kinit admin
>>> sudo ipa-adtrust-install
>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>
>>> The second one is set up as an IPA Replica also hosting the domain
>>> ipa.labnet.org. It has been set up with the following commands;
>>> sudo ipa-client-install --mkhomedir
>>> sudo ipa-replica-install
>>> sudo ipa-ca-install
>>> kinit admin
>>> sudo ipa-adtrust-install
>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>
>> The above command (ipa trust-add) probably exited on error as the trust
>> was already established.
>> Please read Trust controllers and Trust Agents
>> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad>
>> to understand how the replica should be set up in order to be able to resolve
>> AD users and groups. With your set of commands, both master and replica are
>> configured as AD Trust Controllers and should be able to resolve users and
>> groups, but there is no need to run the trust-add part twice.
>>
> They both show up in IPA Admin GUI as being both Trust Controllers and
> Trust Agents. I read that at least two trust controllers should be
> configured per IdM deployment.
> Thanks, I will check the document again.
>
>>> All needed DNS records have been created in the DNS server on the Windows
>>> server. At least I hope so.
>>> IPA Healthcheck on both IPA servers doesn't complain about anything missing.
>>> sudo ipa-healthcheck --output-type human
>>>
>>> One IPA Client also set up in the labnet.org domain and using the
>>> Windows server DNS, was set up with the following command;
>>> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>>
>>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>>> works out like this;
>>> Both IPA Servers up works OK
>>> Only IPA Master up works OK
>>> Only IPA Replica up doesn't work.
>>>
>> Did you test authentication on the IPA replica?
>> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
>> server for ipa.labnet.org?
>>
> I may have missed that, but just tried it out now. No, I'm not able to
> authenticate as an AD user on the IPA Replica :-(
>
You can enable debug level in the replica: add debug_level=9 in all the sections in /etc/sssd/sssd.conf, restart sssd with systemctl restart sssd and clean the cache.
Then retry authentication of an AD user on the replica and gather the logs from /var/log/sssd/*. We may be able to help with the logs. Do not forget to remove the debug_level when you're done.

If authentication works on the master but not on the replica, it is often related to DNS or firewall issues between the trust controller and the AD domain controller. You can refer to
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#guidelines-for-setting-up-dns-for-an-idm-ad-trust_planning-a-cross-forest-trust-between-idm-and-ad
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad#doc-wrapper

flo

> No, only the Windows DNS server is a DNS server, hosting all the domains
> labnet.org, ad.labnet.org and ipa.labnet.org
>
> Thanks!
>
>> flo
>>
>>> After this, check with IPA Healthcheck on the IPA Replica now comes back
>>> with this;
>>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID
>>> {} for ad.labnet.org returned nothing
>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
>>> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
>>> Active servers:
>>> IPA: lab003.labnet.org
>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
>>> Controller: AD Domain Controller not found in /usr/sbin/sssctl
>>> 'domain-status' output: Active servers:
>>> IPA: lab003.labnet.org
>>>
>>> Can anyone suggest what I have done wrong or missed? As far as I can
>>> tell there are no commands that let me write to the Global Catalog?
>>> Thanks!
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
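As an added example (not from the thread or from the FreeIPA/SSSD projects), the debug procedure described above as shell functions: set debug_level in every section of sssd.conf, remove it again afterwards, the restart-and-clear-cache step for the replica, and a check of `sssctl domain-status` output for the "AD Global Catalog" and "AD Domain Controller" entries that the IPATrustCatalogCheck error says are missing. The sssd.conf layout and the domain-status output format are assumed to match stock SSSD.

```shell
#!/bin/sh
# Added example; assumes the stock /etc/sssd/sssd.conf INI layout
# ([sssd], [domain/...], [nss], [pam], ...) and stock sssctl output.

# Print a copy of CONF with "debug_level = LEVEL" in every section,
# dropping any debug_level line that is already present.
sssd_set_debug_level() {
    conf="$1"; level="$2"
    awk -v lvl="$level" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ { print; print "debug_level = " lvl; next }
        /^[[:space:]]*debug_level[[:space:]]*=/ { next }
        { print }
    ' "$conf"
}

# The "do not forget" step: print CONF with every debug_level line removed.
sssd_unset_debug_level() {
    awk '/^[[:space:]]*debug_level[[:space:]]*=/ { next } { print }' "$1"
}

# Number of debug_level lines in CONF (one per section after the edit).
sssd_count_debug_sections() {
    grep -c '^debug_level' "$1"
}

# Live procedure on the replica: back up, enable level 9, restart, clear
# cache. Needs root and a real SSSD install, so it is not called here.
# Writing through "cat >" keeps sssd.conf's 0600 root ownership and mode.
sssd_enable_debug_and_restart() {
    conf=/etc/sssd/sssd.conf
    cp -p "$conf" "$conf.bak.$(date +%s)"
    sssd_set_debug_level "$conf" 9 > "$conf.new" && cat "$conf.new" > "$conf" && rm -f "$conf.new"
    systemctl restart sssd
    sss_cache -E   # invalidate all cached entries before retrying the AD login
}

# Given the text of "sssctl domain-status ad.labnet.org", succeed only when
# both "AD Global Catalog:" and "AD Domain Controller:" appear under
# "Active servers:", which is what ipa-healthcheck's IPATrustCatalogCheck wants.
sssd_ad_servers_active() {
    printf '%s\n' "$1" | awk '
        /^Active servers:/ { in_active = 1; next }
        /^$/ { in_active = 0 }
        in_active && /^AD Global Catalog:/ { gc = 1 }
        in_active && /^AD Domain Controller:/ { dc = 1 }
        END { exit !(gc && dc) }'
}
```

Run `sssd_ad_servers_active "$(sssctl domain-status ad.labnet.org)"` on the replica; a non-zero exit reproduces the healthcheck finding before digging into the level 9 logs.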
