Hi,

Thank you for your continued support. However, after reading up on the chapters on Replicas and on Trust Controllers and Trust Agents I was able to deduce my mistake ;-)

The problem was that on the replica I ran both of these commands, which had already been run on the master:

sudo ipa-adtrust-install
sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true

Instead I should only have run the following command on the replica:

sudo ipa-adtrust-install --add-agents

So I redid the setup and corrected my mistake, and now it all works :-) Both IPA servers now have the roles Trust Controller and Trust Agent. Now I can authenticate users from IPA clients no matter whether both IPA servers or just one of them is up and running.

Thanks a million!

On Fri, 19 Apr 2024 at 10:25, Florence Blanc-Renaud <[email protected]> wrote:

> Hi,
>
> On Mon, Apr 15, 2024 at 10:10 AM John Doe <[email protected]> wrote:
>
>> On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <[email protected]> wrote:
>>>
>>>> I'm playing around with IPA trying to figure out how to set it up to be
>>>> redundant. The problem is that the IPA Replica isn't able to authenticate
>>>> AD users if the IPA Master is down.
>>>>
>>>> My setup:
>>>> One Windows Server set up with Active Directory Domain Services, Active
>>>> Directory Certificate Services and a DNS server hosting the ad.labnet.org
>>>> domain and the Root CA.
>>>>
>>>> Two Linux servers set up in the labnet.org domain. Both using the
>>>> Windows Server DNS server.
>>>> The first one is set up as an IPA Master server hosting the domain
>>>> ipa.labnet.org and acts as a subordinate CA server. It was set up with
>>>> the following commands:
>>>> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>>>> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
>>>> kinit admin
>>>> sudo ipa-adtrust-install
>>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>>
>>>> The second one is set up as an IPA Replica also hosting the domain
>>>> ipa.labnet.org. It has been set up with the following commands:
>>>> sudo ipa-client-install --mkhomedir
>>>> sudo ipa-replica-install
>>>> sudo ipa-ca-install
>>>> kinit admin
>>>> sudo ipa-adtrust-install
>>>> sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>>
>>> The above command (ipa trust-add) probably exited on error as the trust
>>> was already established. Please read Trust controllers and Trust Agents
>>> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad>
>>> to understand how the replica should be set up in order to be able to resolve
>>> AD users and groups. With your set of commands, both master and replica are
>>> configured as AD Trust Controllers and should be able to resolve users and
>>> groups, but there is no need to run the trust-add part twice.
>>>
>> They both show up in the IPA Admin GUI as being both Trust Controllers and
>> Trust Agents. I read that at least two trust controllers should be
>> configured per IdM deployment.
>> Thanks, I will check the document again.
>>
>>>> All needed DNS records have been created in the DNS server on the
>>>> Windows server. At least I hope so.
>>>> IPA Healthcheck on both IPA servers doesn't complain about anything
>>>> missing.
>>>> sudo ipa-healthcheck --output-type human
>>>>
>>>> One IPA Client, also set up in the labnet.org domain and using the
>>>> Windows server DNS, was set up with the following command:
>>>> sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>>>
>>>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>>>> domain works out like this:
>>>> Both IPA Servers up: works OK
>>>> Only IPA Master up: works OK
>>>> Only IPA Replica up: doesn't work.
>>>>
>>> Did you test authentication on the IPA replica?
>>> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
>>> server for ipa.labnet.org?
>>>
>> I may have missed that, but just tried it out now. No, I'm not able to
>> authenticate as an AD user on the IPA Replica :-(
>>
> You can enable debug level in the replica: add debug_level=9 in all the
> sections in /etc/sssd/sssd.conf, restart sssd with systemctl restart sssd
> and clean the cache. Then retry authentication of an AD user on the replica
> and gather the logs from /var/log/sssd/*. We may be able to help with the
> logs. Do not forget to remove the debug_level when you're done.
>
> If authentication works on the master but not on the replica, it is often
> related to DNS or firewall issues between the trust controller and the AD
> domain controller.
> You can refer to
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#guidelines-for-setting-up-dns-for-an-idm-ad-trust_planning-a-cross-forest-trust-between-idm-and-ad
> and
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad#doc-wrapper
>
> flo
>
>> No, only the Windows DNS server is a DNS server, hosting all the domains
>> labnet.org, ad.labnet.org and ipa.labnet.org
>>
>> Thanks!
>>
>>> flo
>>>
>>>> After this, a check with IPA Healthcheck on the IPA Replica now comes back
>>>> with this:
>>>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of ID {} for ad.labnet.org returned nothing
>>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
>>>> IPA: lab003.labnet.org
>>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller: AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output: Active servers:
>>>> IPA: lab003.labnet.org
>>>>
>>>> Can anyone suggest what I have done wrong or missed? As far as I can
>>>> tell there are no commands that let me write to the Global Catalog?
>>>> Thanks!
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
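An added example, not from this thread and not FreeIPA project code: a small POSIX sh check that mirrors what the IPATrustCatalogCheck errors quoted above are looking for. It reads the output of `sssctl domain-status <ad-domain>` and inspects only its "Active servers:" section; a trust agent whose SSSD has not located an AD Global Catalog and an AD Domain Controller (the state the replica was in before `ipa-adtrust-install --add-agents`) is flagged, which is a quick way to confirm a replica really can serve AD users on its own before failing the master over. The two status texts are constructed to resemble that output, `dc01.ad.labnet.org` is an assumed hostname, and the function name `check_active_servers` is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project).
# check_active_servers reads `sssctl domain-status <domain>` output on stdin,
# keeps only the "Active servers:" section and reports which of the two AD
# entries ipa-healthcheck expects on a trust agent are missing.
# Returns 0 when both are listed, 1 otherwise.
check_active_servers() {
    # Extract the lines between "Active servers:" and the next blank line.
    section=$(awk '/^Active servers:/ { inside = 1; next }
                   /^$/               { inside = 0 }
                   inside             { print }')
    rc=0
    for entry in "AD Global Catalog" "AD Domain Controller"; do
        case "$section" in
            *"$entry: "*) echo "OK:      $entry listed" ;;
            *)            echo "MISSING: $entry not listed under Active servers"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample 1: what the replica in the thread reported before
# ipa-adtrust-install --add-agents (only the IPA server itself is active).
AGENT_BROKEN='Online status: Online

Active servers:
IPA: lab003.labnet.org

Discovered IPA servers:
- lab003.labnet.org'

# Constructed sample 2: a healthy trust agent/controller. dc01.ad.labnet.org
# is an assumed hostname, not one from the thread.
AGENT_HEALTHY='Online status: Online

Active servers:
AD Global Catalog: dc01.ad.labnet.org
AD Domain Controller: dc01.ad.labnet.org
IPA: lab003.labnet.org

Discovered AD Global Catalog servers:
- dc01.ad.labnet.org
Discovered AD Domain Controller servers:
- dc01.ad.labnet.org
Discovered IPA servers:
- lab003.labnet.org'

# On a real trust agent, replace the printf with:
#   sssctl domain-status ad.labnet.org | check_active_servers
echo "== replica before --add-agents =="
printf '%s\n' "$AGENT_BROKEN" | check_active_servers \
    || echo "=> AD user lookups will fail on this server when it is the only one up"
echo "== replica after --add-agents =="
printf '%s\n' "$AGENT_HEALTHY" | check_active_servers \
    && echo "=> AD user lookups can be served from this server alone"
```

Run it once per IPA server after role changes; a server whose check fails should not be counted on for AD authentication during an outage of the others, regardless of what the web UI shows for its roles.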
