Hi,

Thank you for your continued support.
However, after reading up on the chapters on Replicas and Trust Controllers
and Trust Agents I was able to deduce my mistake ;-)

The problem was that on the replica I ran both of these commands, which had
already been run on the master:
  sudo ipa-adtrust-install
  sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true

Instead I should only have run the following command on the replica:
   sudo ipa-adtrust-install --add-agents

So I redid the setup and corrected my mistake, now it all works :-)
Both IPA servers now have the roles Trust Controller and Trust Agent.
Now I can authenticate users from IPA clients no matter whether both IPA servers
or just one of them is up and running.

Thanks a million!


On Fri, 19 Apr 2024 at 10:25, Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> On Mon, Apr 15, 2024 at 10:10 AM John Doe <jdoe53...@gmail.com> wrote:
>
>>
>>
>> On Mon, 15 Apr 2024 at 09:35, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users <
>>> freeipa-users@lists.fedorahosted.org> wrote:
>>>
>>>> I'm playing around with IPA trying to figure out how to set it up to be
>>>> redundant. The problem is that the IPA Replica isn't able to authenticate
>>>> AD users if IPA Master is down.
>>>> My setup:
>>>> One Windows Server set up with Active Directory Domain Services, Active
>>>> Directory Certificate Services and DNS server hosting the ad.labnet.org
>>>> domain and the Root CA.
>>>>
>>>> Two Linux servers setup in the labnet.org domain. Both using the
>>>> Windows Server DNS server.
>>>> The first one is set up as an IPA Master server hosting the domain
>>>> ipa.labnet.org and acts as a subordinate CA server. It was set up with
>>>> the following commands:
>>>>   sudo ipa-server-install --external-ca --external-ca-type=ms-cs
>>>>   sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
>>>>   kinit admin
>>>>   sudo ipa-adtrust-install
>>>>   sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>>
>>>> The second one is set up as an IPA Replica, also hosting the domain
>>>> ipa.labnet.org. It has been set up with the following commands:
>>>>   sudo ipa-client-install --mkhomedir
>>>>   sudo ipa-replica-install
>>>>   sudo ipa-ca-install
>>>>   kinit admin
>>>>   sudo ipa-adtrust-install
>>>>   sudo ipa trust-add --type=ad ad.labnet.org --admin Administrator --password --two-way=true
>>>>
>>> The above command (ipa trust-add) probably exited on error as the trust
>>> was already established. Please read Trust controllers and Trust Agents
>>> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#trust-controllers-and-trust-agents_planning-a-cross-forest-trust-between-idm-and-ad>
>>> to understand how the replica should be set up in order to be able to resolve
>>> AD users and groups. With your set of commands, both master and replica are
>>> configured as AD Trust Controllers and should be able to resolve users and
>>> groups, but there is no need to run the trust-add part twice.
>>>
>>
>> They both show up in IPA Admin GUI as being both Trust Controllers and
>> Trust Agents. I read that at least two trust controllers should be
>> configured per IdM deployment.
>> Thanks, I will check the document again.
>>
>>
>>>> All needed DNS records have been created in the DNS server on the
>>>> Windows server. At least I hope so.
>>>> IPA Healthcheck on both IPA servers doesn't complain about anything
>>>> missing.
>>>>   sudo ipa-healthcheck --output-type human
>>>>
>>>> One IPA Client, also set up in the labnet.org domain and using the
>>>> Windows server DNS, was set up with the following command:
>>>>   sudo ipa-client-install --domain=ipa.labnet.org --mkhomedir
>>>>
>>>> Testing authentication on the IPA Client as a user in the ad.labnet.org
>>>> domain works out like this:
>>>> Both IPA Servers up works OK
>>>> Only IPA Master up works OK
>>>> Only IPA Replica up doesn't work.
>>>>
>>> Did you test authentication on the IPA replica?
>>> Is your master a DNS server for ipa.labnet.org? Is the replica a DNS
>>> server for ipa.labnet.org?
>>>
>> I may have missed that, but just tried it out now. No, I'm not able to
>> authenticate as an AD user on the IPA Replica :-(
>>
> You can enable debug level in the replica: add debug_level=9 in all the
> sections in /etc/sssd/sssd.conf, restart sssd with systemctl restart sssd
> and clean the cache. Then retry authentication of an AD user on the replica
> and gather the logs from /var/log/sssd/*. We may be able to help with the
> logs. Do not forget to remove the debug_level when you're done.
>
> If authentication works on the master but not on the replica, it is often
> related to DNS or firewall issues between the trust controller and the AD
> domain controller.
> You can refer to
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-a-cross-forest-trust-between-idm-and-ad_planning-identity-management#guidelines-for-setting-up-dns-for-an-idm-ad-trust_planning-a-cross-forest-trust-between-idm-and-ad
> and
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_trust_between_idm_and_ad/configuring-dns-and-realm-settings-for-a-trust_installing-trust-between-idm-and-ad#doc-wrapper
>
> flo
>
>
>> No, only the Windows DNS server is a DNS server, hosting all the domains
>> labnet.org, ad.labnet.org and ipa.labnet.org
>>
>> Thanks!
>>
>> flo
>>>
>>>>
>>>> After this check with IPA Healthcheck on the IPA Replica now comes back
>>>> with this;
>>>> WARNING: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.{}: Look up of
>>>> ID {} for ad.labnet.org returned nothing
>>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global
>>>> Catalog: AD Global Catalog not found in /usr/sbin/sssctl 'domain-status'
>>>> output: Active servers:
>>>> IPA: lab003.labnet.org
>>>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain
>>>> Controller: AD Domain Controller not found in /usr/sbin/sssctl
>>>> 'domain-status' output: Active servers:
>>>> IPA: lab003.labnet.org
>>>>
>>>> Can anyone suggest what I have done wrong or missed? As far as I can
>>>> tell there are no commands that let me write to the Global Catalog?
>>>> Thanks!
>>>> --
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>> Do not reply to spam, report it:
>>>> https://pagure.io/fedora-infrastructure/new_issue
>>>>
>>>
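Florence's debugging advice above (set debug_level=9 in every section of /etc/sssd/sssd.conf on the replica, restart sssd, clear the cache, collect /var/log/sssd/*, and remove the setting again afterwards) is easy to get wrong by hand: a section gets missed, or the debug line is forgotten and stays in production. Below is an added example, not code from this thread or from the SSSD or FreeIPA projects, of a small POSIX shell helper that does the edit with a backup so the revert is exact. It assumes the file uses INI-style [section] headers, and the ".predebug" backup file name is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD/FreeIPA projects.
# Turns debug_level=9 on in every section of an sssd.conf and reverts it
# exactly afterwards via a backup copy (".predebug" is our own naming).
set -eu

# Enable debugging: back up FILE (preserving mode, sssd.conf should stay 0600),
# then rewrite it so every [section] header is followed by "debug_level = 9".
# Pre-existing debug_level lines are dropped so each section has exactly one
# setting; the original values come back with sssd_debug_off.
sssd_debug_on() {
    file=$1
    if [ -e "$file.predebug" ]; then
        echo "sssd_debug_on: $file.predebug already exists; is debug already on?" >&2
        return 1
    fi
    cp -p "$file" "$file.predebug"
    awk '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {   # section header, e.g. [domain/ipa.labnet.org]
            print
            print "debug_level = 9"
            next
        }
        /^[[:space:]]*debug_level[[:space:]]*=/ { next }   # drop old value (restored from backup later)
        { print }
    ' "$file.predebug" > "$file"
    # Remaining steps from the reply: systemctl restart sssd, clear the SSSD
    # cache, reproduce the failing AD login, then gather /var/log/sssd/*.
}

# Disable debugging: restore the exact pre-debug file so no debug_level=9 is
# left behind (the reply explicitly warns not to forget this step).
sssd_debug_off() {
    file=$1
    if [ ! -e "$file.predebug" ]; then
        echo "sssd_debug_off: no $file.predebug backup found" >&2
        return 1
    fi
    mv "$file.predebug" "$file"
}

# Count "debug_level = 9" lines in FILE; handy to confirm on/off took effect.
sssd_debug_count() {
    grep -c '^debug_level = 9$' "$1" || true
}

# Usage: sh sssd_debug_toggle.sh on|off /etc/sssd/sssd.conf
case "${1:-}" in
    on)  sssd_debug_on "$2" ;;
    off) sssd_debug_off "$2" ;;
esac
```

Run it as root with "on" before reproducing the failed AD login on the replica and "off" once the logs are collected; because the revert is a file restore rather than a second text edit, any debug_level a section already had comes back unchanged.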