On Tue, 03 Feb 2015, William wrote:

>Wow! From all this it really sounds like adding a replica in to an IPA
>domain where adtrust has been run could have a few edge cases. For
>example, what would happen if I create a new account on a replica
>without adtrust? Would sidgen run on the adtrust machine when it gets
>the record replicated to it?
I think it might work. sidgen is a post operation and replication
protocol uses normal ldap_*_ext() API to send new objects.


Maybe something to test?
You can create a user on the replica without ipa-adtrust-install and
watch after replication on whether ipaNTSecurityIdentifier appeared in
the user's object in LDAP.

>This should be configured on replicas added to the network if adtrust
>has been run already. Perhaps this is something to consider also?
>Consistency throughout the domain is a good thing.
Exactly. Good suggestion. One thing we need to solve here is that
enabling sidgen and other components will require installing Samba
libraries. This is something to consider -- do we want these libraries
(not daemons) installed on every master?

>Well, ipa-adtrust is a separate package already isn't it? If you were in
>the position to be setting up an adtrust on freeipa, you would document
>that it should be installed on all hosts anyway, so then the adtrust
>package would pull in the adtrust libs.
>
>Once the adtrust is installed, be it trust controller or agent, perhaps
>this should be added into the domain services tree under cn=etc. That
>way, after the adtrust is run, you can see a list of hosts that do not
>yet have it installed, so that the trust agent can be configured on all
>other replicas. Additionally, adding a new replica could be hinted that
>if this exists to configure itself as a trust agent automatically as
>part of ipa-replica-install.
>
>Does that sound like a reasonable suggestion?
Yes, this is what ipa-adtrust-install implements right now. My issue
with this approach is the fact that we don't want to run
smbd/winbindd/etc for trust agent case. Yet, ipa-adtrust-install forces
packages to be installed and services to be active.

We can start with disabling ADTRUST and EXTID services on trust agents
(these are smb and winbind in ipactl speak) and, maybe, rename them to
something less confusing. Then we can decide whether not installing
samba server packages would really be needed.


--
/ Alexander Bokovoy
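The replication check Alexander proposes above (create a user on a replica that has no ipa-adtrust-install, then watch on the adtrust master whether ipaNTSecurityIdentifier shows up on the replicated entry), written out as an added Python script that is not from this thread or from the FreeIPA project. It assumes the ipa CLI and ldapsearch are on the replica with a valid Kerberos ticket, that the domain SID is readable from the ipaNTDomainAttrs entry under cn=ad,cn=etc, and that users live under cn=users,cn=accounts.

```python
import re
import subprocess
import sys
import time

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain SID plus one RID

def ldif_values(ldif: str, attr: str) -> list[str]:
    """All values of attr in ldapsearch LDIF output; folded lines are unfolded first."""
    prefix = attr.lower() + ":"
    return [ln.split(":", 1)[1].strip() for ln in re.sub(r"\n ", "", ldif).splitlines()
            if ln.lower().startswith(prefix)]

def check_user_sid(entry_ldif: str, domain_sid: str) -> tuple[bool, str]:
    """(ok, detail): ok only for exactly one well-formed SID under our domain SID;
    a missing, duplicated, foreign or malformed SID is a failure, not a pass."""
    sids = ldif_values(entry_ldif, "ipaNTSecurityIdentifier")
    if len(sids) != 1:
        return False, f"expected 1 ipaNTSecurityIdentifier, found {len(sids)} (0: sidgen did not run)"
    sid = sids[0]
    if not SID_RE.match(sid):
        return False, f"malformed SID {sid!r}"
    if not sid.startswith(domain_sid + "-"):
        return False, f"{sid} is not under domain SID {domain_sid}"
    return True, sid

def ldapsearch(host: str, base: str, scope: str, flt: str) -> str:
    # GSSAPI bind; assumes a valid Kerberos ticket (kinit) on this host.
    cmd = ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{host}",
           "-s", scope, "-b", base, flt, "ipaNTSecurityIdentifier"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def wait_for_sid(master: str, suffix: str, uid: str, timeout: int = 60) -> tuple[bool, str]:
    # Poll the adtrust master until the replicated user carries a SID, or time out.
    dom = ldif_values(ldapsearch(master, f"cn=ad,cn=etc,{suffix}", "sub",
                                 "(objectClass=ipaNTDomainAttrs)"), "ipaNTSecurityIdentifier")
    if len(dom) != 1:
        return False, "could not read the domain SID from cn=ad,cn=etc"
    user_dn = f"uid={uid},cn=users,cn=accounts,{suffix}"
    deadline = time.monotonic() + timeout
    while True:
        ok, detail = check_user_sid(ldapsearch(master, user_dn, "base", "(objectClass=*)"), dom[0])
        if ok or time.monotonic() > deadline:
            return ok, detail
        time.sleep(2)

if __name__ == "__main__":  # run on the replica WITHOUT adtrust: <master> <suffix> <uid>
    master, suffix, uid = sys.argv[1:4]
    subprocess.run(["ipa", "user-add", uid, "--first", "Sid", "--last", "Test"], check=True)
    ok, detail = wait_for_sid(master, suffix, uid)
    print("PASS", detail) if ok else sys.exit(f"FAIL: {detail}")
```

A FAIL with "found 0" after the timeout means the entry replicated without sidgen touching it on the master; a foreign or malformed SID is reported separately so it is not mistaken for success.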

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project