Hi List

The deployment I'm contemplating is as follows:

1. FreeIPA master at a central site, with AD Trust established to the primary DC.
2. Replicas of the FreeIPA master at 4 other sites (with varying WAN
latency between central and site), with replication agreements only
to the master at the central site.

(So the AD trust is established only between the master IPA server and
the primary AD domain controller.)

There is also an existing domain controller at each site that syncs
to the primary domain controller at the main site.

I'd like AD user access to Linux systems at each site to be as stable
and consistent as possible, so to rule out the effect of WAN latency
and possibly intermittent connectivity (and a host of other possibly
unknown factors), I plan to establish an AD trust between the replica
at each site and the local AD domain controller. My thinking is that
AD user account information will then be available to the replica
almost as soon as it's available to the AD DC at that site.
So ultimately, the consistency of user information should be as good
as can be expected from AD's cross-WAN replication to remote sites,
even if the synchronisation between a replica and master is not 100%
in sync at all times (e.g. due to WAN latency).

My concern is that multiple trusts established this way may lead to
replication inconsistency between the master IPA server and its
replicas, especially in the case where the replica is seeing AD
information in different stages of replication.

My question: Does IPA cope with this scenario? Is it safe, and will it
improve AD authentication performance (at least from the user point of
view) to establish trust between each replica and the local domain
controller in each given site?

This topic was raised already in March on this list, so please study the
archives for more details about site-awareness in SSSD.

One thing I must note is that you seem to share a common
misunderstanding of how trust to Active Directory is established. There
is *no* need to 'establish an AD trust between the replica at each site
and the local AD domain controller'. The trust is established once and
for whole forest. Information about the trust is replicated to all IPA
masters. In order to get them activated to *provide* access to already
established trust you need to run 'ipa-adtrust-install' on each IPA
master. However, you *don't* need to run 'ipa trust-add' again, and even
if you ran it, it would fail because none of your local AD DCs is the
primary domain controller for your forest root domain.

/ Alexander Bokovoy
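The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell check to run on each IPA master (central or site replica) that distinguishes the two steps Alexander separates above. It asks the local master whether the forest trust created once with 'ipa trust-add' has already replicated to it ('ipa trust-show'), and whether 'ipa-adtrust-install' has been run locally. The domain name ad.example.test, the IPA_BIN override, and the use of the cifs/<fqdn> service principal as the indicator that ipa-adtrust-install has run are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original thread). Run on one IPA master to
# see whether it can serve the already-established forest trust.
# Assumptions: AD_DOMAIN is the AD forest root (constructed default below);
# IPA_BIN lets a dry run substitute a stub for the real 'ipa' client;
# ipa-adtrust-install registers a cifs/<fqdn> service principal, which is
# used here as the sign that it has been run on this host.

AD_DOMAIN="${AD_DOMAIN:-ad.example.test}"   # constructed forest root domain
IPA_BIN="${IPA_BIN:-ipa}"                   # real client, or a stub for tests

# Succeeds if this master's replicated LDAP data already lists the trust to $1.
# The trust object is created once on the master that ran 'ipa trust-add'
# and replicates to every other IPA master; no per-site trust-add is needed.
trust_is_replicated() {
    "$IPA_BIN" trust-show "$1" 2>/dev/null | grep -qi "Realm name: *$1"
}

# Succeeds if ipa-adtrust-install has been run on host $1 (FQDN):
# it creates the cifs/<fqdn> service for Samba (assumed indicator).
adtrust_installed() {
    "$IPA_BIN" service-show "cifs/$1" >/dev/null 2>&1
}

# Print one status word for master $1 (FQDN):
#   trust-missing          -> trust not yet replicated here; check replication
#   needs-adtrust-install  -> trust present, local activation still required
#   ready                  -> this master can answer for the trust
adtrust_status() {
    if ! trust_is_replicated "$AD_DOMAIN"; then
        echo trust-missing
    elif ! adtrust_installed "$1"; then
        echo needs-adtrust-install
    else
        echo ready
    fi
}

# Map a status word to the next step the reply above prescribes.
# NETBIOS_NAME is hypothetical and stands for the IPA domain's NetBIOS name.
next_step_for() {
    case "$1" in
        trust-missing)         echo "wait for / repair replication from the central master; do not run 'ipa trust-add' here" ;;
        needs-adtrust-install) echo "run: ipa-adtrust-install --netbios-name=NETBIOS_NAME -U (then restart sssd)" ;;
        ready)                 echo "nothing to do" ;;
        *)                     echo "unknown status: $1"; return 1 ;;
    esac
}

# Stand-alone use: ./adtrust-check.sh --check
if [ "${1:-}" = "--check" ]; then
    host="$(hostname -f)"
    status="$(adtrust_status "$host")"
    echo "$host: $status"
    echo "next step: $(next_step_for "$status")"
fi
```

Running it with --check on every IPA master after 'ipa trust-add' has been done once on the central master gives a per-host view of the two cases the reply distinguishes: a replica that has received the trust object but still needs 'ipa-adtrust-install', versus one that is ready. Site-aware failover for clients is an SSSD matter, as the reply notes, and is not covered by this check.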

