On Wed, 2018-04-11 at 14:36 -0400, Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > Multi-region AWS IPA user here. We've got an ancient and brittle IPA > setup with broken replication and an inability to upgrade. Rather than > fix I want to stand up a whole new set of IPA servers running the latest > version so I can get replication working again as well as leverage all > the great new features in IPA and SSSD subsystem. > > However in my environment it's an incredibly complex process to set up a > 1-way trust with Active Directory. > > The administrators work for a managed service provider and they are > outside of the normal support loop so they rarely interact with peons > and outsiders like myself. Just getting their attention is a procedural > and political effort. The first AD trust took more than 3 months to > setup (!) > > > I need to start the process again for requesting a new AD trust > arrangement for the new IPA servers I intend to build. > > Realized that I had a really dumb question ... > > If my goal is to have a 4-node replicating cluster (2x in us-east AWS > region and 2x in eu-central-2 region) how many discrete AD trusts do I > actually have to arrange with my remote AD administrators? > > If I get a good 1-way trust working on a single IPA node in the cluster, > will the replicating targets inherit this trust? > > Do I need to set up the trust individually on each of the 4 planned IPA > boxes?
Hi Chris, not a stupid question. A Trust is a domain level property, when you establish a trust your whole IPA domain is in a trust relationship with the AD domain. Not all IPA servers are also trust controllers automatically, IIRC, but you also do not need all of them to be for redundancy. You may want to read https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust for a better understanding of what is involved in managing AD trusts, 5.1.6 explains the difference between trust controllers and trust agents. HTH, Simo. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
