Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Cool

Thanks
Rob Verduijn

2016-01-25 12:59 GMT+01:00 Alexander Bokovoy:
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Since the first option has less impact, that one sounds the most
>> interesting.
>> However, does this also remain functional when the first IPA server is
>> taken offline?
>
> Yes. What this option does is allow an IPA master to become a 'trust
> agent', which means SSSD on that master will be able to use cross-forest
> trust credentials to talk to AD for user/group information and
> authentication purposes. It does not allow that master to *manage* the
> trust itself.
>
>>
>> Rob Verduijn
>>
>> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy:
>>>
>>> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>>>
>>>> Hi all,
>>>>
>>>> When you have an IPA 4.2 server with a one-way trust to the AD,
>>>> what steps are needed to install a second IPA master that also has a
>>>> one-way trust to the AD?
>>>
>>>
>>> Depends on what you want to achieve.
>>>
>>> If you want the second IPA master to be able to resolve AD users, just
>>> install the master and run 'ipa-adtrust-install --add-agents' on the
>>> *first* master. You will be prompted about adding the second
>>> master to the list of hosts allowed to use cross-forest trust
>>> credentials.
>>>
>>> If you want to use the second IPA master to *manage* trust, you'd need
>>> to run 'ipa-adtrust-install' on it. No need to specify
>>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>>> run will be automatically added to the list.
>>> --
>>> / Alexander Bokovoy
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Rob Verduijn wrote:
>
> Since the first option has less impact, that one sounds the most interesting.
> However, does this also remain functional when the first IPA server is
> taken offline?

Yes. What this option does is allow an IPA master to become a 'trust
agent', which means SSSD on that master will be able to use cross-forest
trust credentials to talk to AD for user/group information and
authentication purposes. It does not allow that master to *manage* the
trust itself.

>
> Rob Verduijn
>
> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy:
>>
>> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>>
>>> Hi all,
>>>
>>> When you have an IPA 4.2 server with a one-way trust to the AD,
>>> what steps are needed to install a second IPA master that also has a
>>> one-way trust to the AD?
>>
>>
>> Depends on what you want to achieve.
>>
>> If you want the second IPA master to be able to resolve AD users, just
>> install the master and run 'ipa-adtrust-install --add-agents' on the
>> *first* master. You will be prompted about adding the second
>> master to the list of hosts allowed to use cross-forest trust
>> credentials.
>>
>> If you want to use the second IPA master to *manage* trust, you'd need
>> to run 'ipa-adtrust-install' on it. No need to specify
>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>> run will be automatically added to the list.
>> --
>> / Alexander Bokovoy



--
/ Alexander Bokovoy



Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Since the first option has less impact, that one sounds the most interesting.
However, does this also remain functional when the first IPA server is
taken offline?

Rob Verduijn

2016-01-25 12:41 GMT+01:00 Alexander Bokovoy:
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Hi all,
>>
>> When you have an IPA 4.2 server with a one-way trust to the AD,
>> what steps are needed to install a second IPA master that also has a
>> one-way trust to the AD?
>
> Depends on what you want to achieve.
>
> If you want the second IPA master to be able to resolve AD users, just
> install the master and run 'ipa-adtrust-install --add-agents' on the
> *first* master. You will be prompted about adding the second
> master to the list of hosts allowed to use cross-forest trust
> credentials.
>
> If you want to use the second IPA master to *manage* trust, you'd need
> to run 'ipa-adtrust-install' on it. No need to specify
> '--add-agents' because the master where 'ipa-adtrust-install' is being
> run will be automatically added to the list.
> --
> / Alexander Bokovoy



Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy

On Mon, 25 Jan 2016, Rob Verduijn wrote:
>
> Hi all,
>
> When you have an IPA 4.2 server with a one-way trust to the AD,
> what steps are needed to install a second IPA master that also has a
> one-way trust to the AD?

Depends on what you want to achieve.

If you want the second IPA master to be able to resolve AD users, just
install the master and run 'ipa-adtrust-install --add-agents' on the
*first* master. You will be prompted about adding the second
master to the list of hosts allowed to use cross-forest trust
credentials.

If you want to use the second IPA master to *manage* trust, you'd need
to run 'ipa-adtrust-install' on it. No need to specify
'--add-agents' because the master where 'ipa-adtrust-install' is being
run will be automatically added to the list.
--
/ Alexander Bokovoy
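
An added example, not part of the thread or of FreeIPA itself: a small audit of the "list of hosts allowed to use cross-forest trust credentials" described above, so that after adding the second master you can confirm it is listed and that nothing unexpected is. It assumes the list is the LDAP group cn=adtrust agents,cn=sysaccounts,cn=etc,<suffix> with masters as fqdn=... members; the host names, suffix and LDIF below are constructed.

```shell
#!/bin/sh
# Input: LDIF of the agents group, e.g. from (assumed base DN, adjust suffix):
#   ldapsearch -Y GSSAPI -o ldif-wrap=no \
#     -b "cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=example" member

# Print the FQDN of every host entry that is a member, one per line.
# Non-host members (for example service principals) are ignored.
list_trust_agents() {
    sed -n 's/^member: [Ff][Qq][Dd][Nn]=\([^,]*\),.*/\1/p' "$1" |
        tr 'A-Z' 'a-z' | sort -u
}

# Compare the group with the masters that are supposed to be trust agents.
# Prints "MISSING <host>" / "UNEXPECTED <host>"; returns 1 on any difference.
audit_trust_agents() {
    ldif=$1; shift
    actual=$(list_trust_agents "$ldif")
    expected=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z' | sort -u)
    status=0
    for h in $expected; do
        printf '%s\n' "$actual" | grep -qxF "$h" ||
            { echo "MISSING $h"; status=1; }
    done
    for h in $actual; do
        printf '%s\n' "$expected" | grep -qxF "$h" ||
            { echo "UNEXPECTED $h"; status=1; }
    done
    return $status
}

# Constructed sample LDIF (not real output from any deployment).
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=example
member: fqdn=ipa1.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
member: krbprincipalname=cifs/ipa1.ipa.example@IPA.EXAMPLE,cn=services,cn=accounts,dc=ipa,dc=example
member: fqdn=ipa2.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
EOF

audit_trust_agents "$SAMPLE_LDIF" ipa1.ipa.example ipa2.ipa.example &&
    echo "agent list matches expected masters"
```

An UNEXPECTED line is the one to look at first, since every listed host can use the cross-forest trust credentials.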
