On Fri, 03 Jul 2020, Vinícius Ferrão wrote:
> Hi Alexander,
> But is it OK not to be a trust controller or trust agent? Is it a good
> idea to be a trust agent at least? How can I check both?
'trust agent' is an IPA server which resolves AD users and groups. So if
you want your IPA clients to resolve AD users and groups, they need to
talk to a master/replica with the 'Trust Agent' server role.
However, resolution of SIDs in the web UI and IPA CLI requires that the
master/replica you talk to has the 'freeipa-server-trust-ad' package
installed because that one pulls in the actual required packages that allow
us to resolve SIDs from Python. That has the overhead of installing all
Samba components, including the server side.
If you don't want that, you might want to install only
  python3-libsss_nss_idmap
  python3-samba
  python3-sss
in addition to python3-ipaserver and make the host a 'Trust agent'. I haven't
checked that this recipe indeed works, only validated the dependencies.
'trust controller' is what makes it possible to establish a trust to an AD
forest. You don't need more than one of those, typically.
> I can fetch from IPA the data regarding the trust, on the replica
> server normally.
>
> [root@ipa2 ~]# ipa trust-show
>   Realm name: ad.example.com
>   Domain NetBIOS name: EXAMPLE
>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   UPN suffixes: example.com, invalid.com
>
> [root@ipa2 ~]# ipa trustdomain-find
>   Realm name: ad.example.com
>   Domain name: ad.example.com
>   Domain NetBIOS name: EXAMPLE
>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>   Domain enabled: True
>
> Thank you.
>> On 3 Jul 2020, at 04:20, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>>
>> On Fri, 03 Jul 2020, Vinícius Ferrão via FreeIPA-users wrote:
>>> Hello, I have two FreeIPA servers with AD trust enabled. Usually I do
>>> everything on the IPA #1 server, but I just observed that SIDs aren't
>>> resolved on the replica, is it normal? I'm attaching a picture of the
>>> issue to illustrate it. If this is not right, can someone help with
>>> debugging steps? I observed that I can't do getent passwd ferrao on the
>>> replica either. Only on master:
>>>
>>> [root@ipa1 ~]# getent passwd ferrao
>>> ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
>>> [root@ipa2 ~]# getent passwd ferrao
>>
>> Looks like the second server is neither trust controller nor trust
>> agent.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
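As an added example (not part of this thread or of FreeIPA's own tooling), a small POSIX shell helper that answers the "How can I check both?" question by parsing `ipa server-role-find` output for a given master; the embedded sample output is constructed, and the field labels are assumed to match the real command's output.

```shell
# Added example, not from the thread: tell whether an IPA master is an AD
# trust agent / trust controller by parsing `ipa server-role-find` output.
# Field labels (Server name / Role name / Role status) are assumed to match
# the real command; SAMPLE_ROLES below is constructed sample output.

# role_status HOST "ROLE NAME": reads server-role-find output on stdin and
# prints HOST's status for ROLE (enabled/configured/absent/...), else "unknown".
role_status() {
    awk -v host="$1" -v role="$2" '
        /^ *Server name:/ { sub(/^ *Server name: */, ""); srv = $0 }
        /^ *Role name:/   { sub(/^ *Role name: */, "");   rl = $0 }
        /^ *Role status:/ {
            sub(/^ *Role status: */, "")
            if (srv == host && rl == role) { print; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# trust_summary HOST OUTPUT prints "agent=<status> controller=<status>".
# Anything but agent=enabled explains why AD users and SIDs do not resolve
# through that master (the situation on ipa2 in the thread).
trust_summary() {
    agent=$(printf '%s\n' "$2" | role_status "$1" "AD trust agent")
    ctrl=$(printf '%s\n' "$2" | role_status "$1" "AD trust controller")
    printf 'agent=%s controller=%s\n' "$agent" "$ctrl"
}

# Constructed sample resembling `ipa server-role-find` for two masters.
SAMPLE_ROLES='----------------------
4 server roles matched
----------------------
  Server name: ipa1.example.com
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa1.example.com
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa2.example.com
  Role name: AD trust agent
  Role status: absent

  Server name: ipa2.example.com
  Role name: AD trust controller
  Role status: absent
----------------------------
Number of entries returned 4
----------------------------'
trust_summary ipa2.example.com "$SAMPLE_ROLES"   # agent=absent controller=absent
```

On a live master run `trust_summary ipa2.example.com "$(ipa server-role-find)"`; a master reporting `agent=absent` can be made a trust agent by running `ipa-adtrust-install --add-agents` on the trust controller.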