On 15 June 2018 at 16:03, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
> https://github.com/freeipa/freeipa/pull/1825
>
> And from here
>
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
>
> it looks like I need to run
>
> ipa-adtrust-install --add-agents
>
> on the master and follow the prompts?
>
Exactly.
Alex, thanks for the confirmation.
FWIW, running ipa-adtrust-install --add-agents on the current ipa master
asked me:

WARNING: 1 IPA masters are not yet able to serve information about users
from trusted forests.
Installer can add them to the list of IPA masters allowed to access
information about trusts.
If you choose to do so, you also need to restart LDAP service on those
masters.
Refer to ipa-adtrust-install(1) man page for details.
IPA master [ipa-replica.company.com]? [no]:

which, when I said no, exited without making any changes that I could see.
When I ran the same on the replica, I got the same question, but this time
answered yes. I can now id users successfully - but fwiw, when I run

Server name: ipa-replica.company.com
Server name: ipa-replica.company.com
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller

So it has become a trust controller as well.
Is that because it's also a CA server?
cheers
L.