On 15 June 2018 at 16:03, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:

https://github.com/freeipa/freeipa/pull/1825

And from here
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/

it looks like I need to run

ipa-adtrust-install --add-agents

on the master and follow the prompts?
Exactly.



Alex, thanks for the confirmation.

FWIW, running ipa-adtrust-install --add-agents on the current ipa master asked me:

WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests.
Installer can add them to the list of IPA masters allowed to access information about trusts.
If you choose to do so, you also need to restart LDAP service on those masters.
Refer to ipa-adtrust-install(1) man page for details.

IPA master [ipa-replica.company.com]? [no]:   

which, when I said no, exited without making any changes that I could see.

When I ran the same on the replica, I got the same question, but this time answered yes. I can now id users successfully - but fwiw, when I run

Server name: ipa-replica.company.com
  Server name: ipa-replica.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller

So it has become a trust controller as well.

Is that because it's also a CA server?

cheers
L.