On Mon., 18 Jun. 2018, 16:15 Alexander Bokovoy, <abokovoy(a)redhat.com> wrote:
On Mon, 18 Jun 2018, Lachlan Musicman wrote:
>On 15 June 2018 at 16:03, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
>> On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
>>> https://github.com/freeipa/freeipa/pull/1825
>>>
>>> And from here
>>>
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
>>>
>>> it looks like I need to run
>>>
>>> ipa-adtrust-install --add-agents
>>>
>>> on the master and follow the prompts?
>>
>> Exactly.
>
>
>Alex, thanks for the confirmation.
>FWIW, running ipa-adtrust-install --add-agents on the current ipa master
>asked me:
>WARNING: 1 IPA masters are not yet able to serve information about users
>from trusted forests.
>Installer can add them to the list of IPA masters allowed to access
>information about trusts.
>If you choose to do so, you also need to restart LDAP service on those
>masters.
>Refer to ipa-adtrust-install(1) man page for details.
>IPA master [ipa-replica.company.com]? [no]:
>which, when I said no, exited without making any changes that I could see.

When you run ipa-adtrust-install --add-agents on an existing trust
controller, it asks you whether you want to convert *another* IPA master
to a trust agent.
This is what you should do if you only want to have that *another* IPA
master as a trust agent. So you needed to answer 'yes' there.

>When I ran the same on the replica, I got the same question, but this time
>answered yes. I can now id users successfully - but fwiw, when I run

This converted the replica to a trust controller, not a trust agent.

>So it has become a trust controller as well.

Yes, because you asked it to do so by running ipa-adtrust-install on it.

>Is that because it's also a CA server?

No. It is because you asked it to become a trust controller by running
ipa-adtrust-install on the host.
If you want to make a replica a trust agent, run ipa-adtrust-install
--add-agents on an _existing_ trust controller.

Ok. Thank you.
Is it an issue to have two trust controllers?
If it is, is there an easy way to remove trust controller status?
Cheers
L.