On Wed, 27 Dec 2017, Николай Савельев via FreeIPA-users wrote:
> Hello.
> I'm setting up AD trust by this article
> https://www.freeipa.org/page/Active_Directory_trust_setup
> I don't understand one moment.
> I must run
> ipa-adtrust-install --netbios-name=ipa_netbios -a mypassword1
> and
> ipa trust-add --type=ad ad_domain --admin Administrator --password
> on every ipa server or not?

These are two different utilities that have different purposes and
different actions. Think of 'ipa-adtrust-install' as a language lesson
class. Think of 'ipa trust-add' as a use of the language knowledge. You
don't take language lesson classes every time you need to talk. However,
if you don't know the language, you'd need to learn it before using.
This is what 'ipa-adtrust-install' does for a specific IPA master, thus
it would need to be run on each IPA master you want to designate as a
trust controller. Read Windows Integration Guide about 'Trust
Controllers and Trust Agents':
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Operations performed by 'ipa trust-add' are done in the replicated LDAP
subtree where they would be seen by all IPA masters. So it is done at
the time when you establish trust (e.g. talk in a language you have
learned in the past) but it is not done on every IPA master because results
of that operation would be visible to all IPA masters.
--
/ Alexander Bokovoy