On Fri, 03 Jul 2020, Vinícius Ferrão wrote:
Hi Alexander,
But is it OK not to be a trust controller or a trust agent? Is it a good idea to be a trust agent at least? How can I check both?
'Trust agent' is an IPA server which resolves AD users and groups. So if you want your IPA clients to resolve AD users and groups, they need to talk to a master/replica with the 'Trust Agent' server role.
However, resolution of SIDs in the web UI and IPA CLI requires that the master/replica you talk to has the 'freeipa-server-trust-ad' package installed, because that one pulls in the actual required packages that allow us to resolve SIDs from Python. That has the overhead of installing all Samba components, including the server side.
If you don't want that, you might want to install only
python3-libsss_nss_idmap python3-samba python3-sss
in addition to python3-ipaserver and make the host a 'Trust agent'. I haven't checked that this recipe indeed works; I have only validated the dependencies.
'Trust controller' is what makes it possible to establish a trust to an AD forest. You typically don't need more than one of those.
I can fetch from IPA the data regarding the trust, on the replica server normally.
[root@ipa2 ~]# ipa trust-show
Realm name: ad.example.com
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Trust direction: Trusting forest
Trust type: Active Directory domain
UPN suffixes: example.com, invalid.com
[root@ipa2 ~]# ipa trustdomain-find
Realm name: ad.example.com
Domain name: ad.example.com
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Domain enabled: True
Thank you.
On 3 Jul 2020, at 04:20, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 03 Jul 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello, I have two FreeIPA servers with AD trust enabled. Usually I do everything on the IPA #1 server, but I just observed that SIDs aren't resolved on the replica. Is that normal? I'm attaching a picture of the issue to illustrate it. If this is not right, can someone help with debugging steps? I observed that I can't do getent passwd ferrao on the replica either. Only on the master:
[root@ipa1 ~]# getent passwd ferrao
ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
[root@ipa2 ~]# getent passwd ferrao
Looks like the second server is neither trust controller nor trust agent.
-- 
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
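The question "How can I check both?" is answered by the server-role commands that FreeIPA ships (`ipa server-role-find`, `ipa server-show`), whose roles are named "AD trust agent" and "AD trust controller". The script below is an added example, not part of the thread and not FreeIPA's own code: it parses `ipa server-role-find` output and reports whether a server holds either trust role, which is exactly the condition behind the diagnosis "neither trust controller nor trust agent". The two transcripts embedded in it (`SAMPLE`, and the enabled variant in the comments) are constructed to mimic the real output format so the script runs offline; on a live deployment you would pipe the real command into the function as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide from
# `ipa server-role-find` output whether an IPA server is a trust agent
# and/or trust controller. On a real server, with an admin Kerberos
# ticket, you would run:
#   ipa server-role-find --server=ipa2.example.com | classify_trust_roles
# SAMPLE below is a constructed transcript of that output for a replica
# that, like ipa2 in the thread, holds neither trust role.
SAMPLE='----------------------
4 server roles matched
----------------------
  Server name: ipa2.example.com
  Role name: AD trust agent
  Role status: absent

  Server name: ipa2.example.com
  Role name: AD trust controller
  Role status: absent

  Server name: ipa2.example.com
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.com
  Role name: IPA master
  Role status: enabled
----------------------------
Number of entries returned 4
----------------------------'

# Reads server-role-find output on stdin and prints the status of the two
# trust-related roles in a fixed order ("agent=<status>", "controller=<status>").
# Role status values FreeIPA uses are enabled, configured, absent and hidden;
# a role that never appears in the output is reported as "unknown".
classify_trust_roles() {
  awk -F': *' '
    /^ *Role name:/   { role = $2 }
    /^ *Role status:/ { status[role] = $2 }
    END {
      a = ("AD trust agent" in status)      ? status["AD trust agent"]      : "unknown"
      c = ("AD trust controller" in status) ? status["AD trust controller"] : "unknown"
      printf "agent=%s\ncontroller=%s\n", a, c
    }'
}

# Returns 0 when the server can serve AD user/group lookups to IPA clients
# (trust agent or trust controller role enabled), 1 otherwise.
can_resolve_ad_users() {
  printf '%s\n' "$1" | classify_trust_roles | grep -q '=enabled$'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | classify_trust_roles
if can_resolve_ad_users "$SAMPLE"; then
  echo "server holds a trust role: clients pointed at it can resolve AD users"
else
  echo "server is neither trust agent nor trust controller: AD lookups will fail here"
fi
```

For a quick manual check without the script, `ipa server-show ipa2.example.com` lists the same information under "Enabled server roles"; a replica that is missing both trust roles there is the situation described in the thread, and `getent passwd` for an AD user will come back empty on that host just as it did on ipa2.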