Hi Alexander,
But is it OK not to be a trust controller or trust agent? Is it a good idea to be a trust agent at least? How can I check both?
I can fetch from IPA the data regarding the trust, on the replica server normally.

[root@ipa2 ~]# ipa trust-show
Realm name: ad.example.com
  Realm name: ad.example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  UPN suffixes: example.com, invalid.com

[root@ipa2 ~]# ipa trustdomain-find
  Realm name: ad.example.com
  Domain name: ad.example.com
  Domain NetBIOS name: EXAMPLE
  Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
  Domain enabled: True

Thank you.
On 3 Jul 2020, at 04:20, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 03 Jul 2020, Vinícius Ferrão via FreeIPA-users wrote:
Hello,

I have two FreeIPA servers with AD trust enabled. Usually I do everything on the IPA #1 server, but I just observed that SIDs aren’t resolved on the replica. Is it normal? I’m attaching a picture of the issue to illustrate it.

If this is not right, can someone help with debugging steps?

I observed that I can’t do getent passwd ferrao on the replica either. Only on master:

[root@ipa1 ~]# getent passwd ferrao
ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
[root@ipa2 ~]# getent passwd ferrao

Looks like the second server is neither trust controller nor trust agent.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland