Hi Everyone,
Is it possible to remove the trust controller role from masters? I ran the trust agent setup on two masters that I just wanted to handle the trust agent role and now they're showing up as trust controllers, too. I don't know why that happened since I've done this before.
I could run the server uninstall on those two masters and enroll them again. But, I'd like to avoid that if I can.
Thanks in advance.
On Thu, 2022-06-23 at 13:07 -0400, Ranbir via FreeIPA-users wrote:
> Is it possible to remove the trust controller role from masters? I ran the trust agent setup on two masters that I just wanted to handle the trust agent role and now they're showing up as trust controllers, too. I don't know why that happened since I've done this before.
I ended up running the uninstall and install again. I then ran, "ipa-adtrust-install --add-agent" on the new master and it got set up as an agent and controller again. :/ I double checked the docs, which say to do exactly what I did.
I did the uninstall/install cycle again and went back to running the "ipa-adtrust-install --add-agent" on the trust controller. After that was done, I restarted the ipa services on the agent that was just added. When I now look at the new master's server config, it correctly shows its server roles to include the AD Trust Agent role and not the controller role. That's exactly what I was looking for.
It seems the docs are incorrect or the ipa-adtrust-install command has changed with the freeipa releases in RHEL 8+. In RHEL 7 (and its downstream derivatives), running "ipa-adtrust-install --add-agent" only added the AD Trust Agent role to the server the command was run on.
Hi,
On Thu, Jun 23, 2022 at 8:26 PM Ranbir via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On Thu, 2022-06-23 at 13:07 -0400, Ranbir via FreeIPA-users wrote:
> > Is it possible to remove the trust controller role from masters? I ran the trust agent setup on two masters that I just wanted to handle the trust agent role and now they're showing up as trust controllers, too. I don't know why that happened since I've done this before.
There is no tool to remove only the trust controller role. I'm afraid you need to go through the uninstallation of the server and re-install the server with only the roles you wish to configure on it. This ticket 3993 *Provide a way to uninstall trust-ad package* [1] tracked the need for an uninstaller but was closed as wontfix.
> I ended up running the uninstall and install again. I then ran, "ipa-adtrust-install --add-agent" on the new master and it got set up as an agent and controller again. :/ I double checked the docs, which say to do exactly what I did.
To set up nodeB as a trust agent when nodeA is already a trust controller, ipa-adtrust-install --add-agents has to be executed *on nodeA*. The documentation [2] mentions the following:
----- 8< -----
On an existing trust controller, run the ipa-adtrust-install --add-agents command
----- 8< -----
I'm pretty sure that the behavior was already the same in RHEL7.
HTH, flo
[1] https://pagure.io/freeipa/issue/3993
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
On Fri, 2022-06-24 at 10:30 +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
> There is no tool to remove only the trust controller role. I'm afraid you need to go through the uninstallation of the server and re-install the server with only the roles you wish to configure on it. This ticket 3993 Provide a way to uninstall trust-ad package [1] tracked the need for an uninstaller but was closed as wontfix.
Boourns, but it's not a biggie doing the uninstall/install cycle.
> I'm pretty sure that the behavior was already the same in RHEL7.
I'm looking at my notes from my RHEL 7 deploys and they clearly say I ran the command on the agents themselves. Maybe my docs are wrong. Oh no! If I'm bored one day, I might do another one just to see what happens.
Well damn, that's not what I thought I read. Then I will save face by admitting I didn't read the doc as carefully as I should have after I fixed my issue.
Thank you for correcting me.