Hi Alexander,
But is it OK to not be a trust controller or trust agent? Is it a good idea to be a trust agent at least? How can I check both?
I can fetch from IPA the data regarding the trust, on the replica server normally.
[root@ipa2 ~]# ipa trust-show
Realm name: ad.example.com
Realm name: ad.example.com
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Trust direction: Trusting forest
Trust type: Active Directory domain
UPN suffixes: example.com, invalid.com
[root@ipa2 ~]# ipa trustdomain-find
Realm name: ad.example.com
Domain name: ad.example.com
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
Domain enabled: True
Thank you.
On 3 Jul 2020, at 04:20, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Fri, 03 Jul 2020, Vinícius Ferrão via FreeIPA-users wrote:
> Hello, I have two FreeIPA servers with AD trust enabled. Usually I do everything on the IPA #1 server, but I just observed that SIDs aren’t resolved on the replica. Is it normal?
> I’m attaching a picture of the issue to illustrate it. If this is not right, can someone help with debugging steps? I observed that I can’t do getent passwd ferrao on the replica either. Only on master:
> [root@ipa1 ~]# getent passwd ferrao
> ferrao@ad.example.com:*:1499401105:1499401105:Vinícius Ferrão:/home/ferrao:
> [root@ipa2 ~]# getent passwd ferrao
Looks like the second server is neither trust controller nor trust agent.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland