Hi,
On Thu, Jun 23, 2022 at 8:26 PM Ranbir via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Thu, 2022-06-23 at 13:07 -0400, Ranbir via FreeIPA-users wrote:
Is it possible to remove the trust controller role from masters? I ran the trust agent setup on two masters that I just wanted to handle the trust agent role and now they're showing up as trust controllers, too. I don't know why that happened since I've done this before.
There is no tool to remove only the trust controller role. I'm afraid you need to go through the uninstallation of the server and re-install the server with only the roles you wish to configure on it. This ticket 3993 *Provide a way to uninstall trust-ad package* [1] tracked the need for an uninstaller but was closed as wontfix.
I ended up running the uninstall and install again. I then ran, "ipa-adtrust-install --add-agent" on the new master and it got set up as an agent and controller again. :/ I double checked the docs, which say to do exactly what I did.
To set up nodeB as a trust agent when nodeA is already a trust controller, ipa-adtrust-install --add-agents has to be executed *on nodeA*. The documentation [2] mentions the following:
----- 8< -----
On an existing trust controller, run the ipa-adtrust-install --add-agents command
----- 8< -----
I'm pretty sure that the behavior was already the same in RHEL7.
HTH, flo
[1] https://pagure.io/freeipa/issue/3993
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
I did the uninstall/install cycle again and went back to running the "ipa-adtrust-install --add-agent" on the trust controller. After that was done, I restarted the ipa services on the agent that was just added. When I now look at the new master's server config, it correctly shows its server roles to include the AD Trust Agent role and not the controller role. That's exactly what I was looking for.
It seems the docs are incorrect or the ipa-adtrust-install command has changed with the freeipa releases in RHEL 8+. In RHEL 7 (and its downstream derivatives), running "ipa-adtrust-install --add-agent" only added the AD Trust Agent role to the server the command was run on.
-- Ranbir