This is not an issue, since the packages are already there. It's fine :)
Ok! I’ll follow the path you recommend with two trust agents and one trust controller.
But what I don’t get is that I think something is broken in the replica. You see, the packages are already there, ipa-server-trust-ad-4.8.4 is installed on both servers, and on ipa2 this problem happens.
# ipa-adtrust-install --add-agents
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password:
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]:
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/23]: validate server hostname
[2/23]: stopping smbd
[3/23]: creating samba domain object
Samba domain object already exists
[4/23]: retrieve local idmap range
[5/23]: creating samba config registry
[6/23]: writing samba config file
[7/23]: adding cifs Kerberos principal
[8/23]: adding cifs and host Kerberos principals to the adtrust agents group
[9/23]: check for cifs services defined on other replicas
[10/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
[11/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[12/23]: adding RID bases
RID bases already set, nothing to do
[13/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
[15/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[16/23]: map BUILTIN\Guests to nobody group
[17/23]: configuring smbd to start on boot
[18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[19/23]: adding fallback group
Fallback group already set, nothing to do
[20/23]: adding Default Trust View
Default Trust View already exists.
[21/23]: setting SELinux booleans
[22/23]: starting CIFS services
[23/23]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
I’ve run the command on both servers, and the output was exactly the same.
I even rebooted IPA2 “just in case”.
Thank you again.
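The installer summary above ends with a list of ports that must be reachable on every trust agent, and it is easy to run ipa-adtrust-install on both servers, see identical output, and still have a replica that nothing can talk to. The script below is an added example, not code from the thread or from FreeIPA: it compares the TCP ports the installer printed against what is actually listening on the host. It assumes the iproute2 `ss` tool is available and takes the required-port list verbatim from the summary (the installer prints 138 under both TCP and UDP; the script checks the TCP list exactly as printed, so adjust REQUIRED_TCP to your deployment). The sample `ss` output embedded for the offline run is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeIPA): report which
# of the TCP ports ipa-adtrust-install lists as required are not listening.
# Assumes iproute2 `ss`; the SAMPLE below is constructed, not captured.

# Fixed TCP ports from the installer's summary. The 1024..1300 epmap listener
# range is allocated dynamically and is therefore not checked here.
REQUIRED_TCP="135 138 139 445 3268"

# Read `ss -Hltn` style lines on stdin and print the distinct local ports,
# space separated. The local address is the 4th column, e.g. "0.0.0.0:445",
# "[::]:445" or "*:389"; the port is whatever follows the last colon.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -n | uniq | tr '\n' ' '
}

# Print the required ports that are absent from the listening set, one line.
missing_ports() {
    listening="$1"
    required="$2"
    missing=""
    for p in $required; do
        case " $listening " in
            *" $p "*) ;;                      # port is listening
            *) missing="$missing $p" ;;       # port is not listening
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample of `ss -Hltn` output on a replica where smbd is up on
# 445/139 and the endpoint mapper on 135, but nothing listens on 138 or 3268.
SAMPLE='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 128 0.0.0.0:135 0.0.0.0:*
LISTEN 0 50 [::]:445 [::]:*
LISTEN 0 128 *:389 *:*'

# Offline run against the constructed sample.
check_sample() {
    listening=$(printf '%s\n' "$SAMPLE" | listening_ports)
    missing_ports "$listening" "$REQUIRED_TCP"
}

# Live run against this host's real socket table (needs `ss`).
check_live() {
    listening=$(ss -Hltn 2>/dev/null | listening_ports)
    missing_ports "$listening" "$REQUIRED_TCP"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check-adtrust-ports.sh --live` on each trust agent; an empty line means every fixed TCP port from the summary has a listener. A non-empty result on one replica but not the other is the kind of asymmetry worth chasing before suspecting the trust objects themselves, and the same listening-port check is worth repeating from the other server with a remote scanner, since a local listener says nothing about the firewall in between.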