On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
On 16.01.23 15:48, Alexander Bokovoy via FreeIPA-users wrote:
>On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>>I have a setup where we have four IPA servers. Two of them are
>>able to talk to the AD Domain Controllers directly. I set them up
>>as AD Trust controllers.
>>
>>The other two IPA servers can only talk to these IPA servers and
>>not to the AD DCs directly. That's why I wanted them to have the
>>Trust Agent Role only.
>
>Trust Agent also should be able to talk to AD DCs. If those servers
>cannot talk to AD DCs, they cannot be trust agents.
So it seems that I have misunderstood how trust agents can be used. I
thought AD communication is only done on trust controllers whereas
trust agents are some kind of proxies.
They aren't proxies but since they don't run DC services expected by
Active Directory domain controllers, they cannot be contacted by AD DCs
to perform normal LSA RPC calls. So they are agents in this sense: they
cannot participate in DC to DC communication with Active Directory DCs.
Identity resolution on agents is performed by SSSD which talks to LDAP
services of AD DCs, not the other direction.
>>I used "ipa-adtrust-install --add-agents" on these servers.
>>configuring the roles and finishing the setup I did a "ipa
>>server-role-find" to check if the roles were set correctly. I
>>found out that all four IPA servers do have the Trust Controller
>>role. And here comes my question... why? Why have the two servers
>>been added as trust controllers and not as agents only?
>
>You should have run 'ipa-adtrust-install --add-agents' on existing trust
>controllers, not on agents-to-be. This is what the documentation tells you
>to do.
Running 'ipa-adtrust-install --add-agents' seems to have no effect.
When I run that command on an IPA server it still has the agent AND
the controller role afterwards.
Since you have already turned your other IPA servers into trust
controllers, running ipa-adtrust-install --add-agents on a different IPA
server and expecting to turn those to trust agents is not possible.
Trust controller is already a trust agent.
You cannot remove the trust controller role from an existing IPA server other
than by completely removing the IPA server itself. This is the same as with
other IPA roles, which cannot be uninstalled.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
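The check Ronald ran by hand, as an added example that is not part of the thread and not FreeIPA's own tooling: a small POSIX shell script that parses the "Server name / Role name / Role status" records printed by `ipa server-role-find` and reports which servers are trust controllers and which are agents only. Because a trust controller always also holds the agent role, "agent only" is computed as agents minus controllers. The sample output embedded below is constructed (two controllers, two agent-only servers, other roles such as "IPA master" trimmed); the field labels follow the key/value layout the ipa CLI prints, and the live invocation suggested in the comments (`ipa server-role-find --status enabled`, run with an admin Kerberos ticket) is an assumption about the CLI options, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not FreeIPA code).
# Parses `ipa server-role-find` output and classifies servers by trust role.

# Constructed sample output: ipa1/ipa2 are trust controllers (and therefore
# also agents), ipa3/ipa4 are trust agents only. Non-trust roles omitted.
SAMPLE_ROLE_OUTPUT='----------------------
6 server roles matched
----------------------
  Server name: ipa1.example.com
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa1.example.com
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa2.example.com
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa2.example.com
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa3.example.com
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa4.example.com
  Role name: AD trust agent
  Role status: enabled
----------------------------
Number of entries returned 6
----------------------------'

# servers_with_role ROLE OUTPUT
# Print, sorted and de-duplicated, every server whose ROLE is "enabled"
# in OUTPUT. Each record is three "Key: value" lines; we remember the
# server and role names and emit the server when the status line arrives.
servers_with_role() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^ *Server name:/ { sub(/^ *Server name: */, ""); server = $0 }
        /^ *Role name:/   { sub(/^ *Role name: */, "");   role   = $0 }
        /^ *Role status:/ { sub(/^ *Role status: */, "")
                            if (role == want && $0 == "enabled") print server }
    ' | sort -u
}

# agent_only_servers OUTPUT
# Servers holding "AD trust agent" but not "AD trust controller". This is
# the set that should be non-empty after `ipa-adtrust-install --add-agents`
# has been run on an existing controller; if it is empty while several
# servers are listed as controllers, every server was set up as a controller.
agent_only_servers() {
    controllers=$(servers_with_role "AD trust controller" "$1")
    servers_with_role "AD trust agent" "$1" | while IFS= read -r s; do
        printf '%s\n' "$controllers" | grep -qxF -- "$s" || printf '%s\n' "$s"
    done
}

# Stand-alone run against the constructed sample. On a live IPA server,
# replace SAMPLE_ROLE_OUTPUT with the captured output of
#   ipa server-role-find --status enabled
# (assumed option; run after kinit as an admin user).
echo "Trust controllers:"
servers_with_role "AD trust controller" "$SAMPLE_ROLE_OUTPUT"
echo "Agent-only servers:"
agent_only_servers "$SAMPLE_ROLE_OUTPUT"
```

Reading the two lists side by side is the quickest way to confirm the situation the thread describes: if every server appears under "Trust controllers" and nothing under "Agent-only servers", all of them were installed with ipa-adtrust-install as controllers, and the only way back to an agent-only role is to remove and re-enrol the server.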