On 11/21/18 9:26 PM, Ronald Wimmer via FreeIPA-users wrote:
On 21.11.18 17:40, Rob Crittenden via FreeIPA-users wrote:
> [..]
> Yes, masters are all more or less equal, the difference being whether
> they run optional services and there are a few roles that only one
> master has (CRL manager, renewal manager).
> I still do not have a clear picture. Is it true that any scenario starts
> with one master and all others are replicas?
Yes, you start by installing the first master with ipa-server-install,
and then create replicas with ipa-replica-install.
Depending on the options you provide, you can configure (or not)
additional services, such as CA, DNS, KRA, etc.
A given service can be present on 0 / 1 / n servers (for instance KRA is
optional). For the configured services, we recommend at least 2 servers
to provide redundancy.
The first instance of a service is not always configured on the first
master. For example, you can set up the 1st master without KRA, set up a
replica without KRA and later on decide to run ipa-kra-install on the
replica. In this case the KRA service is running on the replica only
(and we would advise running ipa-kra-install on another node to provide
redundancy).
When 2 servers provide the same set of services, they are equivalent and
there is no distinction whether it was the first master or not. As Rob
said, the only exceptions are the CRL manager and the renewal manager, as only one
node can hold each of these functions at a given time. But the function can be
migrated to another node (see [1] for the procedure).
>> What about AD trust? Does it have to be set up for each of the new
>> servers?
>> https://www.freeipa.org/page/Active_Directory_trust_setup does
>> say so: "When planning access of AD users to IPA clients, make sure to
>> run ipa-adtrust-install on every IPA master these IPA clients will be
>> connecting to."
>
> Then I guess it does.
> Can anyone confirm this?
There are more explanations in this doc: [2]. A FreeIPA server can be a
trust controller, a trust agent or a standard server. The server needs to be
either a trust controller or a trust agent to resolve AD users and groups.
Hope this clarifies,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> Cheers,
> Ron
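To turn the redundancy advice above (every configured service on at least 2 servers, the CA renewal master held by exactly one server that actually runs a CA) into something you can check against a real deployment, here is an added example audit script. It is not code from this thread or from the FreeIPA project. It assumes the text layout of `ipa server-role-find` (blocks of "Server name:", "Role name:", "Role status:") and the "IPA CA renewal master:" line of `ipa config-show`; the sample output below is constructed and the hostnames ipa1/ipa2/old.example.test are hypothetical. Only roles with status "enabled" are counted as providing the service (hidden or absent roles do not serve clients).

```python
"""Audit a FreeIPA topology for role redundancy.

Added example, not code from the mailing-list thread or from FreeIPA itself.
Assumed input formats: `ipa server-role-find` and `ipa config-show` text
output as shown in the constructed samples below (hostnames are hypothetical).
"""
import re
from collections import defaultdict

# Constructed sample of `ipa server-role-find` output (hypothetical hosts).
SERVER_ROLE_FIND_OUTPUT = """\
----------------------
8 server roles matched
----------------------
  Server name: ipa1.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa1.example.test
  Role name: DNS server
  Role status: enabled

  Server name: ipa1.example.test
  Role name: KRA server
  Role status: absent

  Server name: ipa1.example.test
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa2.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.test
  Role name: DNS server
  Role status: absent

  Server name: ipa2.example.test
  Role name: KRA server
  Role status: enabled

  Server name: ipa2.example.test
  Role name: AD trust controller
  Role status: enabled
----------------------------
Number of entries returned 8
----------------------------
"""

# Constructed `ipa config-show` fragments: a healthy one, and one where the
# renewal master points at a host that no longer runs an enabled CA.
CONFIG_SHOW_OUTPUT = "  IPA CA renewal master: ipa1.example.test\n"
CONFIG_SHOW_STALE = "  IPA CA renewal master: old.example.test\n"

ROLE_LINE = re.compile(r"^\s*(Server name|Role name|Role status):\s*(.+?)\s*$")
RENEWAL_LINE = re.compile(r"^\s*IPA CA renewal master:\s*(\S+)")


def parse_server_roles(text):
    """Turn `ipa server-role-find` output into (server, role, status) tuples."""
    entries, current = [], {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if not m:
            continue  # separators, headers, "Number of entries returned"
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "Role status":  # last field of each entry block
            entries.append((current["Server name"], current["Role name"], value))
            current = {}
    return entries


def enabled_servers_by_role(entries):
    """Map role name -> set of servers where the role status is 'enabled'."""
    by_role = defaultdict(set)
    for server, role, status in entries:
        if status == "enabled":
            by_role[role].add(server)
    return by_role


def find_underprovisioned_roles(entries, minimum=2):
    """Roles deployed on at least one but fewer than `minimum` servers.

    Roles with zero enabled servers (e.g. an optional KRA that was never
    installed) are not reported: that is a choice, not a redundancy gap.
    """
    by_role = enabled_servers_by_role(entries)
    return {role: sorted(s) for role, s in by_role.items() if 0 < len(s) < minimum}


def parse_renewal_master(config_show_text):
    """Extract the single CA renewal master from `ipa config-show` output."""
    for line in config_show_text.splitlines():
        m = RENEWAL_LINE.match(line)
        if m:
            return m.group(1)
    return None


def check_renewal_master(entries, config_show_text):
    """The renewal master is a single-holder role; it must be an enabled CA."""
    master = parse_renewal_master(config_show_text)
    cas = enabled_servers_by_role(entries).get("CA server", set())
    if master is None:
        return "no renewal master recorded in config"
    if master not in cas:
        return f"renewal master {master} is not an enabled CA server"
    return "ok"


if __name__ == "__main__":
    roles = parse_server_roles(SERVER_ROLE_FIND_OUTPUT)
    for role, servers in sorted(find_underprovisioned_roles(roles).items()):
        print(f"single point of failure: {role} only on {', '.join(servers)}")
    print("renewal master:", check_renewal_master(roles, CONFIG_SHOW_OUTPUT))
```

On a live server you would feed it `ipa server-role-find` and `ipa config-show` output instead of the constructed samples; the CRL manager is not exposed by these two commands, so check it separately with `ipa-crlgen-manage status` on each CA.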
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...