[Freeipa-users] IPA-adtrust and addition of replicas

William william at firstyear.id.au
Tue Feb 3 02:58:09 UTC 2015


> >Wow! From all this it really sounds like adding a replica in to an IPA
> >domain where adtrust has been run could have a few edge cases. For
> >example, what would happen if I create a new account on a replica
> >without adtrust? Would sidgen run on the adtrust machine when it gets
> >the record replicated to it?
> I think it might work. sidgen is a post operation and replication
> protocol uses normal ldap_*_ext() API to send new objects.
> 

Maybe something to test?


> >> What I realized now is that with FreeIPA 3.3+ we moved ID resolution
> >> fully to SSSD and we technically don't need to run full 'domain
> >> controller' stack (e.g. Samba) on a master that only wants to resolve
> >> IDs rather than participating in a balancing of the domain controller
> >> duties.
> >
> >What are the domain controller duties separate from the ID resolution
> >tasks? What components carry out the id resolution?
> In discussing with Simo yesterday, we came to conclusion that we would
> call a 'full' master that provides features for trust as a 'trust
> controller'. Let's call the other configuration a 'trust agent'.
> 
> A trust controller is a FreeIPA master which hosts:
>  - LDAP server with sidgen, extdom, and cldap plugins
>  - KDC with IPA driver
>  - Samba configured with ipasam PASSDB module
>  - SSSD with ipa_server_mode=True
>  - Global Catalog instance (a separate LDAP instance with an
>    AD-compatible schema)
> 
> A trust agent is a FreeIPA master which hosts
>  - LDAP server with sidgen and extdom
>  - KDC with IPA driver
>  - SSSD with ipa_server_mode=True
> 
> As you can see, a trust agent is a master that relies on SSSD to do
> resolution of IDs. Trust controller is used for managing trust: add
> trust agreements, enable/disable separate domains from a trusted forest
> to access FreeIPA resources, etc. Trust controller is also what Active
> Directory's domain controllers contact when validating the trust by
> means of SMB protocol using LSA calls which implies running a Samba server.

This seems like a clean and logical separation.


> >
> >This should be configured on replicas added to the network if adtrust
> >has been run already. Perhaps this is something to consider also?
> >Consistency throughout the domain is a good thing.
> Exactly. Good suggestion. One thing we need to solve here is that
> enabling sidgen and other components will require installing Samba
> libraries. This is something to consider -- do we want these libraries
> (not daemons) installed on every master?

Well, ipa-adtrust is a separate package already, isn't it? If you were in
the position to be setting up an adtrust on freeipa, you would document
that it should be installed on all hosts anyway, so then the adtrust
package would pull in the adtrust libs.

Once the adtrust is installed, be it trust controller or agent, perhaps
this should be added into the domain services tree under cn=etc. That
way, after the adtrust is run, you can see a list of hosts that do not
yet have it installed, so that the trust agent can be configured on all
other replicas. Additionally, a new replica being added could be hinted,
if this entry exists, to configure itself as a trust agent automatically as
part of ipa-replica-install.

Does that sound like a reasonable suggestion?
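As an added illustration of the consistency check proposed above (this is not code from the thread or from FreeIPA itself), the following Python script reads a dump of the per-master service registry and reports which masters have not enabled the AD trust role. It assumes the layout FreeIPA uses for that registry, namely one entry per master under cn=masters,cn=ipa,cn=etc,$SUFFIX with one child entry per service carrying ipaConfigString values such as enabledService or configuredService; that layout, the suffix dc=example,dc=test, the host names and the LDIF text are all constructed for the example, and the function names are hypothetical.

```python
"""Report FreeIPA masters that do not yet run a given service role.

Added example, not code from the mailing-list thread or from FreeIPA.
Assumption (FreeIPA's service registry layout, not stated in the thread):
  cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>           one entry per master
  cn=<SERVICE>,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>  one entry per service
where each service entry carries ipaConfigString values such as
'enabledService' or 'configuredService'.
"""

SUFFIX = "dc=example,dc=test"          # constructed suffix
MASTERS_BASE = f"cn=masters,cn=ipa,cn=etc,{SUFFIX}"

# Constructed LDIF-style dump of the masters subtree (sample data, not a
# real ldapsearch capture): ipa1 is a trust controller, ipa2 has no trust
# role at all, ipa3 has the role configured but not enabled.
SAMPLE_LDIF = f"""\
dn: cn=ipa1.example.test,{MASTERS_BASE}
cn: ipa1.example.test

dn: cn=CA,cn=ipa1.example.test,{MASTERS_BASE}
cn: CA
ipaConfigString: enabledService

dn: cn=ADTRUST,cn=ipa1.example.test,{MASTERS_BASE}
cn: ADTRUST
ipaConfigString: enabledService

dn: cn=ipa2.example.test,{MASTERS_BASE}
cn: ipa2.example.test

dn: cn=CA,cn=ipa2.example.test,{MASTERS_BASE}
cn: CA
ipaConfigString: enabledService

dn: cn=ipa3.example.test,{MASTERS_BASE}
cn: ipa3.example.test

dn: cn=ADTRUST,cn=ipa3.example.test,{MASTERS_BASE}
cn: ADTRUST
ipaConfigString: configuredService
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated blocks of 'attr: value'."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {"dn": None, "attrs": {}}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name == "dn":
                entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry["dn"]:
            entries.append(entry)
    return entries


def _rdn_value(rdn):
    return rdn.split("=", 1)[1]


def service_roles(entries, base=MASTERS_BASE):
    """Map master FQDN -> {service name: set of ipaConfigString values}."""
    roles = {}
    tail = "," + base
    for entry in entries:
        dn = entry["dn"]
        if not dn.endswith(tail):
            continue                      # not part of the masters subtree
        rdns = dn[: -len(tail)].split(",")
        if len(rdns) == 1:                # cn=<fqdn> : the master itself
            roles.setdefault(_rdn_value(rdns[0]), {})
        elif len(rdns) == 2:              # cn=<SERVICE>,cn=<fqdn>
            svc, master = _rdn_value(rdns[0]), _rdn_value(rdns[1])
            roles.setdefault(master, {})[svc] = set(
                entry["attrs"].get("ipaConfigString", []))
    return roles


def masters_missing_service(entries, service="ADTRUST", base=MASTERS_BASE):
    """Masters with no *enabled* instance of `service` (configured-only counts
    as missing, since the role is not actually serving)."""
    roles = service_roles(entries, base)
    return sorted(master for master, svcs in roles.items()
                  if "enabledService" not in svcs.get(service, set()))


if __name__ == "__main__":
    missing = masters_missing_service(parse_ldif(SAMPLE_LDIF))
    for host in missing:
        print(f"{host}: ADTRUST role not enabled")
```

Against the constructed data the script reports ipa2.example.test and ipa3.example.test, which is the list an administrator would work through when configuring trust agents on the remaining replicas; in a real deployment the LDIF would come from an ldapsearch over the masters subtree rather than the embedded string.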
