[Freeipa-users] IPA-adtrust and addition of replicas

Alexander Bokovoy abokovoy at redhat.com
Tue Feb 3 05:48:28 UTC 2015


On Tue, 03 Feb 2015, William wrote:
>
>> >Wow! From all this it really sounds like adding a replica in to an IPA
>> >domain where adtrust has been run could have a few edge cases. For
>> >example, what would happen if I create a new account on a replica
>> >without adtrust? Would sidgen run on the adtrust machine when it gets
>> >the record replicated to it?
>> I think it might work. sidgen is a post operation and replication
>> protocol uses normal ldap_*_ext() API to send new objects.
>>
>
>Maybe something to test?
You can create a user on the replica without ipa-adtrust-install and
watch after replication on whether ipaNTSecurityIdentifier appeared in
the user's object in LDAP.

>> >This should be configured on replicas added to the network if adtrust
>> >has been run already. Perhaps this is something to consider also?
>> >Consistency throughout the domain is a good thing.
>> Exactly. Good suggestion. One thing we need to solve here is that
>> enabling sidgen and other components will require installing Samba
>> libraries. This is something to consider -- do we want these libraries
>> (not daemons) installed on every master?
>
>Well, ipa-adtrust is a separate package already, isn't it? If you were in
>the position to be setting up an adtrust on freeipa, you would document
>that it should be installed on all hosts anyway, so then the adtrust
>package would pull in the adtrust libs.
>
>Once the adtrust is installed, be it trust controller or agent, perhaps
>this should be added into the domain services tree under cn=etc. That
>way, after the adtrust is run, you can see a list of hosts that do not
>yet have it installed, so that the trust agent can be configured on all
>other replicas. Additionally, adding a new replica could be hinted that
>if this exists to configure itself as a trust agent automatically as
>part of ipa-replica-install.
>
>Does that sound like a reasonable suggestion?
Yes, this is what ipa-adtrust-install implements right now. My issue
with this approach is the fact that we don't want to run
smbd/winbindd/etc for the trust agent case. Yet, ipa-adtrust-install forces
packages to be installed and services to be active.

We can start with disabling ADTRUST and EXTID services on trust agents
(these are smb and winbind in ipactl speak) and, maybe, rename them to
something less confusing. Then we can decide whether not installing
samba server packages would really be needed.


-- 
/ Alexander Bokovoy
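The test Alexander suggests above (create a user on a replica that has not run ipa-adtrust-install, then watch the trust controller's copy of the entry for ipaNTSecurityIdentifier) can be automated. The following is an added example, not code from the thread or from the FreeIPA project: it parses the LDIF that ldapsearch prints, polls until the SID attribute shows up or a deadline passes, and checks that the value has the shape of a user SID in the domain's S-1-5-21 tree. The ldapsearch invocation, the base DN and the hostnames are assumptions to be adjusted for a real deployment; the LDIF samples are constructed.

```python
"""Added example (not from the original thread or FreeIPA): verify that a user
created on a non-adtrust replica gets ipaNTSecurityIdentifier after replication."""
import base64
import re
import subprocess
import time
from typing import Callable, Dict, List, Optional

# A user SID in the IPA domain's tree is the domain SID (S-1-5-21-a-b-c) plus a RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")


def parse_ldif_entry(ldif_text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.
    Handles line folding (continuation lines start with one space) and
    base64-encoded values ("attr:: <b64>") as ldapsearch emits them."""
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # fold continuation onto previous line
        else:
            unfolded.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                          # tolerate stray text such as search refs
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        attrs.setdefault(name, []).append(value)
    return attrs


def sid_from_entry(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Return the ipaNTSecurityIdentifier value if sidgen has added one."""
    vals = attrs.get("ipantsecurityidentifier", [])
    return vals[0] if vals else None


def sid_is_well_formed(sid: str) -> bool:
    """True if the SID looks like domain SID + RID (four sub-authorities after 21)."""
    return bool(SID_RE.match(sid))


def ldapsearch_user(uid: str, host: str, base_dn: str) -> str:
    """Fetch the user's entry from the trust controller with GSSAPI auth.
    Assumed invocation (hostname and base DN are placeholders); run `kinit` first."""
    cmd = ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", f"ldap://{host}",
           "-b", f"cn=users,cn=accounts,{base_dn}", f"(uid={uid})",
           "ipaNTSecurityIdentifier"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def wait_for_sid(fetch_ldif: Callable[[], str], timeout: float = 60.0,
                 interval: float = 2.0, sleep=time.sleep,
                 clock=time.monotonic) -> Optional[str]:
    """Poll fetch_ldif() until the entry carries a SID or the deadline passes.
    Returns the SID, or None if replication/sidgen did not produce one in time."""
    deadline = clock() + timeout
    while True:
        sid = sid_from_entry(parse_ldif_entry(fetch_ldif()))
        if sid is not None:
            return sid
        if clock() >= deadline:
            return None
        sleep(interval)


# Constructed LDIF samples: the same entry before and after sidgen ran on the controller.
SAMPLE_BEFORE = """dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=test
uid: testuser
"""
SAMPLE_AFTER = """dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=test
uid: testuser
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
"""


def demo_wait() -> Optional[str]:
    """Simulate replication lag offline: two reads without a SID, then one with it.
    A fake clock and sleep stand in for real time so the demo finishes instantly."""
    reads = iter([SAMPLE_BEFORE, SAMPLE_BEFORE, SAMPLE_AFTER])
    fake_now = [0.0]

    def clock() -> float:
        return fake_now[0]

    def sleep(seconds: float) -> None:
        fake_now[0] += seconds

    return wait_for_sid(lambda: next(reads), timeout=30, interval=2,
                        sleep=sleep, clock=clock)


if __name__ == "__main__":
    # Against a live deployment (assumed names): create the user on the replica
    # with `ipa user-add testuser ...`, then poll the trust controller:
    # wait_for_sid(lambda: ldapsearch_user("testuser", "ipa-tc.example.test",
    #                                      "dc=example,dc=test"))
    sid = demo_wait()
    print("SID after replication:", sid, "well-formed:", sid_is_well_formed(sid or ""))
```

Run it on the controller after a `kinit` with an account allowed to read user entries; a None result past the timeout is the interesting case, since it means sidgen on the controller did not fire for an object that arrived by replication rather than by a direct LDAP add.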
