[Freeipa-users] really dumb question - is an IPA replica automatically a client as well?

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 22 14:42:59 UTC 2016


On Thu, 22 Dec 2016, Chris Dagdigian wrote:
>
>Working on a messy multi-AD / multi-child-domain environment ...
>
>Just deployed my 1st replica server after the v4.4 upgrade
>
>The IPA replica seems fine and "ipactl status" reports no issues. The 
>webUI clearly shows all of the values/config that came over from the 
>master
>
>However the replica server does not resolve or enumerate any users in 
>any of the trusted AD domains despite sssd.conf and krb5.conf being 
>similar to the IPA master. No obvious errors or blocked traffic 
>although I have not yet enabled debug=10 logging.
>
>Before I begin the standard krb5 and sssd troubleshooting I wanted to 
>ask the dumb question first -- does an IPA replica automatically get 
>enrolled as a managed client? Should I expect it to recognize the 
>remote AD user IDs by default?
It is a managed client for itself. I.e. it only talks to itself.
And the replica is not automatically resolving users and groups from the
trusted AD domains. To do so, it needs to be at least a trust agent.

See
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-controller-agent
for details.
-- 
/ Alexander Bokovoy



