[Freeipa-users] multimaster ad one way trust setup

Rob Verduijn rob.verduijn at gmail.com
Mon Jan 25 11:47:36 UTC 2016


Since the first option has less impact, that one sounds the most interesting.
However, does this also remain functional when the first IPA server is
taken offline?

Rob Verduijn

2016-01-25 12:41 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Hi all,
>>
>> When you have an IPA 4.2 server with a one-way trust to the AD,
>> what steps are needed to install a second IPA master that also has a
>> one-way trust to the AD?
>
> Depends on what you want to achieve.
>
> If you want second IPA master to be able to resolve AD users, just
> install the master and run 'ipa-adtrust-install --add-agents' on the
> *first* master. This will prompt you about adding the second
> master to the list of hosts allowed to use cross-forest trust
> credentials.
>
> If you want to use the second IPA master to *manage* trust, you'd need
> to run 'ipa-adtrust-install' on it. No need to specify
> '--add-agents' because the master where 'ipa-adtrust-install' is being
> run will be automatically added to the list.
> --
> / Alexander Bokovoy



