[Freeipa-users] multimaster ad one way trust setup

Alexander Bokovoy abokovoy at redhat.com
Mon Jan 25 11:59:39 UTC 2016


On Mon, 25 Jan 2016, Rob Verduijn wrote:
>Since the first option has less impact, that one sounds the most interesting.
>However, does this also remain functional when the first IPA server is
>taken offline?
Yes. What this option does is allow the IPA master to become a 'trust
agent', which means SSSD on that master will be able to use cross-forest
trust credentials to talk to AD for user/group information and
authentication purposes. It does not allow that master to *manage* the
trust itself.

>
>Rob Verduijn
>
>2016-01-25 12:41 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
>> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>>
>>> Hi all,
>>>
>>> When you have an IPA 4.2 server with a one-way trust to the AD,
>>> what steps are needed to install a second IPA master that also has a
>>> one-way trust to the AD?
>>
>> Depends on what you want to achieve.
>>
>> If you want second IPA master to be able to resolve AD users, just
>> install the master and run 'ipa-adtrust-install --add-agents' on the
>> *first* master. You will be prompted about adding the second
>> master to the list of hosts allowed to use cross-forest trust
>> credentials.
>>
>> If you want to use the second IPA master to *manage* trust, you'd need
>> to run 'ipa-adtrust-install' on it. No need to specify
>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>> run will be automatically added to the list.
>> --
>> / Alexander Bokovoy
>

-- 
/ Alexander Bokovoy



