[Freeipa-users] IPA 4.4 and Trust Agents/Controllers
Baird, Josh
jbaird at follett.com
Wed Nov 16 15:40:18 UTC 2016
Hi,
I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and had a few questions about the concept of trust agents/controllers.
Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was ran on) considered 'trust controllers'? In my lab, the upgrade automatically provisioned my IPA masters as controllers (not agents). Is this the default behavior?
The official recommendation appears to be to minimize the number of trust controllers. Given an IPA deployment with two masters in each location, is the recommendation to only have 1 of these configured as a 'trust controller' and the other as a 'trust agent'?
What happens if all 'trust controllers' become unavailable, but 'trust agents' remain available? Will the trust between IPA and AD be broken?
Thanks,
Josh
More information about the Freeipa-users
mailing list