[Freeipa-users] IPA 4.4 and Trust Agents/Controllers

Petr Spacek pspacek at redhat.com
Wed Nov 16 15:53:41 UTC 2016


On 16.11.2016 16:40, Baird, Josh wrote:
> Hi,
> 
> I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and had a few questions about the concept of trust agents/controllers.
> 
> Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was run on) considered 'trust controllers'?  In my lab, the upgrade automatically provisioned my IPA masters as controllers (not agents).  Is this the default behavior?

I would recommend reading
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html#trust-controller-agent

> The official recommendation appears to be to minimize the number of trust controllers.  Given an IPA deployment with two masters in each location, is the recommendation to only have 1 of these configured as a 'trust controller' and the other as a 'trust agent'?
> 
> What happens if all 'trust controllers' become unavailable, but 'trust agents' remain available?  Will the trust between IPA and AD be broken?

... Trust controllers can be used for trust management operations, such as
adding trust agreements and enabling or disabling separate domains from a
trusted forest to access IdM resources. Additionally, AD domain controllers
contact trust controllers when validating the trust.


If I'm not mistaken, temporary unavailability of a trust controller should not
break the trust, as it is used only for trust management operations.

-- 
Petr^2 Spacek
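As an added example (not from this thread or from the FreeIPA project), the following shell snippet answers the "which of my masters became controllers?" question above by parsing the text that `ipa server-role-find` prints in IPA 4.4 and later; the hostnames and the abridged role listing are constructed, and in a real deployment you would feed `ipa server-role-find` output to `audit_trust_roles` instead.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: audit which IPA
# masters hold the "AD trust controller" and "AD trust agent" roles by parsing
# the text that `ipa server-role-find` prints (IPA 4.4+). Hostnames are constructed.

# Constructed, abridged stand-in for `ipa server-role-find` output (trust roles
# only; the real command also lists CA, DNS and other roles per server).
SAMPLE_ROLES='  Server name: ipa1.example.test
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa1.example.test
  Role name: AD trust controller
  Role status: enabled

  Server name: ipa2.example.test
  Role name: AD trust agent
  Role status: enabled

  Server name: ipa2.example.test
  Role name: AD trust controller
  Role status: absent'

# servers_with_role ROLE STATUS: print the servers whose ROLE has status STATUS.
servers_with_role() {
  awk -v role="$1" -v want="$2" '
    /^ *Server name:/ { sub(/^ *Server name: */, ""); srv = $0 }
    /^ *Role name:/   { sub(/^ *Role name: */, "");   r = $0 }
    /^ *Role status:/ { sub(/^ *Role status: */, "");
                        if (r == role && $0 == want) print srv }'
}

# count_role ROLE STATUS: same match, printed as a bare integer.
count_role() { servers_with_role "$1" "$2" | awk 'END { print NR }'; }

# audit_trust_roles: read role output on stdin, report, and fail if no controller
# is enabled (AD domain controllers contact trust controllers when validating the
# trust, and trust management commands need one; a controller is also an agent).
audit_trust_roles() {
  input=$(cat)
  ctl=$(printf '%s\n' "$input" | count_role 'AD trust controller' enabled)
  agt=$(printf '%s\n' "$input" | count_role 'AD trust agent' enabled)
  echo "enabled trust controllers: $ctl; enabled trust agents (incl. controllers): $agt"
  [ "$ctl" -gt 0 ] || { echo "WARNING: no enabled trust controller" >&2; return 1; }
}

printf '%s\n' "$SAMPLE_ROLES" | audit_trust_roles
```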
