[Freeipa-users] Effect of reversing trust relationship

Alexander Bokovoy abokovoy at redhat.com
Mon Jan 9 05:48:11 UTC 2017


On Thu, 05 Jan 2017, William Muriithi wrote:
>Hello,
>
>Curious, two weeks ago, we established a two way trust between AD and
>FreeIPA. This has been working fine till yesterday when AD started
>having DNS issues.  I am 99% certain the trust had nothing to do with the DNS
>issue, but I want to reverse the trust and see if we could fare better.
>
>My question is, if I run "ipa trustdomain-del", what does it do behind the back?
>
>- Will there be a change in the AD systems or just remove association
>on IPA side without reversing changes on the AD side?
It does remove the trust object associated with the child domain in
question on IPA side and removes SID of that domain from the SID
blacklist of the trust. Nothing changes on the AD side.

>- What's the implication on the IPA client?  Any possibility of an outage?
IPA clients will stop seeing AD users from the child domain, eventually,
once SSSD refreshes its cache on IPA master that client is connected to.

>- What's the difference between "ipa trustdomain-del" and restoring from
>"ipa-backup", and which would be more recommended if one has both
>options?
I'm not sure if ipa-backup actually backs up Samba databases; it is
probably not doing that. When you restore a master with ipa-backup,
you'd probably be better off re-running ipa-adtrust-install on the master to
repair the Samba configuration.

This would not change the fact that if you applied 'ipa trustdomain-del'
prior to taking a backup, information about that child domain will not
be restored. You'd need to run 'ipa trust-fetch-domains' to actually
refresh the list of child domains from the trust.

Also, you need to make sure that whatever backup version was restored,
it has the same trust object password on both the IPA and AD sides.
If the trust was re-established since the time the backup was taken, that is a
sure way to get everything broken.

-- 
/ Alexander Bokovoy