CentOS 7.5
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
When on my replica, and I use
ipa idoverrideuser-find 'Default Trust View' <user>
I get the expected results:
--------------------------
1 User ID override matched
--------------------------
  Anchor to override: :SID:S-1-5-21-55386287-1424373824-1154838474-51686
  User login: <user>
  UID: 1503
  GECOS: User Name
  GID: 1503
  Home directory: /home/uname
  Login shell: /bin/bash
----------------------------
Number of entries returned 1
----------------------------
But when I do
id <user>
I get
id: uname: no such user
What have I done wrong?
I've also seen the error listed on this thread - could it be that my replica is not a trust agent?
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Having read
https://bugzilla.redhat.com/show_bug.cgi?id=1206613 and https://pagure.io/freeipa/issue/7410
I see that I can test this
[root@ipa-replica ~]# ipa server-show
Server name: ipa-master.company.com
  Server name: ipa-master.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller
[root@ipa-replica ~]# ipa server-show
Server name: ipa-replica.company.com
  Server name: ipa-replica.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server
It's not a trust agent or controller. I presume it should be?
Yes, having now read to the end of ticket 7410 I see that I should have set the replica up with --setup-adtrust
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
L.
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
CentOS 7.5
ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
When on my replica, and I use
ipa idoverrideuser-find 'Default Trust View' <user>
I get the expected results:
--------------------------
1 User ID override matched
--------------------------
  Anchor to override: :SID:S-1-5-21-55386287-1424373824-1154838474-51686
  User login: <user>
  UID: 1503
  GECOS: User Name
  GID: 1503
  Home directory: /home/uname
  Login shell: /bin/bash
----------------------------
Number of entries returned 1
----------------------------
But when I do
id <user>
I get
id: uname: no such user
What have I done wrong?
I've also seen the error listed on this thread - could it be that my replica is not a trust agent?
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Having read
https://bugzilla.redhat.com/show_bug.cgi?id=1206613 and https://pagure.io/freeipa/issue/7410
I see that I can test this
[root@ipa-replica ~]# ipa server-show
Server name: ipa-master.company.com
  Server name: ipa-master.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller
[root@ipa-replica ~]# ipa server-show
Server name: ipa-replica.company.com
  Server name: ipa-replica.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server
It's not a trust agent or controller. I presume it should be?
Yes, having now read to the end of ticket 7410 I see that I should have set the replica up with --setup-adtrust
No, you don't need that. You need it to be a trust agent, not a trust controller.
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
Exactly.
On 15 June 2018 at 16:03, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
Exactly.
Alex, thanks for the confirmation.
FWIW, running ipa-adtrust-install --add-agents on the current ipa master asked me:
WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests. Installer can add them to the list of IPA masters allowed to access information about trusts. If you choose to do so, you also need to restart LDAP service on those masters. Refer to ipa-adtrust-install(1) man page for details.
IPA master [ipa-replica.company.com]? [no]:
which, when I said no, exited without making any changes that I could see.
When I ran the same on the replica, I got the same question, but this time answered yes. I can now id users successfully - but fwiw, when I run
Server name: ipa-replica.company.com
  Server name: ipa-replica.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller
So it has become a trust controller as well.
Is that because it's also a CA server?
cheers L.
On Mon, 18 Jun 2018, Lachlan Musicman wrote:
On 15 June 2018 at 16:03, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
Exactly.
Alex, thanks for the confirmation.
FWIW, running ipa-adtrust-install --add-agents on the current ipa master asked me:
WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests. Installer can add them to the list of IPA masters allowed to access information about trusts. If you choose to do so, you also need to restart LDAP service on those masters. Refer to ipa-adtrust-install(1) man page for details.
IPA master [ipa-replica.company.com]? [no]:
which, when I said no, exited without making any changes that I could see.
When you run ipa-adtrust-install --add-agents on an existing trust controller, it asks you whether you want to convert *another* IPA master to a trust agent.
This is what you should do if you only want to have that *other* IPA master as a trust agent. So you needed to answer 'yes' there.
When I ran the same on the replica, I got the same question, but this time answered yes. I can now id users successfully - but fwiw, when I run
This converted the replica to trust controller, not trust agent.
So it has become a trust controller as well.
Yes, because you asked it to do so by running ipa-adtrust-install on it.
Is that because it's also a CA server?
No. It is because you asked it to become a trust controller by running ipa-adtrust-install on the host.
If you want to make a replica a trust agent, run ipa-adtrust-install --add-agents on an _existing_ trust controller.
On Mon., 18 Jun. 2018, 16:15 Alexander Bokovoy, abokovoy@redhat.com wrote:
On Mon, 18 Jun 2018, Lachlan Musicman wrote:
On 15 June 2018 at 16:03, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
Exactly.
Alex, thanks for the confirmation.
FWIW, running ipa-adtrust-install --add-agents on the current ipa master asked me:
WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests. Installer can add them to the list of IPA masters allowed to access information about trusts. If you choose to do so, you also need to restart LDAP service on those masters. Refer to ipa-adtrust-install(1) man page for details.
IPA master [ipa-replica.company.com]? [no]:
which, when I said no, exited without making any changes that I could see.
When you run ipa-adtrust-install --add-agents on an existing trust controller, it asks you whether you want to convert *another* IPA master to a trust agent.
This is what you should do if you only want to have that *other* IPA master as a trust agent. So you needed to answer 'yes' there.
When I ran the same on the replica, I got the same question, but this time answered yes. I can now id users successfully - but fwiw, when I run
This converted the replica to trust controller, not trust agent.
So it has become a trust controller as well.
Yes, because you asked it to do so by running ipa-adtrust-install on it.
Is that because it's also a CA server?
No. It is because you asked it to become a trust controller by running ipa-adtrust-install on the host.
If you want to make a replica a trust agent, run ipa-adtrust-install --add-agents on an _existing_ trust controller.
Ok. Thank you.
Is it an issue to have two trust controllers?
If it is, is there an easy way to remove trust controller status?
Cheers L.
On Mon, 18 Jun 2018, Lachlan Musicman wrote:
On Mon., 18 Jun. 2018, 16:15 Alexander Bokovoy, abokovoy@redhat.com wrote:
On Mon, 18 Jun 2018, Lachlan Musicman wrote:
On 15 June 2018 at 16:03, Alexander Bokovoy abokovoy@redhat.com wrote:
On Fri, 15 Jun 2018, Lachlan Musicman via FreeIPA-users wrote:
https://github.com/freeipa/freeipa/pull/1825
And from here https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/RLWBXYP6PPHGXMJZZNEAO6TF7BCB6EDS/
it looks like I need to run
ipa-adtrust-install --add-agents
on the master and follow the prompts?
Exactly.
Alex, thanks for the confirmation.
FWIW, running ipa-adtrust-install --add-agents on the current ipa master asked me:
WARNING: 1 IPA masters are not yet able to serve information about users from trusted forests. Installer can add them to the list of IPA masters allowed to access information about trusts. If you choose to do so, you also need to restart LDAP service on those masters. Refer to ipa-adtrust-install(1) man page for details.
IPA master [ipa-replica.company.com]? [no]:
which, when I said no, exited without making any changes that I could see.
When you run ipa-adtrust-install --add-agents on an existing trust controller, it asks you whether you want to convert *another* IPA master to a trust agent.
This is what you should do if you only want to have that *other* IPA master as a trust agent. So you needed to answer 'yes' there.
When I ran the same on the replica, I got the same question, but this time answered yes. I can now id users successfully - but fwiw, when I run
This converted the replica to trust controller, not trust agent.
So it has become a trust controller as well.
Yes, because you asked it to do so by running ipa-adtrust-install on it.
Is that because it's also a CA server?
No. It is because you asked it to become a trust controller by running ipa-adtrust-install on the host.
If you want to make a replica a trust agent, run ipa-adtrust-install --add-agents on an _existing_ trust controller.
Ok. Thank you.
Is it an issue to have two trust controllers?
No, it is not an issue. However, it depends on what you are planning to deploy. Some people would like to reduce the attack surface for most cases, and using a trust agent instead of a trust controller makes that master arguably more secure.
You only need one trust controller to establish and validate trust in a place where AD DCs can reach it.
If it is, is there an easy way to remove trust controller status?
There is no way to demote the controller status.
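Added example, not from this thread or from FreeIPA itself: a small POSIX shell check that reads "ipa server-show" output and reports whether a master is a trust controller, a trust agent or neither. It covers both points Alexander makes above: run --add-agents on the existing controller (not ipa-adtrust-install on the replica, which creates a second controller that cannot be demoted), and prefer agents over controllers to keep the attack surface small. The sample output and hostnames are constructed from what the thread shows.

```shell
#!/bin/sh
# Classify an IPA master's AD trust role from "ipa server-show" output.
# Reads the output on stdin and prints one word: controller, agent or none.
# A controller also carries the agent role, so it is matched first.
trust_role() {
    roles=$(sed -n 's/^ *Enabled server roles: *//p')
    case "$roles" in
        *"AD trust controller"*) echo controller ;;
        *"AD trust agent"*)      echo agent ;;
        *)                       echo none ;;
    esac
}

# Constructed sample output modelled on the thread (hostnames are placeholders).
MASTER_OUT='  Server name: ipa-master.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server, AD trust agent, AD trust controller'

REPLICA_OUT='  Server name: ipa-replica.company.com
  Managed suffixes: domain, ca
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: CA server, NTP server'

# Live use: ipa server-show "$host" | trust_role
# "none" on a replica explains "id: <user>: no such user" for trusted-forest
# users; the fix is "ipa-adtrust-install --add-agents" on the controller.
# A second "controller" means ipa-adtrust-install was run on the replica
# itself; that status cannot be removed afterwards.
printf '%s\n' "$MASTER_OUT"  | trust_role
printf '%s\n' "$REPLICA_OUT" | trust_role
```

Run it against every master from "ipa server-find" before and after --add-agents so the replica shows "agent" rather than a second "controller".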