On 16.01.23 20:16, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>> On 16.01.23 15:48, Alexander Bokovoy via FreeIPA-users wrote:
>>> On Mon, 16 Jan 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>> I have a setup where we have four IPA servers. Two of them are able
>>>> to talk to the AD Domain Controllers directly. I set them up as AD
>>>> Trust controllers.
>>>> The other two IPA servers can only talk to these IPA servers and
>>>> not to the AD DCs directly. That's why I wanted them to have the
>>>> Trust Agent Role only.
>>> Trust Agent also should be able to talk to AD DCs. If those servers
>>> cannot talk to AD DCs, they cannot be trust agents.
>> So it seems that I have misunderstood how trust agents can be used. I
>> thought AD communication is only done on trust controllers whereas
>> trust agents are some kind of proxies.
> They aren't proxies but since they don't run DC services expected by
> Active Directory domain controllers, they cannot be contacted by AD DCs
> to perform normal LSA RPC calls. So they are agents in this sense: they
> cannot participate in DC to DC communication with Active Directory DCs.
> Identity resolution on agents is performed by SSSD which talks to LDAP
> services of AD DCs, not the other direction.

Thanks for clarifying that. But what's the benefit of using trust agents
then?
What I tried to accomplish was putting two IPA servers in the same
firewall zone as the windows AD DCs. Another two IPA servers reside in
the same zone where potential IPA clients are. Clients should have
communicated only with the IPA servers within the same zone. (Of course,
IPA servers could have communicated amongst each other) - Am I right
that there is no possibility of realizing such a scenario? (because
clients always need to be able to talk to the AD DCs?)
Cheers,
Ronald