Cool
Thanx
Rob Verduijn

2016-01-25 12:59 GMT+01:00 Alexander Bokovoy <[email protected]>:
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Since the first option has less impact, that one sounds the most
>> interesting.
>> However, does this also remain functional when the first ipa server is
>> taken offline?
>
> Yes. What this option enables is to allow IPA master to become 'trust
> agent' which means SSSD on that master will be able to use cross-forest
> trust credentials to talk to AD for user/group information and
> authentication purposes. It does not allow that master to *manage* the
> trust itself.
>
>>
>> Rob Verduijn
>>
>> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy <[email protected]>:
>>>
>>> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>>>
>>>>
>>>> Hi all,
>>>>
>>>> When you have an ipa 4.2 server with a one way trust to the ad.
>>>> What steps are needed to install a second ipa master that also has a
>>>> one way trust to the ad?
>>>
>>>
>>> Depends on what you want to achieve.
>>>
>>> If you want second IPA master to be able to resolve AD users, just
>>> install the master and run 'ipa-adtrust-install --add-agents' on the
>>> *first* master. This will prompt you to be asked on adding the second
>>> master to the list of hosts allowed to use cross-forest trust
>>> credentials.
>>>
>>> If you want to use the second IPA master to *manage* trust, you'd need
>>> to run 'ipa-adtrust-install' on it. No need to specify
>>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>>> run will be automatically added to the list.
>>> --
>>> / Alexander Bokovoy
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy
