#2189 [RFE] Enhance ipa-adtrust-install for domains with multiple IPA server
Closed: Fixed None Opened 12 years ago by sbose.

Currently ipa-adtrust-install configures a single IPA server to handle trusts to Active Directory domains (offer everything needed so that an AD DC can talk to the IPA server). In a domain with more than one IPA server it makes sense that more than one IPA server can handle the trusts.

It has to be decided if:
- everything that is done by ipa-adtrust-install will be done by ipa-server-install and all IPA servers will always have everything installed and configured to handle trust (mainly smbd, winbind and related configuration)
- ipa-adtrust-install has to be run explicitly on every IPA server which should handle trusts to AD
- ipa-adtrust-install has to be run once and after that every new replica server will get the needed components installed
- some other method

Depending on which option we choose ipa-adtrust-install and maybe other tools have to be enhanced.


(In #1875) External auth in ipasam can only be implemented when #2189 is done.

As per https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html, we need to switch to external auth and drop simpleSecurityObject object class so that there is no userPassword anymore and it does not prevent multiple servers from working.

This ticket should block FreeIPAv3 release.

The blocking should be the other way around.

Waiting for MIT Kerberos support in samba.

Changing 3.2 priority

We need to figure out what is the exact approach here. That should be reflected in the proposed design.

Move all uncompleted tickets to next month bucket.

ipa-adtrust-install's way to expose DC-related SRV records was fixed:

master: cf8c532
ipa-3-1: bceccbd

Moving unfinished March tickets to April milestone.

Since actual code is committed, close the ticket.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)

7 years ago
