On 2022-02-22 17:47, Rob Crittenden via FreeIPA-users wrote:
Sigbjorn Lie via FreeIPA-users wrote:
Hi list,
After our upgrade from EL7 to EL8, the ipa-backup script is stating a
warning:
"Warning: Local roles CA, DNS, DNSKeySync do not match globally used
roles ADTRUST, CA, DNS, DNSKeySync. A backup done on this host would
not
be complete enough to restore a fully functional, identical cluster.
Proceeding as role check was explicitly disabled."
We are performing backup on an IPA server configured as a Hidden
Master.
Because this is a hidden master it has not been configured to be an
ADTRUST Controller, only an ADTRUST Agent.
We are currently using the "--disable-role-check" option to force the
backup.
Is this warning accurate, or is this a bug?
If it is accurate, what data is specific to an ADTRUST Controller that
would be missing from the backup?
AD Trust isn't my strong point but IIRC the controller runs some
additional services, Samba for sure and I think some others like CLDAP.
So in case of catastrophe and all your servers were lost and you only
had a backup from this one, restoring it would not fully restore the
trust.
I don't think that would be a big problem though because I think you
could disconnect and re-establish the trust and be good to go.
rob
_______________________________________________
Ok, then I will add the ADTRUST Controller role to his hiden master to
allow the backups to perform successfully without any warning.
Thank you.
Regards,
Siggi
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
