Hi,

On Fri, Dec 1, 2023 at 4:22 PM slek kus via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi, have some questions regarding implementing FreeIPA. To start, I am new
> to FreeIPA, read up on its features
> and started using it in a test setup. The goal is to have sshkey
> authentication of active directory users on Linux clients.
>
> * Created an IPA domain (linux.test.local) with one server and set a
> one-way trust with win.test.local
> * Created the external and internal groups and mapped it.
> * Added ad user overrides in the default trust view and set their ssh keys.
>
> So far so good, all OK.
>
> The questions:
> - Is there a way/method to have overrides created automatically for newly
> added to the group at AD side?
>

Unfortunately we don't have such a mechanism.

> This so that the new user can add the ssh key via selfservice. Would it be
> possible via API?
>

If you are interested in a python API, you can refer to
https://freeipa.readthedocs.io/en/latest/api/guides.html

> - Adding/changing id overrides do not apply directly. I need to issue a
> `sssctl cache-expire -u` on all clients and ipa server
> Is there a way this can be enforced/worked around? Any ideas?
>
> - Tested replication, but could not get this replica server to resolve ad
> users. Read that I need to install the agent role to this replica server.
> Not sure how to do this, I install the replica with `ipa-replica-install
> --setup-dns --forwarder <ip> --setup-ca`. Adding --add-agents doesn't seem
> to work.
> What is the order to set up for a fully functioning replica server?
> Deployment would be main and a secondary ipa server for redundancy.
>

In order to make a replica a trust agent, you need to run *ipa-adtrust-install --add-agents* command on the trust controller (where you already ran ipa-adtrust-install but without the --add-agents option).

HTH,
flo

> Testing is done with version 4.10.2
>
> KR, slekkus.
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
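The Python API route mentioned in the reply, as an added example that is not part of the original thread and is not FreeIPA project code: it creates an empty ID override in the Default Trust View for every AD user that SSSD lists in a given POSIX group, and leaves existing overrides untouched. Assumptions: it runs on an IPA-enrolled host with a Kerberos ticket for an account allowed to add overrides, SSSD returns members as fully qualified `user@win.test.local` names, and the helper names (`connect`, `ad_members`, `ensure_overrides`) are illustrative.

```python
import grp

VIEW = "Default Trust View"   # ID view named in the thread
AD_DOMAIN = "win.test.local"  # AD domain named in the thread


def connect():
    """Connect to the IPA API (connection sequence from the FreeIPA API guide)."""
    from ipalib import api, errors  # lazy import: only present on IPA hosts
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api.Command, errors.DuplicateEntry


def ad_members(group, domain=AD_DOMAIN, lookup=grp.getgrnam):
    """AD users in a POSIX group as resolved through NSS/SSSD.

    Assumption: members appear as user@domain; names without the AD
    suffix (local or native IPA users) are ignored.
    """
    suffix = "@" + domain.lower()
    names = {member.lower() for member in lookup(group).gr_mem}
    return sorted(name for name in names if name.endswith(suffix))


def ensure_overrides(command, duplicate_exc, users, view=VIEW):
    """Add an empty override per user; an existing one is never modified."""
    report = {"created": [], "present": []}
    for user in users:
        try:
            command.idoverrideuser_add(view, user)
            report["created"].append(user)
        except duplicate_exc:
            # Override already exists, possibly with SSH keys: keep it as is.
            report["present"].append(user)
    return report


if __name__ == "__main__":
    import sys
    command, duplicate = connect()
    # argv[1]: the POSIX IPA group that the external group was mapped into
    print(ensure_overrides(command, duplicate, ad_members(sys.argv[1])))
```

Because existing overrides are skipped rather than rewritten, the script can be run repeatedly (for example from a timer) without touching SSH keys that users have already set.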