Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1252414
Description of problem:
=======================
"ipa-adtrust-install --add-agents" command fails to identify the available replicas (installed replicas) to be added to the master.

ipa version:
=============
ipa-server-4.2.0-3.el7.x86_64
sssd-1.13.0-11.el7.x86_64

Additional info:
================
Discussed with Ab about this behavior via email. Please find below his response and possible fix to address this issue.

Ab's response (root cause analysis):
===================================
AD Trust agents feature requires RHEL7.2 masters for the agents' side. We cannot enable older masters as they wouldn't have proper SSSD and proper IPA to work in such mode. To do filtration of the older/newer masters, we rely on the following filter:

"(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))"

e.g. these should be masters whose records have object class for topology plugin and configured to serve topology plugin. If only objectclass is there, it might simply be a replica that got configuration but no actual code from FreeIPA 4.2.

What has happened with IPA in RHEL7.2 is that we decided to not enable topology plugin until its functionality will be full. As result, the filter above is not giving any output because all replicas now have ipaMaxDomainLevel equal to 0:

# replica1.btestrelm.test, masters, ipa, etc, btestrelm.test
dn: cn=replica1.btestrelm.test,cn=masters,cn=ipa,cn=etc,dc=btestrelm,dc=test
objectClass: top
objectClass: nsContainer
objectClass: ipaReplTopoManagedServer
objectClass: ipaConfigObject
objectClass: ipaSupportedDomainLevelConfig
cn: replica1.btestrelm.test
ipaReplTopoManagedSuffix: dc=btestrelm,dc=test
ipaMinDomainLevel: 0
ipaMaxDomainLevel: 0

We need to find out any other way to differentiate between new and old replicas and change the filter accordingly.
Ab's Proposed Idea to fix the issue:
====================================
We need to get list of those IPA replicas which run IPA 4.2, unrelated to whether they were configured with ipa-adtrust-install or not. We need to know that master was upgraded to 4.2, reliably. That said, we add ipaMinDomainLevel/ipaMaxDomainLevel in 72-domainlevels.update which means you have to update your replica to actually receive these values in your replica's entry. We could simply change the filter to make sure that both attributes exist and don't care about the value.

I tried to change the filter in ipa-adtrust-install to

filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))"

and it detected there are three replicas to add agents on.
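The following is an added illustration, not code from the ticket or from FreeIPA: a small evaluator for the RFC 4515 filter subset used above, run against constructed cn=masters entries (only replica1 is taken from the ticket; the other hostnames are made up). It shows both halves of the root cause: with every upgraded replica carrying ipaMaxDomainLevel=0, the original "(!(ipaMaxDomainLevel=0))" clause excludes them, while (as directory servers evaluate NOT over an absent attribute) it still accepts an entry that only received the object class through replication. The proposed presence filter "(attr=*)" selects exactly the entries that received the 72-domainlevels.update attributes, whatever their values.

```python
"""Added example (not from the ticket): evaluate the two ipa-adtrust-install
filters against constructed cn=masters entries."""
from typing import Dict, List, Tuple

# An entry is attribute name -> list of string values. LDAP attribute names
# are case-insensitive, so lookups normalise to lower case.
Entry = Dict[str, List[str]]


def _values(entry: Entry, attr: str) -> List[str]:
    """Return the values of attr (case-insensitive name match), or [] if absent."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def parse_filter(text: str):
    """Parse the RFC 4515 subset needed here: (&...), (|...), (!...), (attr=value), (attr=*)."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] != ")":
                children.append(parse())
            pos += 1
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = parse()
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return ("!", child)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter. An equality item on an absent attribute is
    false, so (!(attr=0)) is true for entries that lack attr entirely."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":  # presence filter: true when the attribute has any value
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def search(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the cn of every entry matching filter_text, in input order."""
    node = parse_filter(filter_text)
    return [_values(e, "cn")[0] for e in entries if matches(node, e)]


# The filter ipa-adtrust-install shipped with, and the presence-based one proposed in the ticket.
ORIGINAL_FILTER = "(&(objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0)))"
PROPOSED_FILTER = ("(&(objectclass=ipaSupportedDomainLevelConfig)"
                   "(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))")
BASE_CLASSES = ["top", "nsContainer", "ipaReplTopoManagedServer", "ipaConfigObject"]

# Constructed sample of cn=masters entries (hostnames other than replica1 are made up).
MASTERS: List[Entry] = [
    # upgraded to 4.2: 72-domainlevels.update added both attributes, both currently 0
    {"cn": ["replica1.btestrelm.test"],
     "objectClass": BASE_CLASSES + ["ipaSupportedDomainLevelConfig"],
     "ipaMinDomainLevel": ["0"], "ipaMaxDomainLevel": ["0"]},
    {"cn": ["replica2.btestrelm.test"],
     "objectClass": BASE_CLASSES + ["ipaSupportedDomainLevelConfig"],
     "ipaMinDomainLevel": ["0"], "ipaMaxDomainLevel": ["0"]},
    # received the object class through replication but never ran the update
    {"cn": ["stale.btestrelm.test"],
     "objectClass": BASE_CLASSES + ["ipaSupportedDomainLevelConfig"]},
    # pre-4.2 master with no domain-level configuration at all
    {"cn": ["old.btestrelm.test"], "objectClass": BASE_CLASSES},
]


def compare_filters(entries: List[Entry] = MASTERS) -> Tuple[List[str], List[str]]:
    """Return (matches of the original filter, matches of the proposed filter)."""
    return search(ORIGINAL_FILTER, entries), search(PROPOSED_FILTER, entries)


if __name__ == "__main__":
    original, proposed = compare_filters()
    print("original filter matched:", original)   # only the stale entry
    print("proposed filter matched:", proposed)   # replica1 and replica2
```

Running it prints the stale, non-upgraded entry as the only match of the original filter and the two upgraded replicas as the matches of the proposed one; a check like compare_filters() is a cheap way to pin such a filter change down in a unit test before it goes into the installer.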
master:
ipa-4-2:
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.2.1