
Bug 1373634

Summary: [Doc] note added for "Trust Controllers and Trust Agents"
Product: Red Hat Enterprise Linux 7
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: high
Target Milestone: rc
Target Release: ---
Keywords: Documentation
Reporter: Eugene Keck <ekeck>
Assignee: Aneta Šteflová Petrová <apetrova>
QA Contact: Namita Soman <nsoman>
CC: ekeck, nick.maludy, rhel-docs
Last Closed: 2016-11-04 08:39:52 UTC
Type: Bug

Description Eugene Keck 2016-09-06 19:43:26 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-replica.html

Section Number and Name: 
Chapter 3. Setting up IdM Replicas

Describe the issue: 
There should be a note added that, if you have a trust already set up, you should reference "Creating Cross-forest Trusts with Active Directory and Identity Management".

Suggestions for improvement: 

NOTE:
If you have a trust set up with Active Directory, please reference "Trust Controllers and Trust Agents" for options on setting up Trust Agents.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html

Additional information:

Comment 2 Aneta Šteflová Petrová 2016-09-07 10:02:49 UTC
Thank you for the report, I'll investigate this.

It seems the best place for the note is the section about deployment considerations or the prerequisites section.

Comment 3 Nick Maludy 2016-09-07 14:19:09 UTC
Aneta,

The problem I've run into, and the support case behind this bug report, stems from the following use case:

User is setting up a replica IdM server. The main IdM server has a trust established with an AD server. If the replica is not added as a "trust agent", then attempting to auth AD users against the replica will fail.

This gets even worse when the DNS records are set to round-robin between the master and replica IdM servers. Then 50% of the time the AD auth fails unexpectedly.

It would be great if the documentation for creating a replica would contain commands for establishing a trust OR contain some language that directs over to the trust documentation and what needs to be done for replicas of trusted servers.

Poorly worded example:
"If the IdM server you are replicating has a trust established, then go :here: and ensure that the trust agent is configured and X, Y and Z are performed on the replica so that authentication of trusted users succeeds on the replica."

-Nick

Comment 4 Aneta Šteflová Petrová 2016-09-08 06:32:20 UTC
Thank you for the additional details, Nick, this helps a lot. We'll look into it.

Comment 5 Aneta Šteflová Petrová 2016-09-13 07:54:24 UTC
I updated the guide and sent it for internal review.

Comment 6 Aneta Šteflová Petrová 2016-09-13 10:30:43 UTC
I added the following new content:
* an IMPORTANT admonition to "4.5. Creating the Replica: Introduction" (the section is available in the 7.3 Beta guide[1])
* a new troubleshooting topic: "A.2.1. Authenticating AD Users Against a New Replica Fails"

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

Comment 7 Aneta Šteflová Petrová 2016-09-13 10:31:46 UTC
To clarify comment#6: the update from this BZ is not yet available in the Beta docs.

Comment 10 Aneta Šteflová Petrová 2016-09-21 07:04:59 UTC
The update has been verified. The changes will make it to the Customer Portal with the next planned update.

Comment 13 Aneta Šteflová Petrová 2016-11-04 08:39:52 UTC
The updated content is now available on the Customer Portal.