Bug 1373634

Summary: [Doc] note added for "Trust Controllers and Trust Agents"
Product: Red Hat Enterprise Linux 7
Reporter: Eugene Keck <ekeck>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Aneta Šteflová Petrová <apetrova>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: low
Priority: high
Version: 7.3
CC: ekeck, nick.maludy, rhel-docs
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2016-11-04 08:39:52 UTC
Type: Bug

Description Eugene Keck 2016-09-06 19:43:26 UTC
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-replica.html

Section Number and Name: 
Chapter 3. Setting up IdM Replicas

Describe the issue: 
There should be a note added that, if you have a trust already set up, you should reference "Creating Cross-forest Trusts with Active Directory and Identity Management".

Suggestions for improvement: 

NOTE:
If you have a trust set up with Active Directory, please reference "Trust Controllers and Trust Agents" for options on setting up Trust Agents.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/creating-trusts.html

Additional information:

Comment 2 Aneta Šteflová Petrová 2016-09-07 10:02:49 UTC
Thank you for the report, I'll investigate this.

It seems the best place for the note is the section about deployment considerations or the prerequisites section.

Comment 3 Nick Maludy 2016-09-07 14:19:09 UTC
Aneta,

The problem I've run into, and the support case behind this bug report, stems from the following use case:

User is setting up a replica IdM server. The main IdM server has a trust established with an AD server. If the replica is not added as a "trust agent", then attempting to auth AD users against the replica will fail.

This gets even worse when the DNS records are set to round-robin between the master and replica IdM servers. Then 50% of the time the AD auth fails unexpectedly.

It would be great if the documentation for creating a replica would contain commands for establishing a trust OR contain some language that directs over to the trust documentation and what needs to be done for replicas of trusted servers.

Poorly worded example:
"If the IdM server you are replicating has a trust established, then go :here: and ensure that the trust agent is configured and X, Y and Z are performed on the replica so that authentication of trusted users succeeds on the replica."

-Nick

Comment 4 Aneta Šteflová Petrová 2016-09-08 06:32:20 UTC
Thank you for the additional details, Nick, this helps a lot. We'll look into it.

Comment 5 Aneta Šteflová Petrová 2016-09-13 07:54:24 UTC
I updated the guide and sent it for internal review.

Comment 6 Aneta Šteflová Petrová 2016-09-13 10:30:43 UTC
I added the following new content:
* an IMPORTANT admonition to "4.5. Creating the Replica: Introduction" (the section is available in the 7.3 Beta guide[1])
* a new troubleshooting topic: "A.2.1. Authenticating AD Users Against a New Replica Fails"

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html

Comment 7 Aneta Šteflová Petrová 2016-09-13 10:31:46 UTC
To clarify comment#6: the update from this BZ is not yet available in the Beta docs.

Comment 10 Aneta Šteflová Petrová 2016-09-21 07:04:59 UTC
The update has been verified. The changes will make it to the Customer Portal with the next planned update.

Comment 13 Aneta Šteflová Petrová 2016-11-04 08:39:52 UTC
The updated content is now available on the Customer Portal.