Red Hat Summit第8章 Verifying your IdM and AD trust configuration using IdM Healthcheck
Learn more about identifying issues with a trust between Identity Management (IdM) and Active Directory (AD) by using the Healthcheck tool.
8.1. IdM and AD trust Healthcheck tests
The Healthcheck tool includes several tests for testing the status of the trust between Identity Management (IdM) and Active Directory (AD).
To see all trust tests, run ipa-healthcheck with the --list-sources option:
# ipa-healthcheck --list-sources
You can find all trust-related tests under the ipahealthcheck.ipa.trust source:
- IPATrustAgentCheck
-
This test checks the SSSD configuration if the current host is configured as a trust agent. For each domain in
/etc/sssd/sssd.confwhereid_provider=ipaensure thatipa_server_modeisTrue. - IPATrustDomainsCheck
-
This test checks if the trust domains match SSSD domains by comparing the list of domains in
sssctl domain-listwith the list of domains fromipa trust-findexcluding the IdM domain. - IPATrustCatalogCheck
This test resolves an AD user,
Administrator@REALM. This populates the AD Global catalog and AD Domain Controller values insssctl domain-statusoutput.For each trust domain look up the user with the ID of the SID + 500, that is the administrator ID, and then check the output of
sssctl domain-status <domain> --active-serverto ensure that the domain is active.- IPAsidgenpluginCheck
-
This test verifies that the
sidgenplugin is enabled in the IdM 389-ds instance. The test also verifies that theIPA SIDGENandipa-sidgen-taskplugins incn=plugins,cn=configinclude thensslapd-pluginEnabledoption. - IPATrustAgentMemberCheck
-
This test verifies that the current host is a member of
cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX. - IPATrustControllerPrincipalCheck
-
This test verifies that the current host is a member of
cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX. - IPATrustControllerServiceCheck
- This test verifies that the current host starts the ADTRUST service in ipactl.
- IPATrustControllerConfCheck
-
This test verifies that
ldapiis enabled for the passdb backend in the output ofnet conflist. - IPATrustControllerGroupSIDCheck
-
This test verifies that the
adminsgroup’s SID ends with 512, which is the Domain Admins' RID. - IPATrustPackageCheck
-
This test verifies that the
trust-adpackage is installed if the trust controller and AD trust are not enabled.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}