On ma, 10 heinä 2017, None via FreeIPA-users wrote:
Hi everyone,

first post, hope the question is not too dumb and this is the right list.

I’m trying to use IPA in the way the RHEL Windows Integration Guide
describes it in the one-way-trust setup (indirect integration, using AD
for auth, IPA for policies).  However, I’m hitting a wall since at one
point you have to provide AD Admin credentials (setting up the
agreement) which I don’t have/won’t have.
To establish cross-forest trust, you have to be a member of Domain
Admins group of a forest root domain in AD or a member of an Enterprise
Admins group in the forest. There is no other way.

Question: Are there other ways to get the (almost) same result w/o
having admin access to AD?

* Some 2 years back Dmitri Dal made a comment here which seems to point into 
that direction
               https://pagure.io/freeipa/issue/4546
   but I wasn’t able to find anything in the official documentation or 
elsewhere and that issue has been closed as fixed.
No, Dmitri was wrong in his first comment. What the ticket #4546
describes is a real one-way cross-forest trust like AD expects it.


As of now I only see recreating all the users/groups from AD in IPA w/o
any connectivity in between as one option, which would be ok but not
very elegant and users have to deal with another password.

Is it possible to use SSSD with AD as auth/idprovider and IPA for
policies (something like shown in the modern integration option image
here but with policies fetched from IPA:
http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options/)?
If you have no credentials to establish cross-forest trust, you are not
dealing with the cross-forest trust and thus everything about trust from
RHEL Windows Integration Guide does not apply there. Yes, you can take
on a journey to hack up something based on direct integration but this
is not going to be supported in FreeIPA.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to