Hello,

I have 2 AD domains on Windows 2016 with a two-way forest trust and "Selective authentication":

mydomain.com <--trust--> other.company.org

Now I have built an IDM instance on RHEL 7.5 and IPA version 4.5.4 on the subdomain "ipa.mydomain.com". I need to use users from the 2 domains above, so I have created a transitive, one-way trust:

ipa.mydomain.com --trust--> mydomain.com

But I cannot create the trust between ipa.mydomain.com <-- other.company.org because on the AD side there is already a trust between other.company.org and the root of ipa (mydomain.com).

As the trust is transitive, in theory users from other.company.org should be allowed on the ipa subdomain because:

ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org

I can get a Kerberos TGT with: "kinit [email protected]"

But I cannot do "id [email protected]", nor can I add it to an external group; it complains:

"member group: [email protected]: invalid 'trusted domain object': domain is not trusted"

Should I change something in the sssd or Kerberos configuration to make the users trusted by my trust work? Is the "Selective authentication" configured at the AD level the problem?

Thanks.

Thanks & Regards.
