Hello and thanks for your time,


My first approach was to create 2 trust:

ipa.mydomain.com --trust--> mydomain.com         (already DONE)

ipa.mydomain.com --trust--> other.company.org  (not possible)



When I try to do the second one, I have the error:

# ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true

Active Directory domain administrator: ad_ADMIN

Active Directory domain administrator's password:

ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")



Checking the http error log with samba debug = 100, we have:

result                   : NT_STATUS_OBJECT_NAME_COLLISION




On AD side we have:
"a trust relationship with the domain you specified already exists"



That is because we already have a transitive trust between other.company.org  
and mydomain.com, so *.mydomain.com (in our case ipa.mydomain.com) already has 
a trust with other.company.org on AD side.



Then the only way I see is using the transitivity to let users from
other.company.org log in to ipa.mydomain.com services. Is that possible?

That's the reason I'm thinking that "Selective authentication" could be
the problem.



Regards.
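The `code "-1073741771"` in the ipa error above and the `NT_STATUS_OBJECT_NAME_COLLISION` in the Samba log are the same value: the ipa client prints the 32-bit NTSTATUS as a signed decimal. The following is an added example (not code from the thread, FreeIPA or Samba) that decodes such a line back into the NTSTATUS fields and a name. The status table is a small hand-picked subset of documented NTSTATUS constants, the regex matches the ipa error format shown in this thread, and the sample line is constructed from the message quoted above.

```python
"""Decode the NTSTATUS that `ipa trust-add` reports as a signed decimal.

Added example, not part of FreeIPA or Samba.  The ipa client prints the
status as a signed 32-bit integer (e.g. code "-1073741771"); reading the
same bits as unsigned gives the NTSTATUS Samba logged (0xC0000035, which
is NT_STATUS_OBJECT_NAME_COLLISION).
"""
import re

# Subset of documented NTSTATUS values that show up during trust setup.
# Names follow Samba's NT_STATUS_* spelling; the numbers are the standard ones.
NTSTATUS_NAMES = {
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
    0xC0000034: "NT_STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000035: "NT_STATUS_OBJECT_NAME_COLLISION",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC000018A: "NT_STATUS_NO_TRUST_LSA_SECRET",
    0xC000018B: "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC000018C: "NT_STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC000018D: "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE",
}

# NTSTATUS layout: bits 31-30 severity, bit 29 customer flag,
# bits 27-16 facility, bits 15-0 code.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# Matches the ipa client's `code "<signed decimal>"` fragment (assumed format).
CODE_RE = re.compile(r'code\s+"(-?\d+)"')


def to_ntstatus(signed_code):
    """Reinterpret the signed decimal ipa prints as an unsigned 32-bit NTSTATUS."""
    return signed_code & 0xFFFFFFFF


def decode_ntstatus(status):
    """Split an NTSTATUS into its fields and look up a human-readable name."""
    return {
        "hex": "0x%08X" % status,
        "severity": SEVERITY[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS_NAMES.get(status, "unknown"),
    }


def decode_ipa_error(line):
    """Parse an `ipa: ERROR: CIFS server communication error: code "..."` line."""
    m = CODE_RE.search(line)
    if not m:
        raise ValueError("no NTSTATUS code found in: %r" % line)
    return decode_ntstatus(to_ntstatus(int(m.group(1))))


# Constructed sample: the error line quoted in this thread.
SAMPLE = ('ipa: ERROR: CIFS server communication error: code "-1073741771", '
          'message "The object name already exists." (both may be "None")')

if __name__ == "__main__":
    info = decode_ipa_error(SAMPLE)
    print("%s %s (severity=%s, facility=%d, code=0x%04X)" % (
        info["hex"], info["name"], info["severity"], info["facility"], info["code"]))
```

Running it on the sample prints `0xC0000035 NT_STATUS_OBJECT_NAME_COLLISION (severity=error, facility=0, code=0x0035)`, which is the value to search for in the Samba log rather than the decimal the ipa client shows.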

On Wed, 30 Jan 2019, SOLER SANGUESA Miguel via FreeIPA-users wrote:

>Hello,
>
>I have 2 AD domains on Windows 2016 with a forest trust, two-way, and
>"Selective authentication":
>
>mydomain.com <--trust--> other.company.org
>
>Now I have built an IDM instance on RHEL 7.5 and IPA version 4.5.4 on
>the subdomain "ipa.mydomain.com". I need to use users from the 2
>domains above, so I have created a trust, transitive and one-way:
>
>ipa.mydomain.com --trust--> mydomain.com
>
>But I can not do the trust between ipa.mydomain.com <--
>other.company.org because on AD side there is already a trust between
>other.company.org and the root of ipa (mydomain.com).  As the trust is
>transitive, in theory users from other.company.org should be allowed on
>the ipa subdomain because:
>
> ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org

This is working as designed.

>I can get a Kerberos TGT with: "kinit [email protected]"
>But I can not do "id [email protected]", nor can I add it to
>an external group; it complains: member group: [email protected]:
>invalid 'trusted domain object': domain is not trusted"
>
>Should I change something on the sssd or kerberos configuration to
>make the users trusted by my trust work?  Is the "Selective
>authentication" configured at AD level the problem?

You have to configure separate forest trusts to both mydomain.com and 
other.company.org from IPA side. There is no way around it. Selective 
authentication only affects forest trust link between the two forests.



This is a fundamental design decision in Active Directory architecture, nothing 
specific to FreeIPA.



See section 'Forest trusts' in the following document:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)



------

A forest trust can be created only between a forest root domain in one Windows 
Server 2003 forest and a forest root domain in another Windows Server 2003 
forest. Forest trusts can be created between two forests only and cannot be 
implicitly extended to a third forest. This means that if a forest trust is 
created between Forest 1 and Forest 2, and another forest trust is created 
between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with 
Forest 3.

------

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
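The rule Alexander states above (a forest trust covers the two forests it joins and is never chained to a third one, and a one-way trust only lets the trusting side accept users) can be checked against the thread's topology with a small model. This is an added example, not code from the thread, FreeIPA or Samba; it treats the IPA domain as its own forest root, which is how IPA presents itself to AD for trust purposes, and the child domain `eu.other.company.org` is a hypothetical addition used only to show that a forest trust reaches every domain of the partner forest.

```python
"""Which user domains can a resource domain authenticate across AD trusts?

Added example, not code from the thread or from FreeIPA/Samba.  Rules encoded:
  - domains inside one forest trust each other transitively;
  - a forest trust lets the trusting forest accept users from every domain
    of the trusted forest, but it is never chained to a third forest;
  - direction matters: a one-way trust lets only the trusting side accept users.
Forest and domain names follow the thread; eu.other.company.org is hypothetical.
"""


class Forest:
    def __init__(self, root, child_domains=()):
        self.root = root
        self.domains = {root, *child_domains}


class Topology:
    def __init__(self, forests):
        self.forest_of = {d: f.root for f in forests for d in f.domains}
        # Directed edges (trusting_root, trusted_root); two-way = both directions.
        self.forest_trusts = set()

    def add_forest_trust(self, trusting, trusted, two_way=False):
        self.forest_trusts.add((trusting, trusted))
        if two_way:
            self.forest_trusts.add((trusted, trusting))

    def can_authenticate(self, resource_domain, user_domain):
        """True if resource_domain accepts a user whose account lives in user_domain."""
        rf = self.forest_of[resource_domain]
        uf = self.forest_of[user_domain]
        if rf == uf:
            return True  # intra-forest trusts are transitive
        # Forest trusts are evaluated one hop only: no transit via a third forest.
        return (rf, uf) in self.forest_trusts


def build_thread_topology():
    """The topology described in the thread before the second IPA trust exists."""
    t = Topology([
        Forest("mydomain.com"),
        Forest("other.company.org", child_domains=["eu.other.company.org"]),
        Forest("ipa.mydomain.com"),  # IPA acts as its own forest root
    ])
    t.add_forest_trust("mydomain.com", "other.company.org", two_way=True)
    t.add_forest_trust("ipa.mydomain.com", "mydomain.com")  # one-way: IPA trusts AD
    return t


def fixed_topology():
    """Same topology after the separate IPA -> other.company.org forest trust."""
    t = build_thread_topology()
    t.add_forest_trust("ipa.mydomain.com", "other.company.org")
    return t


if __name__ == "__main__":
    for label, topo in (("before", build_thread_topology()), ("after", fixed_topology())):
        for user_domain in ("mydomain.com", "other.company.org", "eu.other.company.org"):
            print(label, "ipa.mydomain.com accepts", user_domain, "->",
                  topo.can_authenticate("ipa.mydomain.com", user_domain))
```

In the "before" topology IPA accepts users from mydomain.com only; other.company.org users get a TGT from their own KDC but IPA has no trusted domain object for them, which is the `domain is not trusted` error in the original post. Only the direct trust in `fixed_topology()` changes that, and it covers the partner forest's child domain as well.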
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
