On Thu, 31 Jan 2019, SOLER SANGUESA Miguel wrote:
Hello and thanks for your time,



My first approach was to create 2 trusts:

ipa.mydomain.com --trust--> mydomain.com         (already DONE)

ipa.mydomain.com --trust--> other.company.org  (not possible)



When I try to do the second one, I get the error:

# ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true

Active Directory domain administrator: ad_ADMIN

Active Directory domain administrator's password:

ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name 
already exists." (both may be "None")



Checking the http error log with samba debug = 100, we have:
result                   : NT_STATUS_OBJECT_NAME_COLLISION




On AD side we have:
"a trust relationship with the domain you specified already exist"




That is because we already have a transitive trust between
other.company.org  and mydomain.com, so *.mydomain.com (in our case
ipa.mydomain.com) already has a trust with other.company.org on AD
side.
Correct, the issue here is not ipa.mydomain.com but that the trust
between mydomain.com and other.company.org does not have an exclusion
entry for ipa.mydomain.com. You should be able to add one on
other.company.org side for a trust to mydomain.com.


Then the only way I see is using the transitivity to make users
from other.company.org log in to ipa.mydomain.com services. Is that
possible?
It is possible, if you arrange it properly.

That's the reason why I'm thinking that "Selective authentication"
can be the problem.
Nope.

Add an exclusion entry on the mydomain.com trust at other.company.org that
says that 'ipa.mydomain.com' is excluded from that trust.

Then add a trust between ipa.mydomain.com and other.company.org. You
don't need to use --external trust flag (better not to).


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
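As an added worked example, not part of this thread and not FreeIPA's or Samba's own code: the two-sided procedure Alexander describes, written as a shell script for the IPA server, plus a helper that turns the signed-decimal code the ipa CLI prints ("-1073741771") back into the NTSTATUS hex seen in the Samba debug log (0xC0000035, NT_STATUS_OBJECT_NAME_COLLISION). The domain names and the ad_ADMIN account are taken from the thread. The netdom invocation with /AddTLNEX, the placeholder user name and the script file name are assumptions; the netdom line is printed for an AD administrator to type on a domain controller of other.company.org, not executed from the IPA host, and its trusting/trusted order should be checked against the DC before use.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeIPA.
# Source this file, then call the functions:
#   . ./ipa-trust.sh
#   ntstatus_name -1073741771      # decode an "ipa trust-add" error code
#   print_ad_exclusion_step        # show the AD-side step to hand to the AD admin
#   establish_ipa_trust            # run the IPA-side step (needs a Kerberos ticket)
set -eu

IPA_DOMAIN="ipa.mydomain.com"        # IPA realm's DNS domain (from the thread)
PARENT_DOMAIN="mydomain.com"         # AD forest that already trusts IPA (from the thread)
REMOTE_FOREST="other.company.org"    # AD forest IPA should trust directly (from the thread)
AD_ADMIN="ad_ADMIN"                  # admin account in other.company.org (from the thread)
PROBE_USER="someuser"                # assumed: any real user of other.company.org

# The ipa CLI prints the Samba NTSTATUS as a signed 32-bit decimal.
# Mask it back to 32 bits and print it in the 0xC... form used by Samba.
ntstatus_hex() {
    code=$1
    printf '0x%08X' $(( code & 0xFFFFFFFF ))
}

# Names for the codes most likely to show up during trust-add. Only
# well-known values are listed; anything else is reported as UNKNOWN.
ntstatus_name() {
    case "$(ntstatus_hex "$1")" in
        0xC0000035) echo NT_STATUS_OBJECT_NAME_COLLISION ;;  # AD already has a trust covering this name
        0xC0000022) echo NT_STATUS_ACCESS_DENIED ;;
        0xC000006D) echo NT_STATUS_LOGON_FAILURE ;;
        *)          echo UNKNOWN ;;
    esac
}

# Step 1 is done on the AD side, not on the IPA server: exclude the IPA
# DNS subtree from the existing forest trust to $PARENT_DOMAIN so that the
# name suffix stops routing through that trust. netdom is a Windows tool,
# so this only prints the command for the AD administrator. The
# /AddTLNEX form and the argument order are an assumption to verify.
print_ad_exclusion_step() {
    cat <<EOF
# On a domain controller of ${REMOTE_FOREST} (Windows, elevated prompt):
netdom trust ${REMOTE_FOREST} /d:${PARENT_DOMAIN} /AddTLNEX:${IPA_DOMAIN}
# Verify in "Active Directory Domains and Trusts" > trust to ${PARENT_DOMAIN} > Name Suffix Routing
EOF
}

# Step 2 runs on the IPA server as an IPA admin. A normal (non-external)
# forest trust is created; the --external=true flag from the failing
# command in the thread is deliberately absent, as Alexander advised.
establish_ipa_trust() {
    ipa trust-add --type=ad "${REMOTE_FOREST}" \
        --range-type=ipa-ad-trust \
        --admin "${AD_ADMIN}" --password
    # Pull the domain list of the remote forest and show the trust object.
    ipa trust-fetch-domains "${REMOTE_FOREST}"
    ipa trust-show "${REMOTE_FOREST}"
    # Smoke test: SSSD should now resolve a user from the remote forest.
    id "${PROBE_USER}@${REMOTE_FOREST}" \
        || echo "lookup failed; check: sssctl domain-status ${REMOTE_FOREST}" >&2
}
```

The decoder is worth having on hand because the ipa CLI reports the raw NTSTATUS with a generic "CIFS server communication error" wrapper; a collision (0xC0000035) means the AD side still routes the IPA name suffix through an existing trust, which is exactly the case in this thread, and no amount of retrying trust-add on the IPA side fixes it until the exclusion entry exists on the AD side.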
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
