On 14.06.21 13:37, Alexander Bokovoy wrote:
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows
Integration guide, it nicely explains the difference between external
trust and forest trust.
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad>
Sorry for my unspecific initial question. I did read the
documentation. As I understood it the external trust somehow isolates
the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot
use DomB users in a DomA group for example, right? If DomB trust was
not external I could do that?
I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups
Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only
have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups
can be seen and used for authentication across the trust, there is no
transitivity into any other trust that this AD domain may have
anywhere else
In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by
the group scopes.
In our case IPA hast a trust to the forest root of domain A which itself
has a trust to domain B. IPA has an external trust to domain B. With the
AD management tool we are using I can put users of domain B into a group
of domain A.
When I try to use that particular group (POSIX group that has the AD
group as its member) in a HBAC scenario I do get a permission denied error.
External trust to domain B was setup years ago when we were still
experimenting with IPA. So my first question is if the separate trust to
domain B is needed at all? (because there is a trust from domain A to
domain B on the AD side.) If yes I probably would not want domain B
trust to be an external one in my scenario, would I?
Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
