Hi,

our progress on IPA-IPA trust is tightly coupled with implementation of the Global Catalog service to allow a practical use of the other leg in trust to Active Directory. As I said, the focus currently is elsewhere; you can see the state as of 2021 here: https://talks.vda.li/talks/2021/2021-02-global-catalog.pdf. The code it references is working to a certain degree but incomplete. It also allowed finding some missing functionality in SSSD when IPA domain controllers are used instead of AD DCs in this trust.

That branch does not contain one important commit where I experimented with IPA-IPA trust creation. Sadly, the commit (in https://github.com/freeipa/freeipa/compare/master...abbra:freeipa:wip-ipa-ipa-trust) is not kept up to date; it is now a year behind current IPA development.

If you find any resources to help with debugging these configurations in future, let me know.

On Wed, Feb 22, 2023 at 12:18 AM Jostein Fossheim via FreeIPA-users <[email protected]> wrote:
>
> Thank you for the clarification regarding PAD. I read through the
> IETF-draft, and it's a pity that it never was implemented. But I have
> always thought that SIDs do make more sense, from a design point of view.
>
> I read through the section from sssd.conf-manpage, and that was enlightening
> regarding how PACs are handled.
>
> I am aware that the users have to be exactly the same, for our planned setup,
> that is no problem, since the LAB-realm that is trusting our main-realm, and
> is primarily a test-bench and a technical playground. It's no more complicated
> than running a barebone MIT-realm, on top of a FLAT passwd-/group-file or a
> simple LDAP-backend.
>
> I hope we will see a trust-relationship between IPA-realms implemented in a
> not too distant future. If we had more resources, we would have loved to
> sponsor or contribute to the development.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
