I went through this thread:
but I have some more questions.
I have another situation where I need a one way AD trust. We have an IPA
domain with a bunch of Linux servers and an AD domain for the corporate
network. Typical scenario. We want IPA to trust AD but do not want AD to
trust IPA. Access is available to administrator/root accounts in both the AD
and IPA domains.
The IPA server is RHEL 7 running the IPA bundled with RHEL - I think that's IPA
3.3.5 right now?
Reading through the thread above, when we set up cross forest trusts with this
version, the IPA side does not yet have the equivalent of a Windows Global
Catalog. So even though it says it's a 2-way trust, it's really not because
IPA has no way to store the global catalog copies of what it needs for Windows
to trust IPA. So with the version as it exists today, de facto, IPA
trusts AD, but AD has no way to trust IPA yet because IPA doesn't have all the
pieces in place.
So far so good. Here is the challenge.
The AD group at this site is concerned that with some future version of IPA,
since Windows already "thinks" it trusts IPA, IPA will get the correct
components and suddenly IPA users will be able to authenticate in the AD
domain. Ideally, they would like to set up an official one way trust today so
that future possibility never happens. If that isn't possible, what other
steps could they take to guard against that future possibility?
Quoting from the earlier thread:
> global catalog support is being worked on. As soon as it is implemented we
> will add more
> granularity to the way the trusts are established and thus allow formal one
> way trusts
Is there a time frame for this? I know it's tough to give completion dates and
that's not what I'm asking for - just a feel for how active the development is
around global catalog support. Is this something this site should expect in
the next few months or is it 5+ years away or somewhere in the middle? Is
there a projected version number where the support will land?
Given what we have in place today, what is the best way to handle the situation
where a site wants a one way trust but must set up a 2-way trust now with only
one side of the trust functional? I suppose it is always possible in the
future when all the pieces are in place to just destroy the 2 way trust and
re-create a one way trust, but by that time, there will probably be lots of
mapping between AD SIDs and Linux UID/GID pairs and destroying and recreating
the trust could make a royal mess out of those. Would it be possible to modify
an existing 2-way trust to only be a one-way trust when the time comes?
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
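As an added example (not from the original thread or the FreeIPA project), a PowerShell check the AD team could run on a domain controller to see how the trust to the IPA forest is currently recorded on the AD side, so a later change from one functional direction to a real bidirectional trust would be noticed; the forest name `ipa.example.test` is a placeholder.

```powershell
# Added example: audit the AD-side view of the trust to an IPA forest.
# Assumes the ActiveDirectory RSAT module is installed and the caller can
# query a domain controller. The IPA forest name below is a placeholder.
Import-Module ActiveDirectory

$IpaForest = 'ipa.example.test'   # placeholder: replace with the IPA realm name

function Get-IpaTrustReport {
    param([string]$TargetForest)

    # Get-ADTrust returns one object per trust partner. Direction is the
    # trust direction as seen from this AD domain: Inbound, Outbound or
    # BiDirectional. ForestTransitive marks a forest (cross-forest) trust.
    $trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive, TrustType, Target

    foreach ($t in $trusts) {
        if ($t.Name -ne $TargetForest -and $t.Target -ne $TargetForest) { continue }
        [pscustomobject]@{
            Partner          = $t.Name
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            TrustType        = $t.TrustType
            Bidirectional    = ($t.Direction -eq 'BiDirectional')
        }
    }
}

$report = Get-IpaTrustReport -TargetForest $IpaForest
if (-not $report) {
    Write-Output "No trust to $IpaForest is recorded in this domain."
} elseif ($report.Bidirectional) {
    # This is the state the thread describes: AD records a two-way trust
    # even though only the IPA-trusts-AD direction is functional today.
    Write-Warning "Trust to $IpaForest is recorded as bidirectional on the AD side."
}
$report | Format-List
```

Running this on a schedule and diffing the output gives the AD team a record of the trust direction over time, independent of what the IPA side reports.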