Hello - 

I went through this thread:

but I have some more questions.

I have another situation where I need a one way AD trust.  We have an IPA 
domain with a bunch of Linux servers and an AD domain for the corporate 
network.  Typical scenario.  We want IPA to trust AD but do not want AD to 
trust IPA.  Access is available to administrator/root accounts in both the AD 
and IPA domains.

The IPA server is RHEL 7 running the IPA bundled with RHEL - I think that's IPA 
3.3.5 right now?  

Reading through the thread above, when we set up cross forest trusts with this 
version, the IPA side does not yet have the equivalent of a Windows Global 
Catalog.  So even though it says it's a 2-way trust, it's really not because 
IPA has no way to store the global catalog copies of what it needs for Windows 
to trust IPA.  So with the version right now as it exists today, de-facto, IPA 
trusts AD, but AD has no way to trust IPA yet because IPA doesn't have all the 
pieces in place.  

So far so good.  Here is the challenge.

The AD group at this site is concerned that with some future version of IPA, 
since Windows already "thinks" it trusts IPA, that IPA will get the correct 
components and that suddenly IPA users will be able to authenticate in the AD 
domain.  Ideally, they would like to set up an official one way trust today so 
that future possibility never happens.  If that isn't possible, what other 
steps could they take to guard against that future possibility?  

Quoting from the earlier thread:

> global catalog support is being worked on. As soon as it is implemented we 
> will add more 
> granularity to the way the trusts are established and thus allow formal one 
> way trusts

Is there a time frame for this?  I know it's tough to give completion dates and 
that's not what I'm asking for - just a feel for how active the development is 
around global catalog support.  Is this something this site should expect in 
the next few months or is it 5+ years away or somewhere in the middle?  Is 
there a projected version number where the support will land?  

Given what we have in place today, what is the best way to handle the situation 
where a site wants a one way trust but must set up a 2-way trust now with only 
one side of the trust functional?  I suppose it is always possible in the 
future when all the pieces are in place to just destroy the 2 way trust and 
re-create a one way trust, but by that time, there will probably be lots of 
mapping between AD SIDs and Linux UID/GID pairs and destroying and recreating 
the trust could make a royal mess out of those.  Would it be possible to modify 
an existing 2-way trust to only be a one-way trust when the time comes?


- Greg
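The worry above about SID-to-UID/GID mappings is worth making concrete. IPA and SSSD assign POSIX ids to trusted-domain users algorithmically from an ID range (base id, range size, base RID) attached to the trust, so if a trust were torn down and re-created with a different range, every existing file and ACL owned by those ids would point at the wrong (or no) account. The following Python is an added illustration, not code from the original post or from FreeIPA; the `IdRange` class, the function names and the range values are constructed for the example, and real range parameters would be read from `ipa idrange-find`.

```python
# Added example (not part of the original thread or of FreeIPA itself):
# a simplified model of algorithmic SID -> POSIX id mapping for an AD trust
# ID range, and a check for which identities would be orphaned if the trust
# were recreated with a different range. Class and function names are
# hypothetical; the SIDs and range values below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    """One algorithmic ID range attached to a trusted AD domain."""
    domain_sid: str   # SID of the trusted AD domain (constructed below)
    base_id: int      # first POSIX id of the range
    size: int         # number of POSIX ids in the range
    base_rid: int     # first AD RID that maps into the range


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_to_posix_id(sid: str, idrange: IdRange) -> int:
    """Map an AD SID to the POSIX uid/gid the given range assigns to it."""
    domain, rid = split_sid(sid)
    if domain != idrange.domain_sid:
        raise ValueError("SID does not belong to the domain of this range")
    offset = rid - idrange.base_rid
    if not 0 <= offset < idrange.size:
        raise ValueError(f"RID {rid} is outside the range; no POSIX id")
    return idrange.base_id + offset


def orphaned_sids(old_range: IdRange, new_range: IdRange, sids: list[str]) -> list[str]:
    """SIDs whose POSIX id would change if the trust were rebuilt with new_range.

    Files and ACLs on the Linux side store the numeric id, not the SID, so a
    changed mapping leaves that data owned by an id no longer tied to the user.
    """
    return [s for s in sids if sid_to_posix_id(s, old_range) != sid_to_posix_id(s, new_range)]


# Constructed sample: the same AD domain before and after a hypothetical
# trust re-creation that allocated a new base id.
AD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_RANGE = IdRange(AD_DOMAIN_SID, base_id=1200000000, size=200000, base_rid=0)
NEW_RANGE = IdRange(AD_DOMAIN_SID, base_id=1400000000, size=200000, base_rid=0)
SAMPLE_SIDS = [f"{AD_DOMAIN_SID}-1105", f"{AD_DOMAIN_SID}-1106"]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(s, "->", sid_to_posix_id(s, OLD_RANGE), "would become", sid_to_posix_id(s, NEW_RANGE))
    print("orphaned:", orphaned_sids(OLD_RANGE, NEW_RANGE, SAMPLE_SIDS))
```

The practical mitigation this models is to record the trust's ID range parameters before any change, and, if the trust ever has to be rebuilt, recreate the range with the same base id, size and base RID so that existing ownership on the Linux servers stays valid.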

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
