On Fri, 10 Oct 2014, Genadi Postrilko wrote:
Thank you for providing the reference.
I understood that when creating a forest trust between two AD forests,
the trust is transitive to all domains in both forests (by default).
And it has to be established between the two forest root domain.

External trust (between AD forests or domains), is non transitive.
Trust can be established between (child) domains in different forests,
without the need to create trust between child domains and the forest
root domain of the opposite forest.

But i'm not sure about Realm Trust.
Realm Trust considered as a kind of forest trust? And that why the trust
has to be established between the forest root domains (and not like
external trust) ?
FreeIPA only provides the first type of the trust -- a forest trust to
AD where AD thinks it trusts an AD forest. All other types of forest are
irrelevant in this context and have no implementation or support in

Assuming i follow the IPA Trust setup guide-
The trust created between red.com (AD forest root domain) and
linux.blue.com (IPA domain) is configured to be transitive? Users from
blue.com domain will able to login to IPA domain?  And so are users
from other child and root domains in the forest?
Yes, and yes.

You have ipa trustdomain-find|del|disable|enable

commands to manage what domains from the trust can have access to IPA
resources. Forest root domain is always allowed, you cannot disable it,
only delete the whole trust.

2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

On Wed, 08 Oct 2014, Genadi Postrilko wrote:

2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

 On Wed, 08 Oct 2014, Genadi Postrilko wrote:

 The forest root domain in my case is RED.COM.

 You need to establish trust to red.com then. Any domain which is
of the forest red.com will be visible through trust.

Forest trust can only be established between forest root domains, that's
how it is designed by Microsoft.

 It doesn't matter how complex the forest is? Even if the forest contains
number of domain trees, the trust has to be
established with the forest root domain?

Yes, see "Forest trusts" section of

 I have attached the log files.

 These logs show you are attempting to establish trust to blue.com
is not a forest root domain, thus nothing works.

I assumed that DNS forwarding has to be created between IPA (
and the AD (blue.com).
Should any DNS configuration change?

It should be between all AD domains which would use IPA services, namely
forest root domain (red.com) and all other domains whose users will be
accessing the trust (blue.com in your case).

Usually this is solved globally, of course.
/ Alexander Bokovoy

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to