Hello all!

I am working on integrating IPA in a Microsoft-dominated organization.
After playing around with cross-forest trust and Directory Server
synchronization, I came to the conclusion that trust is the right way to go,
because it involves less configuration on the AD side and it's the direction
the development community is focusing on.

As I started discussing with the AD administrators team, they expressed their
concerns about the two-way trust that is needed.

I have found the following thread in the freeipa archives:
https://www.redhat.com/archives/freeipa-users/2012-June/msg00206.html
where Simo Sorce explained why the two way trust is necessary.

But then this thread appeared:
https://www.redhat.com/archives/freeipa-users/2014-September/msg00276.html

The discussion in the thread helped me *a lot* (especially the summary
https://www.redhat.com/archives/freeipa-users/2014-September/msg00303.html)
to explain to the AD team why two-way trust is necessary and *not* a security
risk.

After convincing them that two-way trust is necessary, they still demanded
that the outgoing AD->IPA trust authentication be configured as
*Selective authentication*.

Selective authentication is described as follows:
*"Windows will not automatically authenticate users from the specified
forest for any resources in the local forest. After you close this dialog,
grant individual access to each domain and server that you want to make
available to users in the specified forest."*

While the default is forest-wide authentication:

*"Windows will automatically authenticate users from the specified forest
for the resources in the local forest."*


Can this be done? Or will it break how IPA operates the trust?


Thanks.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
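For reference, here is the AD side of the setting the post asks about: how to read the authentication mode of the outgoing AD->IPA trust, how to switch it between forest-wide and selective, and the per-server "Allowed to Authenticate" grant that selective authentication then requires. This is an added example, not code from the original post or from the FreeIPA project; the forest name ad.example.com, the IPA domain ipa.example.com and its NetBIOS name IPA, the group ipa-file-users and the server FILESRV01 are assumptions. Whether IPA's own use of the trust keeps working once the AD->IPA direction is selective is the open question of the post; this block only shows what the AD administrators would be configuring.

```powershell
# Added example (not from the original post or the FreeIPA project).
# Assumed names: AD forest root ad.example.com, IPA domain ipa.example.com
# (NetBIOS name IPA), IPA group ipa-file-users, AD member server FILESRV01.
Import-Module ActiveDirectory

# 1. Read the current mode of the outgoing trust (AD trusting IPA).
#    SelectiveAuthentication mirrors bit 0x10 (TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
#    of the trustedDomain object's trustAttributes.
$trust     = Get-ADTrust -Identity 'ipa.example.com'
$selective = ($trust.TrustAttributes -band 0x10) -ne 0
[PSCustomObject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction            # Outbound / Inbound / BiDirectional
    SelectiveAuthentication = $trust.SelectiveAuthentication
    FromTrustAttributes     = $selective                  # should agree with the line above
}

# 2. Switch the AD->IPA direction from forest-wide to selective authentication.
#    netdom takes the trusting domain first, then the trusted domain.
netdom trust ad.example.com /domain:ipa.example.com /SelectiveAuth:yes
netdom trust ad.example.com /domain:ipa.example.com /SelectiveAuth      # prints the current setting

# 3. With selective authentication on, an IPA principal reaching an AD host
#    additionally needs the "Allowed to Authenticate" extended right on that
#    host's computer object. Grant it to an IPA group on one server.
$allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate rightsGuid
$ipaGroupSid = ([System.Security.Principal.NTAccount]'IPA\ipa-file-users').Translate(
                   [System.Security.Principal.SecurityIdentifier])        # resolved through the trust
$server = Get-ADComputer -Identity 'FILESRV01'
$path   = "AD:\$($server.DistinguishedName)"
$acl    = Get-Acl -Path $path
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $ipaGroupSid,
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
              [System.Security.AccessControl.AccessControlType]::Allow,
              $allowedToAuthenticate)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 4. Verify: list every ACE on the computer object that carries the right.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# 5. Roll back to the default (forest-wide) if the selective mode proves
#    incompatible with how IPA drives the trust.
# netdom trust ad.example.com /domain:ipa.example.com /SelectiveAuth:no
```

Step 3 has to be repeated for every AD domain controller or member server the IPA principals must reach; with selective authentication, an IPA user who is not granted the right on a given computer object is refused there even though the trust itself is in place, which is what the Windows dialog text quoted above means by "grant individual access to each domain and server".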
