On Wed, 20 May 2015, opsource trail wrote:
> Hello,
> we plan to deploy IPA (Red Hat IdM) trust with an AD domain, but at the moment
> we are kind of confused about what type of trust we will need to deal with.
> In the Red Hat documentation we get the information that:
>
> "... Trusts, then, are essentially unidirectional. Active Directory users
> can access IdM resources and services, but IdM users cannot access Active
> Directory resources... "
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html)
I tried to get the technical writers to rewrite this sentence, but so far
without success. There seems to be some fundamental misunderstanding at
hand, unfortunately.

> On the other hand, when I configure the trust I can clearly see that it is
> actually bidirectional:
>
> [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
> ------------------------------------------------------
> Added Active Directory trust for realm "adexample.com"
> ------------------------------------------------------
>  Realm name: adexample.com
>  Domain NetBIOS name: ADEXAMPLE
>  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
> I'm afraid that our Windows department will complain and consider this a
> security issue.
No, it is not a security issue, regardless of what your Windows department
would like to think. They might better spend their time looking into the actual
Active Directory protocols documentation at
https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise that the
situation is much more complex than a binary division between 'secure'
and 'insecure'.

> Is there anybody who could help me understand this?
You can start with http://www.freeipa.org/page/V4/One-way_trust to get
yourself a high level overview and comparison of what two-way and
one-way trust mean in the context of IPA and Active Directory.

--
/ Alexander Bokovoy
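As an added example (not part of this thread and not FreeIPA's own tooling), a small POSIX shell helper that pulls the "Trust direction" field out of `ipa trust-find --all`-style output, so an administrator auditing which trusts are two-way can see it at a glance. The sample output below is constructed here, mirrors the key/value layout quoted above, and assumes the "Trusting forest" wording for a one-way trust.

```shell
#!/bin/sh
# Constructed sample of `ipa trust-find --all` output (not captured from a
# real server); the first record is the two-way trust shown in the thread,
# the second is an assumed one-way trust.
SAMPLE='----------------
2 trusts matched
----------------
  Realm name: adexample.com
  Domain NetBIOS name: ADEXAMPLE
  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
  Trust direction: Two-way trust
  Trust type: Active Directory domain

  Realm name: partner.example
  Domain NetBIOS name: PARTNER
  Trust direction: Trusting forest
  Trust type: Active Directory domain
----------------------------
Number of entries returned 2
----------------------------'

# trust_directions: print "realm<TAB>direction" for every trust record.
# Each record starts with "Realm name:", so we remember it until the
# matching "Trust direction:" line appears.
trust_directions() {
    printf '%s\n' "$1" | awk -F': ' '
        /^ *Realm name:/      { realm = $2 }
        /^ *Trust direction:/ { print realm "\t" $2 }
    '
}

# two_way_trusts: only the realms whose direction is "Two-way trust".
two_way_trusts() {
    trust_directions "$1" | awk -F'\t' '$2 == "Two-way trust" { print $1 }'
}

trust_directions "$SAMPLE"
echo "Two-way trusts:"
two_way_trusts "$SAMPLE"
```

On a live server replace `"$SAMPLE"` with `"$(ipa trust-find --all)"` after obtaining a Kerberos ticket.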

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project