Hi Alex,
thanks for your prompt response. This more/less sums up our arguments, but
definitely the AD protocol documentation might be helpful.

Best regards,

2015-05-20 11:39 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Wed, 20 May 2015, opsource trail wrote:
>> Hello,
>> we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
>> we are kind of confused about what type of trust we will need to deal
>> with.
>> In Red Hat documentation we get an information that:
>> "... Trusts, then, are essentially unidirectional. Active Directory users
>> can access IdM resources and services, but IdM users cannot access Active
>> Directory resources... "
>> (
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html
>> )
> I tried to get technical writers to rewrite this sentence but so far
> unsuccessful. There seems to be some fundamental misunderstanding at
> hand, unfortunately.
>  On the other hand, when I configure the trust I can clearly see that it is
>> actually bidirectional:
>> [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin
>> Administrator --password
>> ------------------------------------------------------
>> Added Active Directory trust for realm "adexample.com"
>> ------------------------------------------------------
>>  Realm name: adexample.com
>>  Domain NetBIOS name: ADEXAMPLE
>>  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>>  Trust direction: Two-way trust
>>  Trust type: Active Directory domain
>>  Trust status: Established and verified
>> I'm afraid that our Windows department will complain and consider this as
>> a
>> security issue.
> No, it is not a security issue, regardless what your Windows department
> would like to think. They may better spend time looking into actual
> Active Directory protocols documentation at
> https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise
> situation is much more complex than a binary division between 'secure'
> and 'insecure'.
>  Is there anybody who could help me understand this?
> You can start with http://www.freeipa.org/page/V4/One-way_trust to get
> yourself a high level overview and comparison of what two-way and
> one-way trust mean in the context of IPA and Active Directory.
> --
> / Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to