On Tue, 30 Jun 2015, Steve Justice wrote:
> All, I am testing an IDM/IPA setup for our RHEL environment.
>
> My current setup:
>
> sjlab.local - domain one
> mylab.local - domain two
>
> sjlab and mylab are two separate AD domains; sjlab is the primary domain
> IDM will be integrated with. sjlab has a one-way (outgoing) forest-type
> transitive trust with mylab.
>
> idm.sjlab.local - IDM domain
>
> I have the trust between IDM and sjlab working.
>
> When I perform an ipa trust-show on sjlab.local I see that it is connected
> with a trust direction of Two-way trust and type of Active Directory.
>
> I can authenticate with users from sjlab.local to a server on the idm
> domain. That all appears to be working ok.
>
> What I cannot do however is authenticate with users from the mylab.local
> domain.
You wouldn't be able to do so because there is no transitivity for
forest trusts in Active Directory; see below for an explanation.

> When I perform an ipa trust-fetch-domains for sjlab.local it states that no
> new domains can be found.
>
> I know the documentation refers to this trust as a transitive trust within
> the forest. I have a forest level trust between sjlab and mylab, however
> I realize they are not in the same forest. Does that mean that this type
> of setup will not work, or is there something I am missing?
You are missing the fact that forest trusts in Active Directory are not
transitive. If you have forests A, B, and C, and A trusts B, B trusts C,
there is no way in Active Directory for A to trust C other than
explicitly establishing a forest trust with it. This is true for Active
Directory to Active Directory forest trusts.

What FreeIPA documentation tells you is that for domains belonging to an
Active Directory forest, the forest trust between FreeIPA and the Active
Directory forest root domain allows it to transitively trust those other
domains in the same forest.

E.g. if A is an AD forest, its forest root domain is A. If there are
other domains in the same forest, they trust A and by extension the FreeIPA
domain will be able to trust all of them (barring cases where the trust is
one-way and doesn't allow reaching FreeIPA via forest root domain A).

/ Alexander Bokovoy
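The two rules in the reply above (trust is transitive inside one forest, but a forest trust is a single hop that is never chained) can be checked against the thread's setup with a small reachability model. This is an added example, not code from the thread or from FreeIPA: it uses the domain names from the thread, and corp.sjlab.local is an assumed child domain of the sjlab forest, added only to show intra-forest transitivity.

```python
"""Toy model of trust reachability across Active Directory forests.

Added example for this thread, not code from FreeIPA or from the posters.
Domain names follow the thread (idm.sjlab.local, sjlab.local, mylab.local);
corp.sjlab.local is an assumed child domain added to show that trust inside
one forest is transitive while forest-to-forest trust is not.
"""

# Forest name -> domains in that forest. Parent/child trusts inside a forest
# are two-way and transitive, so forest membership alone decides reachability
# within the forest.
FORESTS = {
    "sjlab": {"sjlab.local", "corp.sjlab.local"},  # corp.sjlab.local: assumed child domain
    "mylab": {"mylab.local"},
    "idm": {"idm.sjlab.local"},  # the FreeIPA realm, which AD sees as its own forest
}

# Forest trusts as (trusting, trusted) pairs. "A trusts B" means users from
# forest B may authenticate to resources in forest A (an "outgoing" trust
# from A's point of view). These edges are never chained: A trusts B and
# B trusts C does not make A trust C.
FOREST_TRUSTS = {
    ("idm", "sjlab"),
    ("sjlab", "idm"),    # together: the two-way IdM <-> sjlab trust from the thread
    ("sjlab", "mylab"),  # sjlab's one-way outgoing trust to mylab
}


def forest_of(domain):
    """Return the name of the forest that contains `domain`."""
    for forest, domains in FORESTS.items():
        if domain in domains:
            return forest
    raise KeyError(f"unknown domain: {domain}")


def domains_trusted_by(resource_domain, forest_trusts=FOREST_TRUSTS):
    """Domains whose users can authenticate to `resource_domain`.

    Rule 1: every domain in the same forest (intra-forest trust is transitive).
    Rule 2: every domain of a forest that `resource_domain`'s forest trusts
            directly (one hop only: forest trusts are not transitive).
    """
    home = forest_of(resource_domain)
    reachable = set(FORESTS[home])
    for trusting, trusted in forest_trusts:
        if trusting == home:
            # The whole trusted forest is reachable (rule 1 applies inside it),
            # but nothing that forest trusts in turn (rule 2).
            reachable |= FORESTS[trusted]
    return reachable


def missing_forest_trust(resource_domain, user_domain, forest_trusts=FOREST_TRUSTS):
    """Return the (trusting, trusted) forest trust that would have to be
    established explicitly for `user_domain` users to reach `resource_domain`,
    or None if they already can."""
    if user_domain in domains_trusted_by(resource_domain, forest_trusts):
        return None
    return (forest_of(resource_domain), forest_of(user_domain))


if __name__ == "__main__":
    idm = "idm.sjlab.local"
    print("Users able to authenticate to IdM:", sorted(domains_trusted_by(idm)))
    print("Trust needed for mylab users:", missing_forest_trust(idm, "mylab.local"))
    # One-way variant from the closing caveat: if only IdM trusts sjlab,
    # IdM users cannot authenticate to sjlab, but sjlab users still reach IdM.
    one_way = {("idm", "sjlab"), ("sjlab", "mylab")}
    print("Users able to authenticate to sjlab (one-way):",
          sorted(domains_trusted_by("sjlab.local", one_way)))
```

Running it reproduces what the thread observes: sjlab.local and its child domain can authenticate to IdM through the single forest trust, mylab.local cannot, and the only fix the model offers is an explicit idm-to-mylab forest trust, which matches the reply's point that nothing short of a direct trust crosses a second forest boundary.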

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project