On Wed, 02 Mar 2016, PARTH MONGA wrote:
Hi List Members,

I have a situation I am having a hard time getting a clean answer on.

I have a IDM/IPA domain setup and I have a trust setup with my Windows
domain. That part is working perfectly.

I have a one way forest transitive trust (outgoing) with a second windows
domain. I want users in this second domain to be able to authenticate to my
IDM/IPA domain. I was hoping that this would be possible through my
transitive trust with my primary windows domain.
No, that's not possible by AD architecture.

When I issue the command ipa trust-fetch-domains for my primary domain I
get the response no new domains found. The second domain is never found.
That's correct.

Here is my question. Is this even possible without creating a trust with
the second domain directly? The documentation states that IPA will traverse
all trusts and add them. However I am starting to believe that reference is
for domains in only one forest. Can anyone clear up that point for me?
The documentation is correct, you can have multiple trusts to separate
forests and domains from all of them will be usable via trust to IPA.
However, we cannot access any domains from forests that AD forest trusts
itself because while forest trust is transitive, the transition is only
extends to domains within the forests that trust each other, there is no
transitivity across forest trusts.

If forest A's root domain A trusts forest B's root domain B, and forest
B's root domain B trusts forest C's root domain C, then A only can
transit to domains in forest B, not forest C.

See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
search for the section named "Forest trusts":
Forest trusts can be created between two forests only and cannot be
implicitly extended to a third forest. ---------

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to