Thanks Alexander for the prompt reply. Appreciated. Now I am wondering how Likewise is able to do this stuff under the hood for me.
I have a similar setup with Likewise and the same one-way incoming trust relationships towards my primary domain (dom1) from another external domain (dom2). And I am able to log in to my client machines using user accounts created in dom1 and dom2. Magic. Any thoughts?

> On Wednesday, 2 March 2016, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have an IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one-way forest transitive trust (outgoing) with a second Windows
>> domain. I want users in this second domain to be able to authenticate to my
>> IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary Windows domain.
>>
> No, that's not possible by AD architecture.
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
>> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will traverse
>> all trusts and add them. However I am starting to believe that reference is
>> for domains in only one forest. Can anyone clear up that point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that AD forest trusts
> itself because while forest trust is transitive, the transitivity only
> extends to domains within the forests that trust each other; there is no
> transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A can only
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
> ---------
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest.
> ---------
>
> --
> / Alexander Bokovoy
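To make the rule Alexander describes concrete, here is a small model of trust reachability. This is an added example, not code from the thread or from FreeIPA; the forest and domain names and the trust pairs are constructed, and the IPA domain is modelled as if it were a forest root that has its own trust with forest A only.

```python
from collections import deque

# Constructed topology (not from the thread): forest name -> domains in it.
# Parent/child trusts inside one forest are transitive, so once a forest is
# trusted every domain in its tree is usable.
FORESTS = {
    "ipa":     {"ipa.example"},
    "forestA": {"a.example", "sub.a.example"},
    "forestB": {"b.example", "child.b.example"},
    "forestC": {"c.example"},
}

# Constructed forest trusts as (trusting forest, trusted forest): the trusting
# side accepts users from the trusted side. IPA trusts A; A trusts B; B trusts C.
FOREST_TRUSTS = [
    ("ipa", "forestA"),
    ("forestA", "forestB"),
    ("forestB", "forestC"),
]


def reachable_forests(start, cross_forest_transitive=False):
    """Forests whose users `start` accepts over forest trusts.

    With cross_forest_transitive=False this applies the AD rule from the
    thread: a forest trust reaches only the directly trusted forest.
    With True it walks the whole chain, i.e. the expectation the original
    question was based on, which AD does not implement.
    """
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for trusting, trusted in FOREST_TRUSTS:
            if trusting == cur and trusted not in seen:
                seen.add(trusted)
                if cross_forest_transitive:
                    queue.append(trusted)  # keep walking past the first hop
    return seen


def reachable_domains(start, cross_forest_transitive=False):
    """All domains whose users could authenticate to `start`."""
    domains = set()
    for forest in reachable_forests(start, cross_forest_transitive):
        domains |= FORESTS[forest]  # whole forest tree, not just the root
    return domains


if __name__ == "__main__":
    print("AD rule:   ", sorted(reachable_domains("ipa")))
    print("naive rule:", sorted(reachable_domains("ipa", True)))
```

Running it shows that under the AD rule IPA sees only forest A's domains, which is why `ipa trust-fetch-domains` reports no new domains for the second forest.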
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project