Thanks Alexander for the prompt reply.
Appreciated.

Now i am wondering how likewise is able to do this stuff under the hood for
me.

I have similar setup with likewise and same one way incoming trust
relationships towards my primary domain (dom1) from another external domain
(dom2).

And i am able to login to my client machines using user accounts created in
dom1 and dom2.
Magic
Any thoughts >

On Wednesday, 2 March 2016, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have a IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one way forest transitive trust (outgoing) with a second windows
>> domain. I want users in this second domain to be able to authenticate to
>> my
>> IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary windows domain.
>>
> No, that's not possible by AD architecture.
>
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will
>> traverse
>> all trusts and add them. However I am starting to believe that reference
>> is
>> for domains in only one forest. Can anyone clear up that point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that AD forest trusts
> itself because while forest trust is transitive, the transition is only
> extends to domains within the forests that trust each other, there is no
> transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A only can
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
> ---------
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest. ---------
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to