Thanks Alexander for the prompt reply.

Now I am wondering how Likewise is able to do this stuff under the hood for

I have a similar setup with Likewise and the same one-way incoming trust
relationships towards my primary domain (dom1) from another external domain

And I am able to log in to my client machines using user accounts created in
dom1 and dom2.
Any thoughts?

On Wednesday, 2 March 2016, Alexander Bokovoy <> wrote:

> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>> Hi List Members,
>> I have a situation I am having a hard time getting a clean answer on.
>> I have an IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>> I have a one-way forest transitive trust (outgoing) with a second Windows
>> domain. I want users in this second domain to be able to authenticate to
>> my IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary Windows domain.
> No, that's not possible by AD architecture.
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response "no new domains found". The second domain is never found.
> That's correct.
>> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will
>> traverse all trusts and add them. However I am starting to believe that
>> reference is for domains in only one forest. Can anyone clear up that
>> point for me?
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that the AD forest
> trusts itself because, while a forest trust is transitive, the
> transitivity only extends to domains within the forests that trust each
> other; there is no transitivity across forest trusts.
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A can only
> transit to domains in forest B, not forest C.
> See,
> search for the section named "Forest trusts":
> ---------
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest.
> ---------
> --
> / Alexander Bokovoy
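As an added illustration of the rule Alexander states above (example code written for this page, not FreeIPA's or Microsoft's code, and it does not talk to AD), here is a small Python model of which AD domains an IPA domain can see through its trusts: every domain inside a forest that IPA trusts directly, including child domains, but nothing in a forest that such a forest in turn trusts. All forest and domain names are constructed; a second function walks the forest trusts as if they chained, only to show which domains that wrong assumption would add.

```python
"""Toy model of AD forest-trust reach from an IPA domain.

Added example, not FreeIPA code. Forest and domain names are constructed.
"""

# Forest root -> every domain in that forest (root plus child domains).
# Intra-forest trusts are transitive, so a forest trust exposes all of them.
FORESTS = {
    "ipa.example": ["ipa.example"],
    "ad1.example": ["ad1.example", "sub.ad1.example"],  # "primary" Windows forest
    "ad2.example": ["ad2.example", "sub.ad2.example"],  # second Windows forest
}

# Forest trusts as (trusting forest root, trusted forest root). Each is a
# single link between exactly two forests and is never extended to a third.
FOREST_TRUSTS = [
    ("ipa.example", "ad1.example"),  # the working IPA <-> ad1 trust
    ("ad1.example", "ad2.example"),  # ad1's outgoing one-way trust to ad2
]


def domains_reachable(ipa_forest, forest_trusts=FOREST_TRUSTS, forests=FORESTS):
    """Domains whose users IPA can see: all domains of each forest that IPA
    trusts directly. No hop is taken across a second forest trust, which is
    what AD actually does."""
    reachable = set()
    for trusting, trusted in forest_trusts:
        if trusting == ipa_forest:
            reachable.update(forests[trusted])
    return reachable


def domains_if_forest_trusts_chained(ipa_forest, forest_trusts=FOREST_TRUSTS,
                                     forests=FORESTS):
    """What the original poster hoped for: following forest trusts
    transitively, hop after hop. AD does not behave this way; the function
    exists only to show the difference."""
    seen, frontier, reachable = set(), [ipa_forest], set()
    while frontier:
        current = frontier.pop()
        for trusting, trusted in forest_trusts:
            if trusting == current and trusted not in seen:
                seen.add(trusted)
                reachable.update(forests[trusted])
                frontier.append(trusted)
    return reachable


def domains_never_fetched(ipa_forest, forest_trusts=FOREST_TRUSTS,
                          forests=FORESTS):
    """Domains the chained assumption would expect ipa trust-fetch-domains
    to return but which it never will: those only reachable via a second
    forest trust."""
    return (domains_if_forest_trusts_chained(ipa_forest, forest_trusts, forests)
            - domains_reachable(ipa_forest, forest_trusts, forests))


if __name__ == "__main__":
    print("usable via trust:", sorted(domains_reachable("ipa.example")))
    print("never fetched:  ", sorted(domains_never_fetched("ipa.example")))
```

In the constructed topology only ad1.example and its child are usable from IPA; both ad2.example domains fall in the "never fetched" set, which is exactly the "no new domains found" result the poster saw. Making ad2 usable needs its own forest trust from IPA, modelled here by appending ("ipa.example", "ad2.example") to FOREST_TRUSTS.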
Manage your subscription for the Freeipa-users mailing list: