On Tue, 17 May 2016, lejeczek wrote:
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
On Tue, 17 May 2016, lejeczek wrote:
> hi users/devs
>
> I've used wiki pages to set AD - IPA trust, and it always end up
> being
> realm type of trust (@ AC DC end) whereas wiki shows forest type.
> What am I doing wrong?
Probably because you are choosing wrong type of trust on AD side.

Remove any trust with the same name as IPA on AD side and try to
create
the trust using 'ipa trust-add' command, as described in the wiki or
in
the documentation.

but ipa trust-add renders one-way type of trust, at least here for me,
is this correct?
I go to AD DC and see only one-way trust.
By default 4.2+ does one-way forest trust, that's right. AD users can
login to IPA-managed services, that's what is supported.

Two-way trust can be established with --two-way=true option to 'ipa
trust-add' but it does not mean you'll get ability to login to Windows
machines as IPA user. This is not supported yet. One-way or two-way
trust type right now is a technical detail on how trust operations are
implemented.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to