Hi Alex,
thanks for your prompt response. This more or less sums up our arguments, but
definitely the AD protocol documentation might be helpful.

Best regards,
Jan

2015-05-20 11:39 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:

> On Wed, 20 May 2015, opsource trail wrote:
>
>> Hello,
>> we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
>> we are kind of confused about what type of trust we will need to deal
>> with.
>> In Red Hat documentation we get an information that:
>>
>> "... Trusts, then, are essentially unidirectional. Active Directory users
>> can access IdM resources and services, but IdM users cannot access Active
>> Directory resources... "
>> (
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html
>> )
>>
> I tried to get technical writers to rewrite this sentence but so far
> unsuccessful. There seems to be some fundamental misunderstanding at
> hand, unfortunately.
>
>> On the other hand, when I configure the trust I can clearly see that it is
>> actually bidirectional:
>> [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin
>> Administrator --password
>> ------------------------------------------------------
>> Added Active Directory trust for realm "adexample.com"
>> ------------------------------------------------------
>>  Realm name: adexample.com
>>  Domain NetBIOS name: ADEXAMPLE
>>  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>>  Trust direction: Two-way trust
>>  Trust type: Active Directory domain
>>  Trust status: Established and verified
>>
>> I'm afraid that our Windows department will complain and consider this as a
>> security issue.
>>
> No, it is not a security issue, regardless of what your Windows department
> would like to think. They may better spend time looking into the actual
> Active Directory protocols documentation at
> https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise the
> situation is much more complex than a binary division between 'secure'
> and 'insecure'.
>
>> Is there anybody who could help me understand this?
>>
> You can start with http://www.freeipa.org/page/V4/One-way_trust to get
> yourself a high level overview and comparison of what two-way and
> one-way trust mean in the context of IPA and Active Directory.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project