Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?
Hi Alex,

thanks for your prompt response. This more/less sums up our arguments, but definitely the AD protocol documentation might be helpful.

Best regards,
Jan

2015-05-20 11:39 GMT+02:00 Alexander Bokovoy:
> On Wed, 20 May 2015, opsource trail wrote:
>> Hello,
>> we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
>> we are kind of confused about what type of trust we will need to deal with.
>> In Red Hat documentation we get the information that:
>>
>> "... Trusts, then, are essentially unidirectional. Active Directory users
>> can access IdM resources and services, but IdM users cannot access Active
>> Directory resources... "
>> ( https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html )
>>
> I tried to get technical writers to rewrite this sentence but so far
> without success. There seems to be some fundamental misunderstanding at
> hand, unfortunately.
>
>> On the other hand, when I configure the trust I can clearly see that it is
>> actually bidirectional:
>>
>>   [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
>>   --
>>   Added Active Directory trust for realm "adexample.com"
>>   --
>>     Realm name: adexample.com
>>     Domain NetBIOS name: ADEXAMPLE
>>     Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>>     Trust direction: Two-way trust
>>     Trust type: Active Directory domain
>>     Trust status: Established and verified
>>
>> I'm afraid that our Windows department will complain and consider this as
>> a security issue.
>>
> No, it is not a security issue, regardless of what your Windows department
> would like to think. They may better spend time looking into the actual
> Active Directory protocols documentation at
> https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise the
> situation is much more complex than a binary division between 'secure'
> and 'insecure'.
>
>> Is there anybody who could help me understand this?
>>
> You can start with http://www.freeipa.org/page/V4/One-way_trust to get
> yourself a high level overview and comparison of what two-way and
> one-way trust mean in the context of IPA and Active Directory.
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?
On Wed, 20 May 2015, opsource trail wrote:
> Hello,
> we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
> we are kind of confused about what type of trust we will need to deal with.
> In Red Hat documentation we get the information that:
>
> "... Trusts, then, are essentially unidirectional. Active Directory users
> can access IdM resources and services, but IdM users cannot access Active
> Directory resources... "
> ( https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html )

I tried to get technical writers to rewrite this sentence but so far
without success. There seems to be some fundamental misunderstanding at
hand, unfortunately.

> On the other hand, when I configure the trust I can clearly see that it is
> actually bidirectional:
>
>   [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
>   --
>   Added Active Directory trust for realm "adexample.com"
>   --
>     Realm name: adexample.com
>     Domain NetBIOS name: ADEXAMPLE
>     Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>     Trust direction: Two-way trust
>     Trust type: Active Directory domain
>     Trust status: Established and verified
>
> I'm afraid that our Windows department will complain and consider this as
> a security issue.

No, it is not a security issue, regardless of what your Windows department
would like to think. They may better spend time looking into the actual
Active Directory protocols documentation at
https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise the
situation is much more complex than a binary division between 'secure'
and 'insecure'.

> Is there anybody who could help me understand this?

You can start with http://www.freeipa.org/page/V4/One-way_trust to get
yourself a high level overview and comparison of what two-way and
one-way trust mean in the context of IPA and Active Directory.

--
/ Alexander Bokovoy
[Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?
Hello,
we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
we are kind of confused about what type of trust we will need to deal with.
In Red Hat documentation we get the information that:

"... Trusts, then, are essentially unidirectional. Active Directory users
can access IdM resources and services, but IdM users cannot access Active
Directory resources... "
( https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html )

On the other hand, when I configure the trust I can clearly see that it is
actually bidirectional:

  [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
  --
  Added Active Directory trust for realm "adexample.com"
  --
    Realm name: adexample.com
    Domain NetBIOS name: ADEXAMPLE
    Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
    Trust direction: Two-way trust
    Trust type: Active Directory domain
    Trust status: Established and verified

I'm afraid that our Windows department will complain and consider this as
a security issue.

Is there anybody who could help me understand this?

Thanks! All the best.
Jan
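A defender-side check for the concern raised in this post, added here as an example and not code from the thread or from the FreeIPA project: it parses the key/value lines of the `ipa trust-add` output shown above (assumed captured to a text file; that `ipa trust-show` prints the same fields is an assumption) and flags a trust whose direction, status or domain SID differs from what the team has agreed to expect.

```python
import re

# Constructed sample: the `ipa trust-add` output quoted in the post, as it
# would look when captured to a file (the "--" lines are the command's own
# framing; the "Added ..." line is its summary and carries no field).
SAMPLE_OUTPUT = """\
--
Added Active Directory trust for realm "adexample.com"
--
  Realm name: adexample.com
  Domain NetBIOS name: ADEXAMPLE
  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""

# AD domain SIDs have the form S-1-5-21-<three 32-bit sub-authorities>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}$")


def parse_trust_output(text):
    """Turn the 'Key: value' lines of trust-add/trust-show output into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("--") or ":" not in line:
            continue  # separators and the summary line carry no fields
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_trust(fields, expected_direction):
    """Return a list of findings; an empty list means the trust matches policy."""
    findings = []
    direction = fields.get("Trust direction")
    if direction != expected_direction:
        findings.append(f"direction is {direction!r}, expected {expected_direction!r}")
    if fields.get("Trust status") != "Established and verified":
        findings.append(f"status is {fields.get('Trust status')!r}")
    if not DOMAIN_SID_RE.match(fields.get("Domain Security Identifier", "")):
        findings.append("domain SID missing or malformed")
    return findings


if __name__ == "__main__":
    # Policy value is whatever direction the IPA and AD teams agreed on.
    for finding in audit_trust(parse_trust_output(SAMPLE_OUTPUT), "Two-way trust"):
        print("FINDING:", finding)
```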