Re: [Freeipa-users] Cross Forest Transitive AD Trust
On Wed, 02 Mar 2016, PARTH MONGA wrote:
> Thanks Alexander for the prompt reply. Appreciated. Now I am wondering how
> likewise is able to do this stuff under the hood for me. I have a similar
> setup with likewise and the same one way incoming trust relationships
> towards my primary domain (dom1) from another external domain (dom2).
You need to get your terminology right. Can you explain which of the
cases from https://kb.vmware.com/kb/2064250 would apply to your
situation? There are quite a number of differences between different
types of trust.

> And I am able to login to my client machines using user accounts created
> in dom1 and dom2. Magic. Any thoughts?
There is no magic here, your likewise setup is using a different trust
mode than what IPA does. Most likely your likewise setup is a domain in
the dom1 forest already.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cross Forest Transitive AD Trust
Thanks Alexander for the prompt reply. Appreciated. Now I am wondering how
likewise is able to do this stuff under the hood for me. I have a similar
setup with likewise and the same one way incoming trust relationships
towards my primary domain (dom1) from another external domain (dom2). And I
am able to login to my client machines using user accounts created in dom1
and dom2. Magic. Any thoughts?

> On Wednesday, 2 March 2016, Alexander Bokovoy wrote:
> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have an IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one way forest transitive trust (outgoing) with a second Windows
>> domain. I want users in this second domain to be able to authenticate to
>> my IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary Windows domain.
>>
> No, that's not possible by AD architecture.
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
>> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will
>> traverse all trusts and add them. However I am starting to believe that
>> reference is for domains in only one forest. Can anyone clear up that
>> point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that AD forest trusts
> itself because while forest trust is transitive, the transition only
> extends to domains within the forests that trust each other; there is no
> transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A can only
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
>
>   Forest trusts can be created between two forests only and cannot be
>   implicitly extended to a third forest.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Cross Forest Transitive AD Trust
On Wed, 02 Mar 2016, PARTH MONGA wrote:
> Hi List Members,
>
> I have a situation I am having a hard time getting a clean answer on.
>
> I have an IDM/IPA domain setup and I have a trust setup with my Windows
> domain. That part is working perfectly.
>
> I have a one way forest transitive trust (outgoing) with a second Windows
> domain. I want users in this second domain to be able to authenticate to
> my IDM/IPA domain. I was hoping that this would be possible through my
> transitive trust with my primary Windows domain.
No, that's not possible by AD architecture.

> When I issue the command ipa trust-fetch-domains for my primary domain I
> get the response no new domains found. The second domain is never found.
That's correct.

> Here is my question. Is this even possible without creating a trust with
> the second domain directly? The documentation states that IPA will
> traverse all trusts and add them. However I am starting to believe that
> reference is for domains in only one forest. Can anyone clear up that
> point for me?
The documentation is correct, you can have multiple trusts to separate
forests and domains from all of them will be usable via trust to IPA.
However, we cannot access any domains from forests that AD forest trusts
itself because while forest trust is transitive, the transition only
extends to domains within the forests that trust each other; there is no
transitivity across forest trusts.

If forest A's root domain A trusts forest B's root domain B, and forest
B's root domain B trusts forest C's root domain C, then A can only
transit to domains in forest B, not forest C.

See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
search for the section named "Forest trusts":

  Forest trusts can be created between two forests only and cannot be
  implicitly extended to a third forest.

--
/ Alexander Bokovoy
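To make the rule in the reply above concrete, here is a small added model of forest-trust reachability. It is an illustration written for this thread, not code from FreeIPA or from any poster; the forest and domain names (dom1.example, dom2.example and their child domains) are constructed. It contrasts what IPA can actually reach through its trusts (every domain inside each directly trusted forest, nothing beyond) with the chained reachability the original question assumed, and shows why a second domain that lives inside the first forest, as Alexander suspects of the Likewise setup, works without any extra trust.

```python
"""Which AD domains an IPA forest trust actually reaches.

Added example, not from the thread or FreeIPA. Names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Forest:
    root: str
    # every domain in the forest, root included (child and tree domains)
    domains: set = field(default_factory=set)
    # roots of forests this forest's root has an outgoing forest trust to
    forest_trusts: set = field(default_factory=set)


# Scenario from the thread (constructed names): IPA trusts forest dom1,
# and dom1 has a one-way outgoing forest trust to a separate forest dom2.
FORESTS = {
    "dom1.example": Forest(
        "dom1.example",
        {"dom1.example", "child.dom1.example"},
        {"dom2.example"},
    ),
    "dom2.example": Forest(
        "dom2.example",
        {"dom2.example", "eu.dom2.example"},
    ),
}
IPA_TRUSTS = {"dom1.example"}

# The situation Alexander suspects for the Likewise setup (constructed):
# dom2 is a domain inside dom1's forest, not a separate forest at all.
FORESTS_SINGLE = {
    "dom1.example": Forest("dom1.example", {"dom1.example", "dom2.example"}),
}


def domains_via_ipa_trusts(ipa_trusts, forests):
    """Domains IPA can use: all domains of each directly trusted forest.

    A forest trust is transitive within the trusted forest (child and tree
    domains are included) but does not chain across forest trusts, so the
    forests that the trusted forest itself trusts are not reached. This is
    why 'ipa trust-fetch-domains' reports no new domains for the second forest.
    """
    found = set()
    for root in ipa_trusts:
        found |= forests[root].domains
    return frozenset(found)


def domains_if_forest_trusts_chained(ipa_trusts, forests):
    """What the original question assumed: follow forest trusts transitively.

    This is NOT how AD behaves (forest trusts cannot be implicitly extended
    to a third forest); it is here only to show the difference.
    """
    found, seen, todo = set(), set(), list(ipa_trusts)
    while todo:
        root = todo.pop()
        if root in seen:
            continue
        seen.add(root)
        found |= forests[root].domains
        todo.extend(forests[root].forest_trusts)
    return frozenset(found)


def can_authenticate(user_domain, ipa_trusts, forests):
    """True if a user from user_domain is usable via IPA's current trusts."""
    return user_domain in domains_via_ipa_trusts(ipa_trusts, forests)


if __name__ == "__main__":
    print("reachable:", sorted(domains_via_ipa_trusts(IPA_TRUSTS, FORESTS)))
    print("assumed by the question:",
          sorted(domains_if_forest_trusts_chained(IPA_TRUSTS, FORESTS)))
    print("eu.dom2.example user via dom1 trust:",
          can_authenticate("eu.dom2.example", IPA_TRUSTS, FORESTS))
    # What the thread points at: a direct trust to the second forest.
    print("same user with a direct dom2 trust:",
          can_authenticate("eu.dom2.example",
                           IPA_TRUSTS | {"dom2.example"}, FORESTS))
    # Likewise-style case: dom2 is inside dom1's forest, so one trust suffices.
    print("dom2.example inside dom1 forest:",
          can_authenticate("dom2.example", {"dom1.example"}, FORESTS_SINGLE))
```

Run it as-is to see the two reachability sets side by side; the only way to add the dom2 forest's users to the first set is to add a direct trust to that forest, which is the answer the thread arrives at.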