<div dir="rtl"><div dir="ltr">All understood :) </div><div dir="ltr">Thank you (and all others who responded) for the explanations.</div><div dir="ltr"> </div><div dir="ltr">Genadi.</div></div><div class="gmail_extra"> <div class="gmail_quote"><div dir="ltr">2014-10-10 6:26 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>:</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, 10 Oct 2014, Genadi Postrilko wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Thank you for providing the reference. I understood that when creating a forest trust between two AD forests, the trust is transitive to all domains in both forests (by default). And it has to be established between the two forest root domain. External trust (between AD forests or domains), is non transitive. Trust can be established between (child) domains in different forests, without the need to create trust between child domains and the forest root domain of the opposite forest. But i'm not sure about Realm Trust. Realm Trust considered as a kind of forest trust? And that why the trust has to be established between the forest root domains (and not like external trust) ? </blockquote> FreeIPA only provides the first type of the trust -- a forest trust to AD where AD thinks it trusts an AD forest. All other types of forest are irrelevant in this context and have no implementation or support in FreeIPA. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Assuming i follow the IPA Trust setup guide- The trust created between <a href="http://red.com" target="_blank">red.com</a> (AD forest root domain) and <a href="http://linux.blue.com" target="_blank">linux.blue.com</a> (IPA domain) is configured to be transitive? Users from <a href="http://blue.com" target="_blank">blue.com</a> domain will able to login to IPA domain? And so are users from other child and root domains in the forest? </blockquote> Yes, and yes. You have ipa trustdomain-find|del|disable|enable commands to manage what domains from the trust can have access to IPA resources. Forest root domain is always allowed, you cannot disable it, only delete the whole trust.<div class="HOEnZb"><div class="h5"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Wed, 08 Oct 2014, Genadi Postrilko wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>: On Wed, 08 Oct 2014, Genadi Postrilko wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> The forest root domain in my case is <a href="http://RED.COM" target="_blank">RED.COM</a>. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> You need to establish trust to <a href="http://red.com" target="_blank">red.com</a> then. Any domain which is </blockquote> member of the forest <a href="http://red.com" target="_blank">red.com</a> will be visible through trust. Forest trust can only be established between forest root domains, that's how it is designed by Microsoft. It doesn't matter how complex the forest is? Even if the forest contains </blockquote> number of domain trees, the trust has to be established with the forest root domain? </blockquote> Yes, see "Forest trusts" section of <a href="http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx" target="_blank">http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx</a> I have attached the log files. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> These logs show you are attempting to establish trust to <a href="http://blue.com" target="_blank">blue.com</a> </blockquote> which is not a forest root domain, thus nothing works. </blockquote> I assumed that DNS forwarding has to be created between IPA ( <a href="http://linux.blue.com" target="_blank">linux.blue.com</a>) and the AD (<a href="http://blue.com" target="_blank">blue.com</a>). Should any DNS configuration change? </blockquote> It should be between all AD domains which would use IPA services, namely forest root domain (<a href="http://red.com" target="_blank">red.com</a>) and all other domains whose users will be accessing the trust (<a href="http://blue.com" target="_blank">blue.com</a> in your case). Usually this is solved globally, of course. -- / Alexander Bokovoy </blockquote></blockquote> </div></div> -- / Alexander Bokovoy </blockquote></div> </div>