[Freeipa-users] FreeIPA in a locked down Active Directory environment
Simo Sorce
simo at redhat.com
Tue Jun 19 14:41:10 UTC 2012
On Tue, 2012-06-19 at 13:26 +0100, James Hogarth wrote:
> > I wonder if the (very) new IPA AD trust feature could solve at least
> > some of your problems. Have a look at
> > http://freeipa.org/page/IPAv3_testing_AD_trust for some info on how this
> > can be tested.
> >
>
> The initial documentation looks like it's describing a full two way
> trust - in principal would a one way trust be feasible?
>
> Allow the AD users (or a selection thereof) access to the systems part
> of the IPA domain but not vice versa?
Well, at the moment we only set up a two way trust
but the windows admins would certainly be able to delete the outgoing
trust right after it is created, it should cause trouble for win users
that want to access ipa hosts.
We may take an RFE about creating only a one way trust, but it won't be
there by 3.0 I think.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list