[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Dmitri Pal dpal at redhat.com
Fri Oct 10 00:36:58 UTC 2014

On 10/09/2014 07:07 PM, Genadi Postrilko wrote:
> Thank you for providing the reference.
> I understood that when creating a forest trust between two AD forests,
> the trust is transitive to all domains in both forests (by default). 
> And it has
> to be established between the two forest root domain.
> External trust (between AD forests or domains), is non transitive.
> Trust can be established between (child) domains in different forests, 
> without the need to
> create trust between child domains and the forest root domain of 
> the opposite forest.
> But i'm not sure about Realm Trust.
> Realm Trust considered as a kind of forest trust? And that why the 
> trust has
> to be established between the forest root domains (and not like 
> external trust) ?
> Assuming i follow the IPA Trust setup guide-
> The trust created between red.com <http://red.com> (AD forest root 
> domain) and linux.blue.com <http://linux.blue.com> (IPA domain)
> is configured to be transitive? Users from blue.com <http://blue.com> 
> domain will able to login to IPA domain?
> And so are users from other child and root domains in the forest?

Yes. If you have forest trust between IPA and your AD forest where red 
is the root domain then users from all subdomains including blue would 
be able to access resources in the IPA domain.
This is true starting freeipa 3.3.

> 2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com 
> <mailto:abokovoy at redhat.com>>:
>     On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>         2014-10-08 17:48 GMT+02:00 Alexander Bokovoy
>         <abokovoy at redhat.com <mailto:abokovoy at redhat.com>>:
>             On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>                 The forest root domain in my case is RED.COM
>                 <http://RED.COM>.
>             You need to establish trust to red.com <http://red.com>
>             then. Any domain which is member
>             of the forest red.com <http://red.com> will be visible
>             through trust.
>             Forest trust can only be established between forest root
>             domains, that's
>             how it is designed by Microsoft.
>         It doesn't matter how complex the forest is? Even if the
>         forest contains
>         number of domain trees, the trust has to be
>         established with the forest root domain?
>     Yes, see "Forest trusts" section of
>     http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
>                 I have attached the log files.
>             These logs show you are attempting to establish trust to
>             blue.com <http://blue.com> which
>             is not a forest root domain, thus nothing works.
>         I assumed that DNS forwarding has to be created between IPA
>         (linux.blue.com <http://linux.blue.com>)
>         and the AD (blue.com <http://blue.com>).
>         Should any DNS configuration change?
>     It should be between all AD domains which would use IPA services,
>     namely
>     forest root domain (red.com <http://red.com>) and all other
>     domains whose users will be
>     accessing the trust (blue.com <http://blue.com> in your case).
>     Usually this is solved globally, of course.
>     -- 
>     / Alexander Bokovoy

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141009/4026d2bd/attachment.htm>

More information about the Freeipa-users mailing list