[Freeipa-users] Using Selective authentication on AD->IPA trust.

Genadi Postrilko genadipost at gmail.com
Sun Oct 19 21:27:15 UTC 2014

Hello all !

I am working on integrating IPA in a Microsoft dominated organization.
After playing around with Cross forest trust and Directory server
i came to the conclusion that Trust is the right way to go. Because it
involves less configuration on AD side and its the direction
the development community is focusing on.

As i started discussing with AD administrators team, they expressed their
concerns on the two-way trust needed.

I have found the following thread in the freeipa archives:
where Simo Sorce explained why the two way trust is necessary.

But then this thread appeared:

The discussion in the thread helped me *a lot* (especially the summary
to explain the AD team why two-way trust is necessary and *not *a security

After convincing them that two-way trust in necessary, they still have put
up a demand that the out-going AD->IPA trust authentication will be
configured as *Selective **authentication.*

Selective authentication is described as follows:
*"Windows will not automatically authenticate users form the specified
forest for any resources in the local forest. After you close this dialog.
grant individual access to each domain and server that you want to make
available to users in the specified forest."*

While the default is Forest- wide authentication:

*"Windows will automatically athenticate users from the specified forest
for the recourses in the local forest."*

Can this be done? Or it will break how IPA operates the trust?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141019/12cc756e/attachment.htm>

More information about the Freeipa-users mailing list