[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 10 04:26:27 UTC 2014 

On Fri, 10 Oct 2014, Genadi Postrilko wrote:
>Thank you for providing the reference.
>I understood that when creating a forest trust between two AD forests,
>the trust is transitive to all domains in both forests (by default).
>And it has to be established between the two forest root domain.
>
>External trust (between AD forests or domains), is non transitive.
>Trust can be established between (child) domains in different forests,
>without the need to create trust between child domains and the forest
>root domain of the opposite forest.
>
>But i'm not sure about Realm Trust.
>Realm Trust considered as a kind of forest trust? And that why the trust
>has to be established between the forest root domains (and not like
>external trust) ?
FreeIPA only provides the first type of the trust -- a forest trust to
AD where AD thinks it trusts an AD forest. All other types of forest are
irrelevant in this context and have no implementation or support in
FreeIPA.

>
>Assuming i follow the IPA Trust setup guide-
>The trust created between red.com (AD forest root domain) and
>linux.blue.com (IPA domain) is configured to be transitive? Users from
>blue.com domain will able to login to IPA domain?  And so are users
>from other child and root domains in the forest?
Yes, and yes.

You have 
	ipa trustdomain-find|del|disable|enable

commands to manage what domains from the trust can have access to IPA
resources. Forest root domain is always allowed, you cannot disable it,
only delete the whole trust.

>
>
>
>
>2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>
>>> 2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>>
>>>  On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>>>
>>>>  The forest root domain in my case is RED.COM.
>>>>>
>>>>>  You need to establish trust to red.com then. Any domain which is
>>>> member
>>>> of the forest red.com will be visible through trust.
>>>>
>>>> Forest trust can only be established between forest root domains, that's
>>>> how it is designed by Microsoft.
>>>>
>>>>
>>>>  It doesn't matter how complex the forest is? Even if the forest contains
>>> number of domain trees, the trust has to be
>>> established with the forest root domain?
>>>
>> Yes, see "Forest trusts" section of
>> http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
>>
>>  I have attached the log files.
>>>>>
>>>>>  These logs show you are attempting to establish trust to blue.com
>>>> which
>>>> is not a forest root domain, thus nothing works.
>>>>
>>>>
>>> I assumed that DNS forwarding has to be created between IPA (
>>> linux.blue.com)
>>> and the AD (blue.com).
>>> Should any DNS configuration change?
>>>
>> It should be between all AD domains which would use IPA services, namely
>> forest root domain (red.com) and all other domains whose users will be
>> accessing the trust (blue.com in your case).
>>
>> Usually this is solved globally, of course.
>> --
>> / Alexander Bokovoy
>>

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list