[Freeipa-users] Error: invalid 'AD domain controller' when establishing trust

Genadi Postrilko genadipost at gmail.com
Sat Oct 11 20:03:13 UTC 2014


All understood :)
Thank you (and all others who responded) for the explanations.

Genadi.

2014-10-10 6:26 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Fri, 10 Oct 2014, Genadi Postrilko wrote:
>
>> Thank you for providing the reference.
>> I understood that when creating a forest trust between two AD forests,
>> the trust is transitive to all domains in both forests (by default),
>> and it has to be established between the two forest root domains.
>>
>> External trust (between AD forests or domains) is non-transitive.
>> Trust can be established between (child) domains in different forests,
>> without the need to create trust between child domains and the forest
>> root domain of the opposite forest.
>>
>> But I'm not sure about Realm Trust.
>> Is Realm Trust considered a kind of forest trust? And is that why the
>> trust has to be established between the forest root domains (and not
>> like an external trust)?
>>
> FreeIPA only provides the first type of the trust -- a forest trust to
> AD where AD thinks it trusts an AD forest. All other types of forest are
> irrelevant in this context and have no implementation or support in
> FreeIPA.
>
>
>> Assuming I follow the IPA Trust setup guide:
>> The trust created between red.com (AD forest root domain) and
>> linux.blue.com (IPA domain) is configured to be transitive? Users from
>> the blue.com domain will be able to log in to the IPA domain? And so
>> will users from other child and root domains in the forest?
>>
> Yes, and yes.
>
> You have ipa trustdomain-find|del|disable|enable
>
> commands to manage what domains from the trust can have access to IPA
> resources. Forest root domain is always allowed, you cannot disable it,
> only delete the whole trust.
>
>> 2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>
>>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>>
>>>> 2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>>>
>>>>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>>>>
>>>>>> The forest root domain in my case is RED.COM.
>>>>>>
>>>>> You need to establish trust to red.com then. Any domain which is
>>>>> member of the forest red.com will be visible through trust.
>>>>>
>>>>> Forest trust can only be established between forest root domains,
>>>>> that's how it is designed by Microsoft.
>>>>>
>>>> It doesn't matter how complex the forest is? Even if the forest
>>>> contains a number of domain trees, the trust has to be established
>>>> with the forest root domain?
>>>>
>>> Yes, see "Forest trusts" section of
>>> http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
>>>
>>>>>> I have attached the log files.
>>>>>>
>>>>> These logs show you are attempting to establish trust to blue.com
>>>>> which is not a forest root domain, thus nothing works.
>>>>>
>>>> I assumed that DNS forwarding has to be created between IPA
>>>> (linux.blue.com) and the AD (blue.com).
>>>> Should any DNS configuration change?
>>>>
>>> It should be between all AD domains which would use IPA services,
>>> namely forest root domain (red.com) and all other domains whose users
>>> will be accessing the trust (blue.com in your case).
>>>
>>> Usually this is solved globally, of course.
>>> --
>>> / Alexander Bokovoy
>>>
>>>
> --
> / Alexander Bokovoy
>
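As an added example (not code from this thread or from FreeIPA itself), a POSIX shell pre-flight script for the two points Alexander makes above: ipa trust-add must target the forest root domain, and the IPA DNS must resolve every AD domain whose users will use the trust. It assumes the thread's names (red.com as forest root, blue.com as a member domain), that dig is available on the IPA server, and it relies on Global Catalog SRV records being registered only under the forest root DNS name.

```shell
#!/bin/sh
# Pre-flight checks before "ipa trust-add" (added example, not FreeIPA code).
# Assumed names from the thread: red.com (AD forest root), blue.com (member
# domain), linux.blue.com (IPA). Requires dig for the live checks.

# Global Catalog SRV records (_ldap._tcp.gc._msdcs.<name>) exist only under
# the forest root DNS name, so a domain without them is not a forest root.
# Arguments: domain, and the SRV answer text as "dig +short SRV" prints it.
classify_domain() {
    domain="$1"; gc_answer="$2"
    if [ -n "$gc_answer" ]; then
        echo "$domain: forest root (GC records present) - valid 'ipa trust-add' target"
        return 0
    fi
    echo "$domain: not a forest root - trust must target the forest root domain"
    return 1
}

# Live lookup from the IPA server: no DC SRV answer for a domain means the
# IPA DNS does not forward that zone to AD (the forwarding gap discussed above).
check_dns_forwarding() {
    domain="$1"
    dc=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain")
    if [ -z "$dc" ]; then
        echo "$domain: no DC SRV answer - add a DNS forwarder for this domain on IPA"
        return 1
    fi
    echo "$domain: DC SRV records resolve: $dc"
}

# preflight ROOT [MEMBER_DOMAIN ...]
preflight() {
    root="$1"; shift
    gc=$(dig +short SRV "_ldap._tcp.gc._msdcs.$root")
    classify_domain "$root" "$gc" || return 1
    for d in "$root" "$@"; do
        check_dns_forwarding "$d" || return 1
    done
    # After the trust exists, IPA lists the forest's domains per trust;
    # trustdomain-disable/enable then controls which ones may access IPA.
    echo "next: ipa trust-add --type=ad $root --admin Administrator --password"
    echo "      ipa trustdomain-find $root"
}

# Run only when explicitly asked, e.g.: sh preflight.sh --run red.com blue.com
if [ "${1:-}" = "--run" ]; then
    shift
    preflight "$@"
fi
```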