[Freeipa-users] Two way A/D trust versus one way trust

Greg Scott GregScott at infrasupport.com
Tue Sep 16 14:28:54 UTC 2014

Hello - 

I went through this thread:

but I have some more questions.

I have another situation where I need a one way AD trust.  We have an IPA domain with a bunch of Linux servers and an AD domain for the corporate network.  Typical scenario.  We want IPA to trust AD but do not want AD to trust IPA.  Access is available to administrator/root accounts in both the AD and IPA domains.

The IPA server is RHEL 7 running the IPA bundled with RHEL - I think that's IPA 3.3.5 right now?  

Reading through the thread above, when we set up cross forest trusts with this version, the IPA side does not yet have the equivalent of a Windows Global Catalog.  So even though it says it's a 2-way trust, it's really not because IPA has no way to store the global catalog copies of what it needs for Windows to trust IPA.  So with the version right now as it exists today, de-facto, IPA trusts AD, but AD has no way to trust IPA yet because IPA doesn't have all the pieces in place.  

So far so good.  Here is the challenge.

The AD group at this site is concerned that with some future version of IPA, since Windows already "thinks" it trusts IPA, IPA will get the correct components and suddenly IPA users will be able to authenticate in the AD domain.  Ideally, they would like to set up an official one way trust today so that future possibility never happens.  If that isn't possible, what other steps could they take to guard against that future possibility?  

Quoting from the earlier thread:

> global catalog support is being worked on. As soon as it is implemented we will add more 
> granularity to the way the trusts are established and thus allow formal one way trusts

Is there a time frame for this?  I know it's tough to give completion dates and that's not what I'm asking for - just a feel for how active the development is around global catalog support.  Is this something this site should expect in the next few months or is it 5+ years away or somewhere in the middle?  Is there a projected version number where the support will land?  

Given what we have in place today, what is the best way to handle the situation where a site wants a one way trust but must set up a 2-way trust now with only one side of the trust functional?  I suppose it is always possible in the future when all the pieces are in place to just destroy the 2-way trust and re-create a one way trust, but by that time, there will probably be lots of mapping between AD SIDs and Linux UID/GID pairs and destroying and recreating the trust could make a royal mess out of those.  Would it be possible to modify an existing 2-way trust to only be a one-way trust when the time comes?


- Greg