[Freeipa-users] CentOS 7 with IPA 4.1

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 6 13:51:50 UTC 2015


On Tue, 30 Jun 2015, Steve Justice wrote:
>All,  I am testing an IDM/IPA setup for our RHEL environment.
>
>My current setup.
>
>Windows
>
>sjlab.local - domain one
>mylab.local - domain two
>
>sjlab and mylab are two separate AD domains.  sjlab is the primary domain
>IDM will be integrated with.  sjlab has a one way (outgoing) Forest type
>transitive trust with mylab.
>
>
>Linux
>idm.sjlab.local - IDM domain
>
>
>
>I have the trust between IDM and sjlab working.
>
>
>when I perform an ipa trust-show on sjlab.local I see that it is connected
>with a trust direction of Two-way trust and type of Active Directory
>domain.
>
>I can authenticate with users from sjlab.local to a server on the idm
>domain.  That all appears to be working ok.
>
>What I cannot do however is authenticate with users from the mylab.local
>domain.
You wouldn't be able to do so because there is no transitivity for
forest trusts in Active Directory, see below for explanation.

>
>When I perform an ipa trust-fetch-domains for sjlab.local it states that no
>new domains can be found.
>
>I know the documentation refers to this trust as a transitive trust within
>the forest.  I have a forest-level trust between sjlab and mylab; however,
>I realize they are not in the same forest.  Does that mean that this type
>of setup will not work, or is there something I am missing?
You are missing the fact that forest trusts in Active Directory are not
transitive. If you have forests A, B, and C, and A trusts B, B trusts C,
there is no way in Active Directory for A to trust C other than
explicitly establishing forest trust with it. This is true for Active
Directory to Active Directory forest trusts.

What FreeIPA documentation tells you is that for domains belonging to an
Active Directory forest, the forest trust between FreeIPA and Active
Directory forest root domain allows it to transitively trust those other
domains in the same forest.

E.g. if A is an AD forest, its forest root domain is A. If there are
other domains in the same forest, they trust A and by extension FreeIPA
domain will be able to trust all of them (barring cases where trust is
one-way and doesn't allow reaching FreeIPA via forest root domain A).

-- 
/ Alexander Bokovoy
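As an added illustration of the rule in the reply above (this is example code written for this page, not code from the thread or from FreeIPA itself), the following Python model computes which AD domains a FreeIPA realm can authenticate users from. It assumes exactly what Alexander states: a forest trust in which IPA is the trusting side reaches every domain of that forest, while a forest-to-forest trust is never followed. The forests, the trusts and the child domain `child.sjlab.local` are constructed to mirror the thread's setup; FreeIPA offers no `reachable_domains` API, that name is this example's own.

```python
"""Model of which AD domains a FreeIPA realm can accept users from.

Constructed example, not FreeIPA code. Rule modelled (from the thread):
  * a forest trust lets IPA reach every domain of the trusted forest;
  * forest-to-forest trusts are not transitive, so they are never followed;
  * direction matters: only a trust where IPA trusts the forest counts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """Forest trust between two forest root domains (or IPA and a root)."""
    trusting: str          # the side that trusts ...
    trusted: str           # ... this side
    two_way: bool = False  # True: both sides trust each other

    def grants(self, trusting: str, trusted: str) -> bool:
        """Does this trust let `trusting` accept users from `trusted`?"""
        if self.trusting == trusting and self.trusted == trusted:
            return True
        return self.two_way and (self.trusting, self.trusted) == (trusted, trusting)


def reachable_domains(ipa_realm: str, forests: dict, trusts: list) -> set:
    """Domains whose users can authenticate against ipa_realm.

    forests: {forest_root: [domains in that forest, root included]}
    trusts:  Trust objects between forest roots; ipa_realm is one root.
    Only a trust that directly has ipa_realm as the trusting side is used;
    trusts between two AD forests are deliberately ignored (no transitivity).
    """
    reachable = set()
    for root, domains in forests.items():
        if root == ipa_realm:
            continue
        if any(t.grants(ipa_realm, root) for t in trusts):
            reachable.update(domains)   # whole forest via its root
    return reachable


# Constructed topology mirroring the thread (child.sjlab.local is invented).
IPA = "idm.sjlab.local"
FORESTS = {
    IPA: [IPA],
    "sjlab.local": ["sjlab.local", "child.sjlab.local"],
    "mylab.local": ["mylab.local"],
}
TRUSTS = [
    Trust(IPA, "sjlab.local", two_way=True),   # ipa trust-show: Two-way trust
    Trust("sjlab.local", "mylab.local"),        # sjlab's outgoing one-way forest trust
]


def scenario_from_thread() -> set:
    """The setup as posted: sjlab forest reachable, mylab not."""
    return reachable_domains(IPA, FORESTS, TRUSTS)


def scenario_with_direct_trust() -> set:
    """The fix the reply implies: an explicit trust from IPA to mylab.local."""
    return reachable_domains(IPA, FORESTS, TRUSTS + [Trust(IPA, "mylab.local", two_way=True)])


def scenario_wrong_direction() -> set:
    """One-way trust where only sjlab trusts IPA: IPA cannot accept sjlab users."""
    return reachable_domains(IPA, FORESTS, [Trust("sjlab.local", IPA)])


if __name__ == "__main__":
    print("as posted:        ", sorted(scenario_from_thread()))
    print("with direct trust:", sorted(scenario_with_direct_trust()))
    print("wrong direction:  ", sorted(scenario_wrong_direction()))
```

The model makes the two points of the reply checkable: `mylab.local` only appears once IPA has its own trust with that forest, and a one-way trust pointing the wrong way reaches nothing even for the forest IPA is directly connected to.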



