[Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

Alexander Bokovoy abokovoy at redhat.com
Wed May 20 09:39:10 UTC 2015


On Wed, 20 May 2015, opsource trail wrote:
>Hello,
>we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment
>we are kind of confused about what type of trust we will need to deal with.
>In Red Hat documentation we get an information that:
>
>"... Trusts, then, are essentially unidirectional. Active Directory users
>can access IdM resources and services, but IdM users cannot access Active
>Directory resources... "
>(
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html
>)
I tried to get technical writers to rewrite this sentence but so far
unsuccessful. There seems to be some fundamental misunderstanding at
hand, unfortunately.

>On the other hand, when I configure the trust I can clearly see that it is
>actually bidirectional:
>[root at ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
>------------------------------------------------------
>Added Active Directory trust for realm "adexample.com"
>------------------------------------------------------
>  Realm name: adexample.com
>  Domain NetBIOS name: ADEXAMPLE
>  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
>  Trust direction: Two-way trust
>  Trust type: Active Directory domain
>  Trust status: Established and verified
>
>I'm afraid that our Windows department will complain and consider this as a
>security issue.
No, it is not a security issue, regardless of what your Windows department
would like to think. They may better spend time looking into the actual
Active Directory protocols documentation at
https://msdn.microsoft.com/en-us/library/jj712081.aspx to realise the
situation is much more complex than a binary division between 'secure'
and 'insecure'.

>Is there anybody who could help me understand this?
You can start with http://www.freeipa.org/page/V4/One-way_trust to get
yourself a high level overview and comparison of what two-way and
one-way trust mean in the context of IPA and Active Directory.

-- 
/ Alexander Bokovoy
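As an added example, not from the thread or the FreeIPA project, a small Python helper that parses the key/value block `ipa trust-add` (and `ipa trust-show`) prints, as quoted above, and reports the trust direction and status, so the direction can be checked in an audit script rather than read by eye. The function names are my own; the sample text is the output quoted in the thread.

```python
"""Parse the summary block printed by `ipa trust-add` / `ipa trust-show` and
report direction, status and SID sanity for an AD trust audit."""
import re
from typing import Dict

# Constructed sample: the `ipa trust-add` output quoted in the thread.
SAMPLE_OUTPUT = """\
------------------------------------------------------
Added Active Directory trust for realm "adexample.com"
------------------------------------------------------
  Realm name: adexample.com
  Domain NetBIOS name: ADEXAMPLE
  Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
"""

# Indented "Key: value" lines only; the banner and dashed rules are skipped.
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
# A domain SID: S-1-5-21 followed by exactly three sub-authorities.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(-\d+){3}")


def parse_trust_output(text: str) -> Dict[str, str]:
    """Return the indented Key: value fields as a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def audit_trust(text: str) -> Dict[str, object]:
    """Summarise what an auditor wants to know about one trust entry."""
    f = parse_trust_output(text)
    direction = f.get("Trust direction", "")
    return {
        "realm": f.get("Realm name"),
        "netbios": f.get("Domain NetBIOS name"),
        "direction": direction,
        # Anything other than "Two-way trust" is reported as not two-way.
        "two_way": direction.lower().startswith("two-way"),
        "sid_valid": DOMAIN_SID_RE.fullmatch(
            f.get("Domain Security Identifier", "")) is not None,
        "established": f.get("Trust status", "").startswith("Established"),
    }


if __name__ == "__main__":
    print(audit_trust(SAMPLE_OUTPUT))
```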