[Freeipa-users] Looking to test one-way trust

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 13 12:45:15 UTC 2015


On Tue, 13 Oct 2015, Michael Barkdoll wrote:
>Hello, I've successfully set up a two-way trust between FreeIPA and AD.  My
>understanding is that FreeIPA is currently or planning to support Global
>Cataloging.  I'm looking to implement a one-way trust between AD and
>FreeIPA to remove security concerns with my AD administrators in my
>organization.
You didn't specify what FreeIPA version you are talking about. One-way
trust is implemented in FreeIPA 4.2 (4.2.2 right now, RHEL 7.2 beta has
it under 'ipa-server-4.2.0-*' package).


>My questions are as follows:
>1) Is there a guide/post that I can follow for setting up a one-way trust
>between FreeIPA and AD?
In FreeIPA 4.2+ one-way trust is the default. So if you want to
establish trust and don't specify the --bi-directional flag, you are
establishing one-way trust.

For an earlier-established trust relationship, you need to re-run 'ipa
trust-add' again to convert to one-way.

>2) What type of trust is being created on the AD side, is it a cross-forest
>outgoing trust to the FreeIPA server from the AD server?
Yes. Instead of creating both legs of the trust, only one of them is
created.
-- 
/ Alexander Bokovoy



