[Freeipa-users] Cross Forest Transitive AD Trust

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 1 14:41:24 UTC 2016


On Wed, 02 Mar 2016, PARTH MONGA wrote:
>Hi List Members,
>
>I have a situation I am having a hard time getting a clean answer on.
>
>I have a IDM/IPA domain setup and I have a trust setup with my Windows
>domain. That part is working perfectly.
>
>I have a one way forest transitive trust (outgoing) with a second windows
>domain. I want users in this second domain to be able to authenticate to my
>IDM/IPA domain. I was hoping that this would be possible through my
>transitive trust with my primary windows domain.
No, that's not possible by AD architecture.

>
>When I issue the command ipa trust-fetch-domains for my primary domain I
>get the response no new domains found. The second domain is never found.
That's correct.

>Here is my question. Is this even possible without creating a trust with
>the second domain directly? The documentation states that IPA will traverse
>all trusts and add them. However I am starting to believe that reference is
>for domains in only one forest. Can anyone clear up that point for me?
The documentation is correct, you can have multiple trusts to separate
forests and domains from all of them will be usable via trust to IPA.
However, we cannot access any domains from forests that the AD forest trusts
itself, because while a forest trust is transitive, the transitivity only
extends to domains within the forests that trust each other; there is no
transitivity across forest trusts.

If forest A's root domain A trusts forest B's root domain B, and forest
B's root domain B trusts forest C's root domain C, then A can only
transit to domains in forest B, not forest C.

See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
search for the section named "Forest trusts":
---------
Forest trusts can be created between two forests only and cannot be
implicitly extended to a third forest. 
---------

-- 
/ Alexander Bokovoy
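
As an added illustration (not FreeIPA code and not part of the thread), the
following Python models the reachability rule Alexander describes: IPA can
resolve users from every domain inside a forest it has a direct forest trust
with, but never from a forest that the trusted forest trusts in turn. The
forest and domain names (a.example, child.a.example, b.example) are placeholders
constructed to mirror the topology in the question; the function names are mine.

```python
# Added model of AD forest-trust reachability as seen from an IPA server.
# Hypothetical illustration, not FreeIPA code. Forests are keyed by their
# root domain; trusts are (trusting party, trusted forest) one-way edges.
from typing import Dict, Set, Tuple

Trust = Tuple[str, str]


def reachable_domains(forests: Dict[str, Set[str]],
                      trusts: Set[Trust],
                      trustor: str = "IPA") -> Set[str]:
    """Domains whose users `trustor` can authenticate under AD rules.

    A forest trust is transitive *within* the trusted forest (root plus all
    child/tree domains), so every domain of a directly trusted forest counts.
    It is never implicitly extended to a third forest, so we deliberately stop
    after one hop and do not follow the trusted forest's own outgoing trusts.
    """
    directly_trusted = {trusted for (src, trusted) in trusts if src == trustor}
    result: Set[str] = set()
    for forest in directly_trusted:
        result |= forests[forest]
    return result


def naive_transitive_closure(forests: Dict[str, Set[str]],
                             trusts: Set[Trust],
                             trustor: str = "IPA") -> Set[str]:
    """What one might *expect* if forest trusts chained across forests.

    Follows trusts to any depth. Included only to show the gap between that
    expectation and AD's actual behaviour; AD does NOT work this way.
    """
    seen_forests: Set[str] = set()
    frontier = [trustor]
    while frontier:
        current = frontier.pop()
        for (src, trusted) in trusts:
            if src == current and trusted not in seen_forests:
                seen_forests.add(trusted)
                frontier.append(trusted)
    result: Set[str] = set()
    for forest in seen_forests:
        result |= forests[forest]
    return result


def trusts_needed(forests: Dict[str, Set[str]],
                  trusts: Set[Trust],
                  wanted: Set[str],
                  trustor: str = "IPA") -> Set[Trust]:
    """Direct forest trusts `trustor` must add so every `wanted` domain is reachable."""
    have = reachable_domains(forests, trusts, trustor)
    owner = {domain: forest for forest, domains in forests.items() for domain in domains}
    return {(trustor, owner[domain]) for domain in wanted - have}


# Constructed topology mirroring the question: IPA trusts forest a.example
# (the "primary Windows domain", which also has a child domain), and
# a.example has its own outgoing forest trust to b.example (the "second
# Windows domain"). All names are placeholders.
FORESTS: Dict[str, Set[str]] = {
    "a.example": {"a.example", "child.a.example"},
    "b.example": {"b.example"},
}
TRUSTS: Set[Trust] = {("IPA", "a.example"), ("a.example", "b.example")}

if __name__ == "__main__":
    print("IPA actually reaches:   ", sorted(reachable_domains(FORESTS, TRUSTS)))
    print("naive expectation:      ", sorted(naive_transitive_closure(FORESTS, TRUSTS)))
    print("trusts still required:  ", sorted(trusts_needed(FORESTS, TRUSTS, {"b.example"})))
```

On a real deployment the equivalent check is `ipa trustdomain-find <trusted-forest>`,
which lists only the domains of that forest; the second forest will not appear
there, and the model's answer matches the thread: a direct `ipa trust-add --type=ad`
against the second forest is required.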
