[Freeipa-users] Cross Forest Transitive AD Trust

PARTH MONGA kprprl at gmail.com
Tue Mar 1 14:50:18 UTC 2016


Thanks Alexander for the prompt reply.
Appreciated.

Now I am wondering how Likewise is able to do this stuff under the hood for me.

I have a similar setup with Likewise and the same one way incoming trust relationships towards my primary domain (dom1) from another external domain (dom2).

And I am able to log in to my client machines using user accounts created in dom1 and dom2.
Magic.
Any thoughts?

On Wednesday, 2 March 2016, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Wed, 02 Mar 2016, PARTH MONGA wrote:
>
>> Hi List Members,
>>
>> I have a situation I am having a hard time getting a clean answer on.
>>
>> I have an IDM/IPA domain setup and I have a trust setup with my Windows
>> domain. That part is working perfectly.
>>
>> I have a one way forest transitive trust (outgoing) with a second Windows
>> domain. I want users in this second domain to be able to authenticate to
>> my IDM/IPA domain. I was hoping that this would be possible through my
>> transitive trust with my primary Windows domain.
>>
> No, that's not possible by AD architecture.
>
>
>> When I issue the command ipa trust-fetch-domains for my primary domain I
>> get the response no new domains found. The second domain is never found.
>>
> That's correct.
>
>> Here is my question. Is this even possible without creating a trust with
>> the second domain directly? The documentation states that IPA will
>> traverse all trusts and add them. However I am starting to believe that
>> reference is for domains in only one forest. Can anyone clear up that
>> point for me?
>>
> The documentation is correct, you can have multiple trusts to separate
> forests and domains from all of them will be usable via trust to IPA.
> However, we cannot access any domains from forests that the AD forest
> trusts itself, because while a forest trust is transitive, the
> transitivity only extends to domains within the forests that trust each
> other; there is no transitivity across forest trusts.
>
> If forest A's root domain A trusts forest B's root domain B, and forest
> B's root domain B trusts forest C's root domain C, then A only can
> transit to domains in forest B, not forest C.
>
> See https://msdn.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx,
> search for the section named "Forest trusts":
> ---------
> Forest trusts can be created between two forests only and cannot be
> implicitly extended to a third forest.
> ---------
>
> --
> / Alexander Bokovoy
>
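A small model of the rule Alexander states above, as an added example (not code from this thread, from FreeIPA, or from Microsoft; forest and domain names are constructed placeholders). It computes which domains' users a trusting side accepts: every domain inside a directly trusted forest, but nothing from the forests that forest trusts in turn. For contrast it also computes the naive chained closure that would wrongly pull in forest C, and mirrors what `ipa trust-fetch-domains` can enumerate for one trusted forest.

```python
from collections import deque

# Constructed sample topology (placeholder names, not from the thread).
# Each forest maps to the set of domains it contains.
FORESTS = {
    "ipa.example.test": {"ipa.example.test"},
    "a.example.test": {"a.example.test", "child.a.example.test"},
    "b.example.test": {"b.example.test", "child.b.example.test"},
    "c.example.test": {"c.example.test"},
}

# Directed forest trusts as (trusting_forest, trusted_forest).
# "X trusts Y" means users from Y can authenticate to resources in X.
# The first entry plays the role of the trust IPA establishes with forest A
# (assumed here to be one-way, IPA trusting A, for simplicity).
FOREST_TRUSTS = {
    ("ipa.example.test", "a.example.test"),
    ("a.example.test", "b.example.test"),
    ("b.example.test", "c.example.test"),
}


def directly_trusted_forests(trusting, trusts=FOREST_TRUSTS):
    """Forests that `trusting` has an explicit forest trust with (one hop)."""
    return {trusted for (t, trusted) in trusts if t == trusting}


def usable_domains(trusting, forests=FORESTS, trusts=FOREST_TRUSTS):
    """Domains whose users `trusting` accepts, per the AD rule quoted above.

    Transitivity applies *within* each directly trusted forest (all of its
    domains count), but never crosses into forests that forest trusts itself.
    """
    domains = set()
    for forest in directly_trusted_forests(trusting, trusts):
        domains |= forests[forest]
    return domains


def naive_chained_domains(trusting, forests=FORESTS, trusts=FOREST_TRUSTS):
    """Breadth-first closure over forest trusts, i.e. what one might
    expect if forest trusts chained. AD does NOT behave this way; this
    exists only to show what the rule above excludes."""
    seen, queue, domains = set(), deque([trusting]), set()
    while queue:
        forest = queue.popleft()
        for nxt in directly_trusted_forests(forest, trusts):
            if nxt not in seen:
                seen.add(nxt)
                domains |= forests[nxt]
                queue.append(nxt)
    return domains


def fetch_domains_like_ipa(trusted_forest, forests=FORESTS):
    """Mirror of what `ipa trust-fetch-domains <forest>` can enumerate:
    the domains of that one forest, nothing behind that forest's own trusts."""
    return set(forests[trusted_forest])


if __name__ == "__main__":
    ipa = "ipa.example.test"
    print("usable by IPA:      ", sorted(usable_domains(ipa)))
    print("naive chaining:     ", sorted(naive_chained_domains(ipa)))
    print("fetch-domains for A:", sorted(fetch_domains_like_ipa("a.example.test")))
    # Direction matters: forest C trusts nobody, so it accepts no foreign users.
    print("usable by C:        ", sorted(usable_domains("c.example.test")))
```

Running it shows IPA accepting `a.example.test` and `child.a.example.test` only; `b.example.test` and `c.example.test` appear solely in the naive chaining output, which is exactly the set `ipa trust-fetch-domains` will never return. Reaching the second Windows forest therefore needs its own trust entry, i.e. another `("ipa.example.test", "b.example.test")` pair in this model.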