[Freeipa-users] win2012 r2 and trust type = realm

Alexander Bokovoy abokovoy at redhat.com
Tue May 17 15:36:26 UTC 2016


On Tue, 17 May 2016, lejeczek wrote:
>On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote:
>> On Tue, 17 May 2016, lejeczek wrote:
>> > hi users/devs
>> >
>> > I've used wiki pages to set AD - IPA trust, and it always ends up being
>> > realm type of trust (@ AD DC end) whereas wiki shows forest type.
>> > What am I doing wrong?
>> Probably because you are choosing wrong type of trust on AD side.
>>
>> Remove any trust with the same name as IPA on AD side and try to create
>> the trust using 'ipa trust-add' command, as described in the wiki or in
>> the documentation.
>>
>but ipa trust-add renders one-way type of trust, at least here for me,
>is this correct?
>I go to AD DC and see only one-way trust.
By default 4.2+ does one-way forest trust, that's right. AD users can
log in to IPA-managed services, that's what is supported.

Two-way trust can be established with --two-way=true option to 'ipa
trust-add' but it does not mean you'll get ability to log in to Windows
machines as IPA user. This is not supported yet. One-way or two-way
trust type right now is a technical detail on how trust operations are
implemented.

-- 
/ Alexander Bokovoy



