<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/09/2014 07:07 PM, Genadi
Postrilko wrote:<br>
</div>
<blockquote
cite="mid:CAPP+0v+UB1VvzELSSd3y+RLs0T8u9oo9fDLSw-XR_H=vMQbGwA@mail.gmail.com"
type="cite">
<div dir="rtl">
<div dir="ltr">Thank you for providing the reference.</div>
<div dir="ltr">I understood that when creating a forest trust
between two AD forests, the trust is transitive to all domains in both
forests (by default). And it has to be established between the two forest
root domains.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">External trust (between AD forests or domains) is
non-transitive. Trust can be established between (child) domains in
different forests, without the need to create trust between child domains
and the forest root domain of the opposite forest.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">But I'm not sure about Realm Trust. Is Realm Trust
considered a kind of forest trust? And is that why the trust has to be
established between the forest root domains (and not like an external
trust)?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Assuming I follow the IPA Trust setup guide:</div>
<div dir="ltr">The trust created between <a
moz-do-not-send="true" href="http://red.com">red.com</a> (AD
forest root domain) and <a moz-do-not-send="true"
href="http://linux.blue.com">linux.blue.com</a> (IPA domain)
is configured to be transitive? Users from the <a
moz-do-not-send="true" href="http://blue.com">blue.com</a>
domain will be able to log in to the IPA domain?</div>
<div dir="ltr">And so will users from other child and root
domains in the forest?</div>
</div>
</blockquote>
<br>
<br>
Yes. If you have a forest trust between IPA and your AD forest where
red is the root domain, then users from all subdomains, including blue,
would be able to access resources in the IPA domain.<br>
This is true starting with FreeIPA 3.3.<br>
<br>
<blockquote
cite="mid:CAPP+0v+UB1VvzELSSd3y+RLs0T8u9oo9fDLSw-XR_H=vMQbGwA@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div dir="ltr">2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>:</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On Wed, 08 Oct 2014, Genadi Postrilko wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <<a
moz-do-not-send="true"
href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, 08 Oct 2014, Genadi Postrilko wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
The forest root domain in my case is <a
moz-do-not-send="true" href="http://RED.COM"
target="_blank">RED.COM</a>.<br>
<br>
</blockquote>
You need to establish trust to <a
moz-do-not-send="true" href="http://red.com"
target="_blank">red.com</a> then. Any domain which
is a member<br>
of the forest <a moz-do-not-send="true"
href="http://red.com" target="_blank">red.com</a>
will be visible through the trust.<br>
<br>
Forest trust can only be established between forest
root domains, that's<br>
how it is designed by Microsoft.<br>
<br>
<br>
</blockquote>
It doesn't matter how complex the forest is? Even if the
forest contains<br>
a number of domain trees, the trust has to be<br>
established with the forest root domain?<br>
</blockquote>
</span>
Yes, see "Forest trusts" section of<br>
<a moz-do-not-send="true"
href="http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx"
target="_blank">http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx</a><span
class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I have attached the log files.<br>
<br>
</blockquote>
These logs show you are attempting to establish trust
to <a moz-do-not-send="true" href="http://blue.com"
target="_blank">blue.com</a> which<br>
is not a forest root domain, thus nothing works.<br>
<br>
</blockquote>
<br>
I assumed that DNS forwarding has to be created between
IPA (<a moz-do-not-send="true"
href="http://linux.blue.com" target="_blank">linux.blue.com</a>)<br>
and the AD (<a moz-do-not-send="true"
href="http://blue.com" target="_blank">blue.com</a>).<br>
Should any DNS configuration change?<br>
</blockquote>
</span>
It should be between all AD domains which would use IPA
services, namely<br>
the forest root domain (<a moz-do-not-send="true"
href="http://red.com" target="_blank">red.com</a>) and all
other domains whose users will be<br>
accessing the trust (<a moz-do-not-send="true"
href="http://blue.com" target="_blank">blue.com</a> in
your case).<br>
<br>
Usually this is solved globally, of course.<span
class="HOEnZb"><font color="#888888"><br>
-- <br>
/ Alexander Bokovoy<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
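<p>As an added example (not code from this thread, from FreeIPA or from Microsoft), the following Python models the two rules the thread settles on: a forest trust has to be established with the forest root domain, after which every domain of that forest is visible through it, and the IPA side needs DNS forwarding for the forest root plus every AD domain whose users will use the trust. The forest layout (<code>red.com</code> as root, <code>blue.com</code> as a second tree, a hypothetical child <code>corp.red.com</code>), the forwarder addresses and the <code>trust_report</code> helper are all constructed for illustration; only the domain names <code>red.com</code> and <code>blue.com</code> come from the thread.</p>

```python
"""Which AD domains a FreeIPA forest trust makes visible, and which of them
still lack a DNS forward zone on the IPA side.

Added example for the mailing-list discussion above; it is not FreeIPA code.
The forest layout and forwarder addresses below are constructed.
"""
from typing import Dict, Iterable, List, Set

# Constructed AD forest: child domain -> parent domain. The root has no entry.
# red.com is the forest root; blue.com is a second domain tree in the same
# forest; corp.red.com is a hypothetical child domain of the root.
AD_FOREST_PARENTS: Dict[str, str] = {
    "blue.com": "red.com",
    "corp.red.com": "red.com",
}

# Constructed view of the forward zones already defined on the IPA server,
# mapping zone name -> forwarder addresses (RFC 5737 documentation range).
IPA_FORWARD_ZONES: Dict[str, List[str]] = {
    "blue.com": ["192.0.2.10"],
}


def forest_root(domain: str, parents: Dict[str, str]) -> str:
    """Follow the parent chain up to the domain that has no parent."""
    seen: Set[str] = set()
    while domain in parents:
        if domain in seen:
            raise ValueError("cycle in forest definition at %s" % domain)
        seen.add(domain)
        domain = parents[domain]
    return domain


def forest_members(root: str, parents: Dict[str, str]) -> Set[str]:
    """All domains (root, child domains and other trees) of one forest."""
    known = set(parents) | set(parents.values()) | {root}
    return {d for d in known if forest_root(d, parents) == root}


def domains_visible_through_trust(trust_target: str,
                                  parents: Dict[str, str]) -> Set[str]:
    """Forest-trust rule from the thread: the trust is established with the
    forest root and is transitive to every domain of that forest. A trust
    attempted against a child domain is rejected, naming the root instead,
    which is the situation the logs in the thread showed for blue.com."""
    root = forest_root(trust_target, parents)
    if trust_target != root:
        raise ValueError("%s is not a forest root; establish the trust with %s"
                         % (trust_target, root))
    return forest_members(root, parents)


def missing_forward_zones(root: str, user_domains: Iterable[str],
                          forward_zones: Dict[str, List[str]]) -> List[str]:
    """DNS forwarding is needed for the forest root and for every AD domain
    whose users will access IPA; return the ones not yet configured."""
    needed = {root} | set(user_domains)
    return sorted(needed - set(forward_zones))


def trust_report(trust_target: str, user_domains: Iterable[str],
                 parents: Dict[str, str],
                 forward_zones: Dict[str, List[str]]) -> Dict[str, object]:
    """Combine both checks into one pre-flight summary before `ipa trust-add`."""
    users = set(user_domains)
    try:
        visible = domains_visible_through_trust(trust_target, parents)
    except ValueError as err:
        return {"ok": False, "problem": str(err),
                "visible": set(), "missing_dns": []}
    root = forest_root(trust_target, parents)
    # Domains whose users are expected but which the trust cannot reach.
    unknown = sorted(users - visible)
    missing = missing_forward_zones(root, users, forward_zones)
    problem = None
    if unknown:
        problem = "domains outside the trusted forest: %s" % ", ".join(unknown)
    return {"ok": not unknown and not missing, "problem": problem,
            "visible": visible, "missing_dns": missing}


if __name__ == "__main__":
    # The thread's first attempt: trust against the child domain blue.com.
    print(trust_report("blue.com", ["blue.com"],
                       AD_FOREST_PARENTS, IPA_FORWARD_ZONES))
    # The corrected setup: trust with the root red.com, blue.com users expected;
    # the report still flags the missing forward zone for red.com.
    print(trust_report("red.com", ["blue.com"],
                       AD_FOREST_PARENTS, IPA_FORWARD_ZONES))
```

<p>Running the script prints two reports: the first rejects <code>blue.com</code> as a trust target and names <code>red.com</code> as the root to use, the second accepts <code>red.com</code>, lists all three forest domains as visible, and still reports <code>red.com</code> as lacking a forward zone, which matches the advice in the thread that forwarding is needed for the root as well as for <code>blue.com</code>.</p>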
</body>
</html>