<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 10/09/2014 07:07 PM, Genadi
      Postrilko wrote:<br>
    </div>
    <blockquote
cite="mid:CAPP+0v+UB1VvzELSSd3y+RLs0T8u9oo9fDLSw-XR_H=vMQbGwA@mail.gmail.com"
      type="cite">
      <div dir="rtl">
        <div dir="ltr">Thank you for providing the reference.</div>
        <div dir="ltr">I understood that when creating a forest trust
          between two AD forests, </div>
        <div dir="ltr">the trust is transitive to all domains in both
          forests (by default). And it has</div>
        <div dir="ltr">to be established between the two <span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">forest
            root domains.</span></div>
        <div dir="ltr"><span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div dir="ltr"><span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">External
            trust (between AD forests or domains), is non transitive.</span></div>
        <div dir="ltr"><font color="#500050" face="arial, sans-serif">Trust
            can be established between (child) domains in different
            forests, without the need to</font></div>
        <div dir="ltr"><font color="#500050" face="arial, sans-serif">create
            trust between child domains and the </font><font
            color="#500050" face="arial, sans-serif">forest root domain
            of the opposite forest.</font></div>
        <div dir="ltr"><span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div dir="ltr"><span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">But
            I'm not sure about Realm Trust. </span></div>
        <div dir="ltr"><font color="#500050" face="arial, sans-serif">Is Realm
            Trust considered a kind of forest trust? And is that why the
            trust has </font></div>
        <div dir="ltr"><font color="#500050" face="arial, sans-serif">to
            be established between the f</font><span
            style="color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">orest
            root domains (and not like an external trust)?</span></div>
        <div dir="ltr"><br>
        </div>
        <div dir="ltr">Assuming I follow the IPA Trust setup guide:</div>
        <div dir="ltr">The trust created between <a
            moz-do-not-send="true" href="http://red.com">red.com</a> (AD
          forest root domain) and <a moz-do-not-send="true"
            href="http://linux.blue.com">linux.blue.com</a> (IPA domain)</div>
        <div dir="ltr">is configured to be transitive? Users from <a
            moz-do-not-send="true" href="http://blue.com">blue.com</a>
          domain will be able to log in to the IPA domain?</div>
        <div dir="ltr">And so are users from other child and root
          domains in the forest?</div>
      </div>
    </blockquote>
    <br>
    <br>
    Yes. If you have a forest trust between IPA and your AD forest where
    red is the root domain, then users from all subdomains, including blue,
    would be able to access resources in the IPA domain.<br>
    This is true starting with FreeIPA 3.3.<br>
    <br>
    <blockquote
cite="mid:CAPP+0v+UB1VvzELSSd3y+RLs0T8u9oo9fDLSw-XR_H=vMQbGwA@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">
          <div dir="ltr">2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <span
              dir="ltr"><<a moz-do-not-send="true"
                href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>:</div>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
              class="">On Wed, 08 Oct 2014, Genadi Postrilko wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <<a
                  moz-do-not-send="true"
                  href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>:<br>
                <br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  On Wed, 08 Oct 2014, Genadi Postrilko wrote:<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    The forest root domain in my case is <a
                      moz-do-not-send="true" href="http://RED.COM"
                      target="_blank">RED.COM</a>.<br>
                    <br>
                  </blockquote>
                  You need to establish trust to <a
                    moz-do-not-send="true" href="http://red.com"
                    target="_blank">red.com</a> then. Any domain which
                  is a member<br>
                  of the forest <a moz-do-not-send="true"
                    href="http://red.com" target="_blank">red.com</a>
                  will be visible through trust.<br>
                  <br>
                  Forest trust can only be established between forest
                  root domains, that's<br>
                  how it is designed by Microsoft.<br>
                  <br>
                  <br>
                </blockquote>
                It doesn't matter how complex the forest is? Even if the
                forest contains<br>
                a number of domain trees, the trust has to be<br>
                established with the forest root domain?<br>
              </blockquote>
            </span>
            Yes, see "Forest trusts" section of<br>
            <a moz-do-not-send="true"
href="http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx"
              target="_blank">http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx</a><span
              class=""><br>
              <br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    I have attached the log files.<br>
                    <br>
                  </blockquote>
                  These logs show you are attempting to establish trust
                  to <a moz-do-not-send="true" href="http://blue.com"
                    target="_blank">blue.com</a> which<br>
                  is not a forest root domain, thus nothing works.<br>
                  <br>
                </blockquote>
                <br>
                I assumed that DNS forwarding has to be created between
                IPA (<a moz-do-not-send="true"
                  href="http://linux.blue.com" target="_blank">linux.blue.com</a>)<br>
                and the AD (<a moz-do-not-send="true"
                  href="http://blue.com" target="_blank">blue.com</a>).<br>
                Should any DNS configuration change?<br>
              </blockquote>
            </span>
            It should be between all AD domains which would use IPA
            services, namely<br>
            forest root domain (<a moz-do-not-send="true"
              href="http://red.com" target="_blank">red.com</a>) and all
            other domains whose users will be<br>
            accessing the trust (<a moz-do-not-send="true"
              href="http://blue.com" target="_blank">blue.com</a> in
            your case).<br>
            <br>
            Usually this is solved globally, of course.<span
              class="HOEnZb"><font color="#888888"><br>
                -- <br>
                / Alexander Bokovoy<br>
              </font></span></blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
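    <br>
    Added example, not code from this thread or from FreeIPA: an offline Python model of the two rules stated in the replies above, namely that a forest trust must target the forest root and that the trust then covers every domain of the forest, each of which also needs DNS forwarding on the IPA side. The forest layout (red.com as root, blue.com and an assumed dev.red.com as members) and the SRV record table are constructed for the example; the forest-root check relies on the global catalog record <code>_gc._tcp.&lt;domain&gt;</code>, which AD registers only under the forest root zone.<br>
    <br>

```python
# Added example, not from the thread or FreeIPA: offline model of the
# forest-trust rules in this thread. dev.red.com and the SRV table are constructed.
# AD registers the global catalog record _gc._tcp.<name> only under the forest
# root zone, so it distinguishes red.com (root) from blue.com (separate tree).
SRV_TABLE = {
    "_gc._tcp.red.com": ["dc1.red.com"],
    "_ldap._tcp.red.com": ["dc1.red.com"],
    "_ldap._tcp.blue.com": ["dc1.blue.com"],
    "_ldap._tcp.dev.red.com": ["dc1.dev.red.com"],
}

def lookup_srv(name):
    """Constructed resolver: SRV targets for name, [] when it does not exist."""
    return SRV_TABLE.get(name.lower(), [])

def is_forest_root(domain, resolver=lookup_srv):
    """True if the domain serves a global catalog record (forest root)."""
    return bool(resolver(f"_gc._tcp.{domain}"))

class Forest:
    """An AD forest: its root domain and every domain in any of its trees."""
    def __init__(self, root, members):
        self.root = root.lower()
        self.members = {m.lower() for m in members} | {self.root}

def trust_target_error(forest, target, resolver=lookup_srv):
    """Why a trust against `target` would not work, or None if it is fine.
    This is the mistake from the thread: trusting blue.com instead of red.com."""
    target = target.lower()
    if target not in forest.members:
        return f"{target} is not part of the {forest.root} forest"
    if target != forest.root or not is_forest_root(target, resolver):
        return f"{target} is not the forest root; trust must target {forest.root}"
    return None

def plan_trust(forest, target, resolver=lookup_srv):
    """Validate the target and return the AD domains the trust will cover.
    Forest trusts are transitive, so every member domain becomes visible,
    and each of them also needs a DNS forwarder on the IPA side."""
    err = trust_target_error(forest, target, resolver)
    if err:
        raise ValueError(err)
    return set(forest.members)

def can_login(forest, trusted_roots, principal):
    """True if user@DOMAIN can use IPA through an established forest trust."""
    domain = principal.rsplit("@", 1)[-1].lower()
    return forest.root in trusted_roots and domain in forest.members
```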
  </body>
</html>