On Thu, 31 Jan 2019, SOLER SANGUESA Miguel wrote:
> Hello and thanks for your time,
>
> My first approach was to create 2 trusts:
>
> ipa.mydomain.com --trust--> mydomain.com (already DONE)
> ipa.mydomain.com --trust--> other.company.org (not possible)
>
> When I try to do the second one, I have the error:
>
> # ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true
> Active Directory domain administrator: ad_ADMIN
> Active Directory domain administrator's password:
> ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
>
> Checking on the http error log with samba debug = 100, we have:
>
> result : NT_STATUS_OBJECT_NAME_COLLISION
>
> On AD side we have:
>
> "a trust relationship with the domain you specified already exist"
>
> That is because we already have a transitive trust between other.company.org and mydomain.com, so *.mydomain.com (in our case ipa.mydomain.com) already has a trust with other.company.org on AD side.
Correct, the issue here is not ipa.mydomain.com but that the trust between mydomain.com and other.company.org does not have an exclusion entry for ipa.mydomain.com. You should be able to add one on other.company.org side for a trust to mydomain.com.
> Then, the only way I see is using the transitivity for making users from other.company.org log in on ipa.mydomain.com services. Is that possible?
It is possible, if you arrange it properly.
> That's the reason I'm thinking that "Selective authentication" can be the problem.
Nope.

Add an exclusion entry on mydomain.com trust at other.company.org that tells that 'ipa.mydomain.com' is excluded from that trust. Then add a trust between ipa.mydomain.com and other.company.org. You don't need to use --external trust flag (better not to).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
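As an added illustration (not part of the thread and not FreeIPA or Samba code), the script below shows the diagnostic step that connects the two error messages quoted above: `ipa trust-add` prints the CIFS error as a signed 32-bit decimal, while Samba logs the same value as an NTSTATUS name. Converting -1073741771 to hex gives 0xC0000035, which is NT_STATUS_OBJECT_NAME_COLLISION, i.e. AD already routes the name through the existing forest trust between mydomain.com and other.company.org. The sample error line is constructed from the thread's output; the function names are this example's own, and the remediation text restates Alexander's advice (a name-suffix exclusion for ipa.mydomain.com on the existing trust, then a plain non-external trust).

```sh
#!/bin/sh
# Added example: decode the CIFS error code printed by `ipa trust-add`
# and map the NTSTATUS seen in this thread to its remediation.
# Constructed sample, copied from the error text quoted in the thread.
SAMPLE_ERR='ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")'

# Pull the decimal code out of an "ipa: ERROR: CIFS server communication error" line.
extract_cifs_code() {
    printf '%s\n' "$1" | sed -n 's/.*code "\(-\{0,1\}[0-9][0-9]*\)".*/\1/p'
}

# ipa prints the NTSTATUS as a signed 32-bit decimal; mask to 32 bits and
# print it the way Samba and Windows documentation show it (0xC.......).
ntstatus_hex() {
    printf '0x%08X\n' "$(( $1 & 4294967295 ))"
}

# Only the code discussed in the thread is known here; anything else is
# reported as unknown so the caller goes to the Samba debug log instead.
explain_trust_add_error() {
    hex=$(ntstatus_hex "$1")
    case "$hex" in
        0xC0000035)
            echo "$hex NT_STATUS_OBJECT_NAME_COLLISION: AD already routes this name through an existing forest trust."
            echo "Fix: add a name-suffix exclusion for the IPA domain on the existing trust at the AD forest, then re-run ipa trust-add without --external."
            ;;
        *)
            echo "$hex: unknown NTSTATUS, check the Samba log (debug level 100) for the result line."
            ;;
    esac
}

main() {
    code=$(extract_cifs_code "$SAMPLE_ERR")
    echo "ipa reported code $code"
    explain_trust_add_error "$code"
}
main
```

Run it with `sh decode_trust_error.sh`; to use it on a real failure, replace `SAMPLE_ERR` with the line from the `ipa trust-add` output or from /var/log/httpd/error_log.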