On Wed, 30 Jan 2019, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
> I have 2 AD domains on Windows 2016 with a forest trust, two-way, and
> "Selective authentication":
> mydomain.com <--trust--> other.company.org
> Now I have built an IDM instance on RHEL 7.5 and IPA version 4.5.4 on
> the subdomain "ipa.mydomain.com". I need to use users from the 2
> domains above, so I have created a transitive, one-way trust:
> ipa.mydomain.com --trust--> mydomain.com
> But I cannot do the trust between ipa.mydomain.com <-- other.company.org
> because on the AD side there is already a trust between other.company.org
> and the root of ipa (mydomain.com). As the trust is transitive, in theory
> users from other.company.org should be allowed on the ipa subdomain because:
> ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org
> This is working as designed.
> I can get a Kerberos TGT with: "kinit user@OTHER.COMPANY.ORG"
> But I cannot do "id user@other.company.org", nor can I add it to an
> external group; it complains: "member group: user@other.company.org:
> invalid 'trusted domain object': domain is not trusted"
> Should I change something in the sssd or Kerberos configuration to make
> the users trusted by my trust work? Is the "Selective authentication"
> configured at AD level the problem?
You have to configure separate forest trusts to both mydomain.com and
other.company.org from the IPA side. There is no way around it. Selective
authentication only affects the forest trust link between the two forests.
This is a fundamental design decision in Active Directory architecture,
nothing specific to FreeIPA.
See section 'Forest trusts' in the following document:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows...
------
A forest trust can be created only between a forest root domain in one
Windows Server 2003 forest and a forest root domain in another Windows
Server 2003 forest. Forest trusts can be created between two forests
only and cannot be implicitly extended to a third forest. This means
that if a forest trust is created between Forest 1 and Forest 2, and
another forest trust is created between Forest 2 and Forest 3, Forest 1
does not have an implicit trust with Forest 3.
------
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
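An added example, not part of the thread and not FreeIPA or Microsoft code, that models the rule quoted above: a forest trust links exactly two forests and is never implicitly extended to a third. The domain names are the ones from the question; the two trust lists are constructed from its description; `ForestTrust`, `trusted_forests`, `is_domain_trusted`, `reachable` and `resolve_user` are the example's own names, not IPA or SSSD APIs.

```python
"""Toy model of Active Directory forest-trust scope.

Added, constructed example (not FreeIPA code). A trust object belongs to the
forest that created it and covers only the forest on the other end of that
link (plus that forest's child domains); a path through a third forest
creates no trust.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ForestTrust:
    """One trust object, as held by the forest that created it."""
    owner: str            # forest root that holds the trusted-domain object
    remote: str           # forest root on the other end of the link
    two_way: bool = False


def trusted_forests(owner: str, trusts: list) -> set:
    """Forest roots that `owner` trusts through its own trust objects.

    Only direct links count; nothing is chained through a third forest.
    """
    owner = owner.lower()
    result = set()
    for t in trusts:
        if t.owner.lower() == owner:
            result.add(t.remote.lower())
        elif t.two_way and t.remote.lower() == owner:
            result.add(t.owner.lower())
    return result


def is_domain_trusted(owner: str, domain: str, trusts: list) -> bool:
    """True if `domain` is a trusted forest root or a child domain inside one."""
    domain = domain.lower()
    return any(domain == root or domain.endswith("." + root)
               for root in trusted_forests(owner, trusts))


def reachable(start: str, target: str, trusts: list) -> bool:
    """Plain graph reachability over trust links.

    This is the check the question implicitly made ("as the trust is
    transitive ..."), and it is the wrong one: a path through a third
    forest does not create a trust.
    """
    target = target.lower()
    seen, stack = set(), [start.lower()]
    while stack:
        cur = stack.pop()
        if cur == target:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(trusted_forests(cur, trusts))
    return False


def resolve_user(owner: str, principal: str, trusts: list):
    """Decide whether a principal's domain is covered by one of `owner`'s
    trust objects; returns (ok, message) in the style of the quoted error."""
    _user, _, domain = principal.partition("@")
    if not domain:
        return False, f"{principal}: no realm/domain part"
    if is_domain_trusted(owner, domain, trusts):
        return True, f"{principal}: domain covered by a trust held by {owner}"
    return False, f"{principal}: invalid 'trusted domain object': domain is not trusted"


# Names from the thread; the trust lists are constructed from its description.
IPA = "ipa.mydomain.com"
AD_ROOT = "mydomain.com"
OTHER = "other.company.org"

BEFORE = [
    ForestTrust(AD_ROOT, OTHER, two_way=True),  # the existing AD<->AD forest trust
    ForestTrust(IPA, AD_ROOT),                  # the one-way trust IPA already has
]
# After following the reply: IPA holds its own trust object for other.company.org.
AFTER = BEFORE + [ForestTrust(IPA, OTHER)]


if __name__ == "__main__":
    for label, trusts in (("before", BEFORE), ("after", AFTER)):
        print(f"[{label}] path IPA -> other.company.org exists:",
              reachable(IPA, OTHER, trusts))
        print(f"[{label}]", resolve_user(IPA, "user@other.company.org", trusts)[1])
```

With `BEFORE`, `reachable` finds a path from ipa.mydomain.com to other.company.org through mydomain.com, yet `is_domain_trusted` says no, which is the situation behind the "domain is not trusted" error in the question. `AFTER` adds the second trust object held by the IPA side; in a real deployment that is a second trust established from IPA against that forest's own root, e.g. `ipa trust-add --type=ad other.company.org --admin Administrator --password` (my note, not from the thread).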