On Sun, Feb 27, 2022, 07:34 Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Sun, 27 Feb 2022, Cyrus via FreeIPA-users wrote:
>Hello!,
>
>I'm in an interop puzzle dilemma, hope you can help me out.
>
>Currently all our user accounts are hosted in an Active Directory
>environment we don't own (another team handles that for us), acme.tld for
>this discussion.
>
>We're in the need to implement:
>- FreeIPA to handle our linux machine accounts and process/app users with
>ipa.domain.tld
>- FreeIPA (same as above or different cluster?) to handle external provider
>accounts with ext.domain.tld
>- Own AD Controllers to handle our Windows machines with ad.domain.tld
>
>The aim is:
>1. Allow acme.tld users to access ipa.domain.tld machines.
>2. Allow acme.tld users to access ad.domain.tld machines
>3. Allow ext.domain.tld users to access ipa.domain.tld machines
>4. Allow ext.domain.tld users to access ad.domain.tld machines
>
>1 seems to be solved trusting acme.tld on FreeIPA side
>2 seems to be solved trusting acme.tld on AD side
>Not sure how to solve 3 and 4, can you provide any recommendation?

Neither is supported. That is, there is no support for login into AD
machines and there is currently no support for IPA-IPA trust.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

Thanks for the feedback. Would adding Samba4 to the mix to host ext.domain.tld solve 3 and 4?

It should solve 4 with AD+Samba4 trust. But I'm not sure about 3.

Regards,
CI.-