On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:
>On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
>>Hi,
>>
>>please refer to External Trusts to Active Directory [1] from Windows
>>Integration guide, it nicely explains the difference between
>>external trust and forest trust.
>>flo
>>
>>[1]
>>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
>Sorry for my unspecific initial question. I did read the
>documentation. As I understood it the external trust somehow isolates
>the view on that particular domain.
>If DomA_Trust is a normal one and DomB_Trust an external one I cannot
>use DomB users in a DomA group for example, right? If DomB trust was
>not external I could do that?
I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included in them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/acc...
The type of trust between domains influences the use of groups, but group
scopes are the ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only
have two trust types:
- forest trust: the IPA domain is in a separate forest from any AD domain
- external trust: only the immediately trusted AD domain's users and groups
can be seen and used for authentication across the trust; there is no
transitivity into any other trust that this AD domain may have
anywhere else
In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by
the group scopes.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
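A small model of the two trust types as described in the reply, added here as an example (it is not FreeIPA code and not from the thread). Forest and domain names are constructed, and the `forest_view` helper is a hypothetical comparison of what the AD forest itself sees through its own forest trusts versus what IPA sees through its trust to that forest:

```python
from dataclasses import dataclass, field


@dataclass
class Forest:
    name: str
    domains: set            # all domains that make up this AD forest
    trusts: set = field(default_factory=set)  # forests this forest itself trusts


@dataclass
class IpaTrust:
    kind: str     # "forest" or "external"
    target: str   # forest name for a forest trust, domain name for an external one


def ipa_visible_domains(trust, forests):
    """AD domains whose users IPA can resolve through `trust`."""
    if trust.kind == "forest":
        # Transitive within the trusted forest only: forests that the trusted
        # forest trusts onward (A -> B -> C) stay invisible to IPA.
        return set(forests[trust.target].domains)
    if trust.kind == "external":
        # Only the one immediately trusted domain, no transitivity at all.
        return {trust.target}
    raise ValueError(f"unknown trust type: {trust.kind}")


def forest_view(forest_name, forests):
    """Domains a member of `forest_name` sees: its own forest plus each forest
    it directly trusts (hypothetical helper, used to contrast with IPA's view)."""
    f = forests[forest_name]
    return set(f.domains).union(*(forests[o].domains for o in f.trusts))


def usable_in_ipa_group(user_domain, trusts, forests):
    """True if a user from `user_domain` is reachable through any IPA trust."""
    return any(user_domain in ipa_visible_domains(t, forests) for t in trusts)


# Constructed topology: forest B trusts forest C; IPA has a forest trust to B
# and an external trust to a single child domain of forest D.
FORESTS = {
    "b.example": Forest("b.example", {"b.example", "child.b.example"}, {"c.example"}),
    "c.example": Forest("c.example", {"c.example"}),
    "d.example": Forest("d.example", {"d.example", "sub.d.example"}),
}
IPA_TRUSTS = [IpaTrust("forest", "b.example"), IpaTrust("external", "sub.d.example")]

if __name__ == "__main__":
    for dom in ["child.b.example", "c.example", "sub.d.example", "d.example"]:
        print(f"{dom}: usable by IPA = {usable_in_ipa_group(dom, IPA_TRUSTS, FORESTS)}")
```

Forest B itself can see forest C's domains through its own trust, yet IPA, trusting only B, cannot; the external trust to sub.d.example exposes that single domain and nothing else in forest D.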