On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:
> On Mon, 14 Jun 2021, Ronald Wimmer wrote:
>> On 14.06.21 13:37, Alexander Bokovoy wrote:
>>> On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:
>>>> On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> please refer to External Trusts to Active Directory [1] from
>>>>> Windows Integration guide, it nicely explains the difference
>>>>> between external trust and forest trust.
>>>>> flo
>>>>>
>>>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>>>>>
>>>>
>>>> Sorry for my unspecific initial question. I did read the
>>>> documentation. As I understood it the external trust somehow
>>>> isolates the view on that particular domain.
>>>>
>>>> If DomA_Trust is a normal one and DomB_Trust an external one I
>>>> cannot use DomB users in a DomA group for example, right? If DomB
>>>> trust was not external I could do that?
>>>
>>> I think you need to start with Active Directory design and
>>> documentation. In particular, group types in AD define who can be
>>> included into them and how they can be consumed:
>>>
>>> https://docs.microsoft.com/en-us/windows/security/identity-protection/acc...
>>>
>>> Type of trust between domains influences the use of groups but group
>>> scopes are ultimate ones here.
>>>
>>> When applying that to a trust between IPA and AD, remember that we only
>>> have two trust types:
>>>
>>> - forest trust: IPA domain is in a separate forest than any AD domain
>>>
>>> - external trust: only immediately trusted AD domain users and groups
>>> can be seen and used for authentication across the trust, there is no
>>> transitivity into any other trust that this AD domain may have
>>> anywhere else
>>>
>>> In addition to that, while forest trust in itself is transitive to
>>> domains in the trusting forest, there is no transitivity across all
>>> trusting forests. If forest A trusts forest B and forest B trusts forest
>>> C, there is no trust from forest A to any domain in forest C.
>>>
>>> The same applies to groups from those forests as well, complicated by
>>> the group scopes.
>>
>> In our case IPA has a trust to the forest root of domain A which
>> itself has a trust to domain B. IPA has an external trust to domain B.
>> With the AD management tool we are using I can put users of domain B
>> into a group of domain A.
>
> What matters is where domain B is located. Is it part of the same forest
> as domain A? Is it outside of forest A?

It is outside of forest A but forest A has a trust to it.

>> When I try to use that particular group (POSIX group that has the AD
>> group as its member) in a HBAC scenario I do get a permission denied
>> error.
>
> It can be anything. This information does not give any chance to
> understand why there is a problem.

At the moment I do have users of domain B in a group of domain A. I
cannot use that particular group in IPA. I think this could be because I
set up the IPA trust to domain B as external.

>>
>> External trust to domain B was set up years ago when we were still
>> experimenting with IPA. So my first question is if the separate trust
>> to domain B is needed at all? (because there is a trust from domain A
>> to domain B on the AD side.) If yes I probably would not want domain B
>> trust to be an external one in my scenario, would I?
>
> You need to decide what you want. ;) If A and B are in the same forest,
> then you don't need an external trust to B from IPA side.

If I want to use users of domain B in a domain A group I will probably
have to set up a 'normal' trust to domain B and not an 'external' one.
Do you agree?
Cheers,
Ronald
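The trust-reachability rules Alexander states in the quoted message (forest trust transitive only within the trusted forest, external trust covering a single domain, no chaining across forests) as an added Python model. This is example code written for this page, not FreeIPA or SSSD code; the forest and domain names (a.example, child.a.example, b.example, c.example) and the AD-side trust list are constructed. It models only which domains IPA's own trusts can reach; group scope, identity lookup and HBAC evaluation, which the thread says can also cause the "permission denied", are outside the model.

```python
"""Added example: toy model of the trust-visibility rules stated in the thread.

Not FreeIPA code. Encodes only these rules:
  * forest trust: IPA sees every domain in the trusted forest
  * external trust: IPA sees only the immediately trusted AD domain
  * no transitivity across forests: a forest that a trusted forest
    trusts on the AD side is not visible to IPA
Group scope and HBAC evaluation are out of scope for the model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpaTrust:
    target: str     # forest root (forest trust) or single AD domain (external)
    external: bool


# Constructed example topology (hypothetical names, not from the thread).
FORESTS = {
    "a.example": {"a.example", "child.a.example"},
    "b.example": {"b.example"},
    "c.example": {"c.example"},
}
# AD-side forest trusts: A trusts B, B trusts C. Deliberately not consulted
# by visible_domains(): the thread's point is that IPA never follows them.
AD_FOREST_TRUSTS = {("a.example", "b.example"), ("b.example", "c.example")}


def visible_domains(ipa_trusts, forests=FORESTS):
    """Domains whose users IPA can resolve through its own trusts."""
    visible = set()
    for t in ipa_trusts:
        if t.external:
            visible.add(t.target)          # no transitivity at all
        elif t.target in forests:
            visible |= forests[t.target]   # transitive within the forest only
        else:
            raise ValueError(f"{t.target!r} is not a known forest root")
    return visible


def group_usable(member_domains, ipa_trusts, forests=FORESTS):
    """True only if every member's domain is reachable via IPA's own trusts."""
    return set(member_domains) <= visible_domains(ipa_trusts, forests)


def explain(domain, ipa_trusts, forests=FORESTS, ad_trusts=AD_FOREST_TRUSTS):
    """Human-readable reason a domain is or is not visible to IPA."""
    if domain in visible_domains(ipa_trusts, forests):
        return f"{domain}: visible through one of IPA's own trusts"
    forest_of = {d: root for root, members in forests.items() for d in members}
    root = forest_of.get(domain)
    trusted_roots = {t.target for t in ipa_trusts if not t.external}
    via_ad = [a for a, b in ad_trusts if b == root and a in trusted_roots]
    if via_ad:
        return (f"{domain}: forest {root} is trusted by {via_ad[0]} on the AD side, "
                "but forest trusts do not chain across forests, so IPA needs its own trust")
    return f"{domain}: no IPA trust reaches it"


if __name__ == "__main__":
    forest_only = [IpaTrust("a.example", external=False)]
    with_external = forest_only + [IpaTrust("b.example", external=True)]
    mixed_group = {"a.example", "b.example"}   # domain-A group with domain-B members
    print(sorted(visible_domains(forest_only)))
    print(sorted(visible_domains(with_external)))
    print(group_usable(mixed_group, forest_only), group_usable(mixed_group, with_external))
    print(explain("b.example", forest_only))
    print(explain("c.example", with_external))
```

Running it shows the two situations discussed in the thread: with only the forest trust to A, a group whose members come from domain B is not resolvable even though A trusts B on the AD side, and forest C stays unreachable however many AD-side trusts lead to it. The model says nothing about whether the external trust to B is the cause of the HBAC failure Ronald observes; it only confirms that some IPA-side trust to B is required when B is outside forest A.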