On Tue, 26 May 2020, Monkey Bizness via FreeIPA-users wrote:
> Hi,
> I have an infrastructure with 2 ad clusters.
> AD 1 trusts AD 2
How does it trust each other? Forest trust between AD 1 and AD 2, they
are part of the same (bigger) forest, they have external trust to each
other or something else?
> If I establish a one way trust between freeipa and AD1, users from AD2
> can authenticate on freeipa clients right?
> based on
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
If these are two separate forests, AD1 and AD2, then you need to
establish trust between IPA and AD1 and between IPA and AD2 separately.
This is a requirement from Active Directory side. Forest trust
relationship does not extend onto other trust relations outside the
trusting forest.
The following document gives an overview of how Active Directory domain
and forest structure is designed
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows...
At the end of that document there is a tiny bit that explains it,
buried in a paragraph that is not marked in any special way, so it is easy
to miss:
Forest trusts can be created between two forests only and cannot be
implicitly extended to a third forest. This means that if a forest
trust is created between Forest 1 and Forest 2, and another forest
trust is created between Forest 2 and Forest 3, Forest 1 does not have
an implicit trust with Forest 3.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
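An added check, not part of the thread: since forest trusts are not transitive, the script below takes `ipa trust-find` output and lists the AD forests that still lack a direct trust with IPA. The forest names and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that IPA holds a *direct* trust
# with every AD forest whose users must log in, because a forest trust between
# AD1 and AD2 does not extend to IPA. Forest names are constructed placeholders.
REQUIRED_FORESTS="ad1.example.test ad2.example.test"

# Constructed sample of `ipa trust-find` output: only AD1 is trusted directly.
SAMPLE_TRUST_FIND='---------------
1 trust matched
---------------
  Realm name: ad1.example.test
  Domain NetBIOS name: AD1
  Domain Security Identifier: S-1-5-21-111-222-333
  Trust direction: Trusting forest
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------'

# Extract the realm names of the trusts IPA has established, lower-cased.
trusted_realms() {
  printf '%s\n' "$1" | sed -n 's/^ *Realm name: *//p' | tr 'A-Z' 'a-z'
}

# Print each required forest without a direct trust entry; return 1 if any.
missing_trusts() {
  realms=$(trusted_realms "$1")
  rc=0
  for forest in $REQUIRED_FORESTS; do
    wanted=$(printf '%s' "$forest" | tr 'A-Z' 'a-z')
    if ! printf '%s\n' "$realms" | grep -qx "$wanted"; then
      echo "$forest"
      rc=1
    fi
  done
  return $rc
}

# Against a live server this would be: missing_trusts "$(ipa trust-find)"
if missing=$(missing_trusts "$SAMPLE_TRUST_FIND"); then
  echo "all required forests have a direct trust with IPA"
else
  echo "no direct IPA trust with:$(printf ' %s' $missing) (trust via another forest does not count)"
fi
```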