Hi,
I have an infrastructure with 2 AD clusters. AD 1 trusts AD 2.
If I establish a one-way trust between FreeIPA and AD1, users from AD2 can authenticate on FreeIPA clients, right? Based on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Thanks
On Tue, 26 May 2020, Monkey Bizness via FreeIPA-users wrote:
Hi,
I have an infrastructure with 2 AD clusters. AD 1 trusts AD 2.
How do they trust each other? Forest trust between AD 1 and AD 2, they are part of the same (bigger) forest, they have an external trust to each other, or something else?
If I establish a one-way trust between FreeIPA and AD1, users from AD2 can authenticate on FreeIPA clients, right? Based on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
If these are two separate forests, AD1 and AD2, then you need to establish trust between IPA and AD1 and between IPA and AD2 separately. This is a requirement from the Active Directory side. A forest trust relationship does not extend onto other trust relations outside the trusting forest.
The following document gives an overview of how Active Directory domain and forest structure is designed: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-se...
At the end of that document there is a tiny bit that explains it, buried in a paragraph that is not marked in any special way, so it is easy to miss:
Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3.
Thanks for the quick response Alexander. AD1 and AD2 will be separate forests. So an external trust... But by reading the docs, it seems to be possible to create a transitive external one-way trust between the 2 ADs. But does that allow users from AD2 to access resources enrolled in FreeIPA? Or have I missed something?
On Wed, 2020-05-27 at 09:03 +0300, Alexander Bokovoy via FreeIPA-users wrote:
[...]
-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Wed, 27 May 2020, Monkey Bizness via FreeIPA-users wrote:
Thanks for the quick response Alexander. AD1 and AD2 will be separate forests. So an external trust... But by reading the docs, it seems to be possible to create a transitive external one-way trust between the 2 ADs. But does that allow users from AD2 to access resources enrolled in FreeIPA? Or have I missed something?
I think you are mixing things up.
AD1 and AD2 are separate forests, so you have to establish normal forest trusts between them and IPA:
    ipa trust-add AD1 ...
    ipa trust-add AD2 ...
Then users from both AD1 and AD2 will be able to access resources in IPA.
An external trust is typically a trust between two domains that cannot be connected by a forest trust because they aren't both root domains in their own forests. The external trust doesn't allow routing requests beyond the two immediate trusting parties, so it is typically a last-resort option for some specific situation. I'd suggest avoiding it unless you know what you are doing.
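The two `ipa trust-add` calls in the reply above, and the point in the earlier reply that each separate forest needs its own trust, spelled out as a runnable script. This is an added example, not code from the thread or from the FreeIPA project. The realm names ad1.example.com and ad2.example.com, the AD account "Administrator" and the users alice and bob are assumptions, as is the environment: ipa-adtrust-install already run on the IPA server and an IPA admin Kerberos ticket in hand. `--two-way=false` creates the one-way trust the original question asked about (IPA trusts AD, AD does not trust IPA).

```shell
#!/bin/sh
# Added example, not code from this thread or from the FreeIPA project.
# Establishes a separate one-way forest trust from IPA to each AD forest and
# verifies each one. Assumptions: the realm names ad1.example.com and
# ad2.example.com, the AD account "Administrator", the users alice and bob,
# that ipa-adtrust-install has been run on this IPA server, and that you
# hold an IPA admin Kerberos ticket. DRY_RUN=1 prints the commands instead
# of executing them.
set -eu

AD_ADMIN="${AD_ADMIN:-Administrator}"

# Print the command (DRY_RUN=1) or execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-way forest trust: IPA trusts the AD forest, so the forest's users can
# reach IPA resources; AD does not trust IPA. Because a forest trust never
# chains to a third forest, every separate forest gets its own trust-add.
# --password prompts for the AD admin password.
add_forest_trust() {
    realm="$1"
    run ipa trust-add --type=ad "$realm" --admin "$AD_ADMIN" --password --two-way=false
    # Pull the child domains of that forest into IPA so their users resolve too.
    run ipa trust-fetch-domains "$realm"
}

# Confirm the trust object exists, list the domains it covers, and resolve
# one user of the forest through SSSD.
verify_trust() {
    realm="$1"
    user="$2"
    run ipa trust-show "$realm"
    run ipa trustdomain-find "$realm"
    run getent passwd "${user}@${realm}"
}

main() {
    for realm in ad1.example.com ad2.example.com; do
        add_forest_trust "$realm"
    done
    verify_trust ad1.example.com alice
    verify_trust ad2.example.com bob
}

# Run only when invoked with "apply", e.g.  DRY_RUN=1 sh ipa-trusts.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Preview with `DRY_RUN=1 sh ipa-trusts.sh apply` before running it for real. If AD2's users fail to resolve after only the AD1 trust exists, that is the non-transitivity described above, not a misconfiguration: the second trust-add is required.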
Thanks for the clarification. I'll dig deeper into all that.
On Wed, 2020-05-27 at 11:28 +0300, Alexander Bokovoy wrote:
[...]