On Fri, 15 Nov 2019, Chris Dagdigian via FreeIPA-users wrote:
> I just got CCd on an email chain concerning a conversion of 1-way AD
> trusts to 2-way trust for some realms and domains we use in one of the
> public cloud providers.
>
> The AD team is finally responding to all the issues they caused us in
> the cloud by refusing a 2-way trust in the first place. It caused
> enough hassles on the pure Windows side of things that Senior
> Management got involved, heh.
>
> I was the one who worked with the AD folk to set up the 1-way trust to
> our custom realm and it involved pre-shared secrets and joint
> coordinated actions.
>
> But this time around the language in the email is sort of like "hey we
> are just giving you a heads up on a change that will be made live this
> weekend .."
>
> So consider this a vague query along the lines of "Will this actually
> work?" -- Can a 1-way trust be made into a 2-way trust with actions
> entirely performed on the AD side of things? The AD people have no
> access and no idea how FreeIPA works.
Yes and no. It really depends on how they would try to set it up. If
they are going to use administrative privileges to re-create trusts,
they are out of luck -- you said they don't have administrative access to
the FreeIPA side. If they would try to set shared secrets on the trust
objects, somebody will still need to create a trust on your side.

There are two objects that need to be created for each trust direction, one
on each side of the trust. For a two-way trust, thus, you have four
objects total. Given that for a one-way trust you already have objects in
one direction, another set needs to be added and they can only add their own
part, not IPA's.
From your side it should be
ipa trust-add foo.bar.z --two-way=true --trust-secret
This will remove old objects and create new ones on IPA side.
You also need to ensure you are using at least RHEL 7.7 because this is
where we fixed shared secret trust creation from AD side. There are
still missing parts for topology configuration retrieval, though, but
since you have it working for one-way trust already, it should be OK.
> I was sort of thinking that I'd have to tear down the 1-way and set up
> a new 2-way trust but then I realized I've never done that before and
> I'm not sure how it works on the AD side of things.
>
> Any tips on FreeIPA and 1-way to 2-way trust conversions would be
> appreciated, thanks!
See above. 'ipa trust-add' should take care of it already.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
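The conversion described in the reply, wrapped in a before/after check, as an added example that is not part of the thread and not FreeIPA's own tooling. It assumes that `ipa trust-show` prints a "Trust direction:" line whose value is "Trusting forest" for the existing one-way trust and "Two-way trust" after the conversion; the sample output below is constructed so the parsing can be exercised offline, and the conversion function is only meant to be run on an IPA server by an admin.

```shell
#!/bin/sh
# Added example (not from the thread): parse the trust direction from
# `ipa trust-show` output, run the conversion command from the reply,
# and re-check. Assumes `ipa trust-show` prints a "Trust direction:" line
# with values such as "Trusting forest" (one-way) or "Two-way trust".

# Extract the "Trust direction:" value from `ipa trust-show` output on stdin.
trust_direction() {
    sed -n 's/^[[:space:]]*Trust direction:[[:space:]]*//p' | head -n 1
}

# Return 0 if the direction string describes a two-way trust, 1 otherwise.
is_two_way() {
    case "$1" in
        "Two-way trust") return 0 ;;
        *) return 1 ;;
    esac
}

# Convert the named AD domain's one-way trust to two-way (the command from the
# reply) and confirm the direction changed. Run this on the IPA side only.
convert_to_two_way() {
    domain="$1"
    before=$(ipa trust-show "$domain" | trust_direction)
    echo "before: $before"
    if is_two_way "$before"; then
        echo "already two-way, nothing to do"
        return 0
    fi
    # Re-creates the IPA-side trust objects in both directions using the
    # shared secret agreed with the AD team.
    ipa trust-add "$domain" --two-way=true --trust-secret
    after=$(ipa trust-show "$domain" | trust_direction)
    echo "after: $after"
    is_two_way "$after"
}

# Constructed sample of `ipa trust-show` output for an existing one-way trust
# (hypothetical values; not captured from a real server).
SAMPLE_ONE_WAY='  Realm name: foo.bar.z
  Domain NetBIOS name: FOO
  Trust direction: Trusting forest
  Trust type: Active Directory domain'

# Usage: sh convert-trust.sh --convert foo.bar.z
if [ "${1:-}" = "--convert" ] && [ -n "${2:-}" ]; then
    convert_to_two_way "$2"
fi
```

The check is deliberately conservative: if the direction is already reported as two-way the script does nothing, and the exit status of `convert_to_two_way` is non-zero when the post-conversion `ipa trust-show` still does not report a two-way trust, so it can be used as a gate in a change window.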