Thanks for the quick response Alexander. AD1 and AD2 will be separate forests. So an external trust... But by reading the docs, it seems to be possible to create a transitive external one-way trust between the 2 ADs. But would that allow users from AD2 to access resources enrolled in FreeIPA? Or have I missed something?

On Wed, 2020-05-27 at 09:03 +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 26 May 2020, Monkey Bizness via FreeIPA-users wrote:
> Hi, I have an infrastructure with 2 AD clusters. AD 1 trusts AD 2
How do they trust each other? Forest trust between AD 1 and AD 2, they are part of the same (bigger) forest, they have external trust to each other, or something else?
> If I establish a one way trust between FreeIPA and AD1, users from AD2 can authenticate on FreeIPA clients, right? Based on https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
If these are two separate forests, AD1 and AD2, then you need to establish trust between IPA and AD1 and between IPA and AD2 separately. This is a requirement from the Active Directory side. A forest trust relationship does not extend onto other trust relations outside the trusting forest. The following document gives an overview of how Active Directory domain and forest structure is designed: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-se...
At the end of that document there is a tiny bit that explains it, buried in a paragraph that is not marked in any special way, so it is easy to miss:

    Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
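As an added illustration (not from the thread and not FreeIPA's own code), the following Python models the rule Alexander quotes: a forest trust covers every domain inside the trusted forest but is never implicitly extended to a third forest, so IPA needs its own trust to AD2 before AD2 users can reach IPA-enrolled resources. Forest and domain names are constructed.

```python
"""Toy model of Active Directory trust scope as seen from FreeIPA.

Added example; forest and domain names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Forest:
    name: str
    domains: frozenset  # all domains that belong to this forest


@dataclass
class TrustGraph:
    # trusts[trusting] = forests whose users the trusting side accepts
    trusts: dict = field(default_factory=dict)

    def add_one_way(self, trusting: str, trusted: str) -> None:
        """One-way trust: users of `trusted` may access `trusting`."""
        self.trusts.setdefault(trusting, set()).add(trusted)

    def accepted_forests(self, trusting: str) -> set:
        # Exactly one hop: a forest trust is never implicitly extended
        # to forests that the trusted forest itself trusts.
        return set(self.trusts.get(trusting, set()))


def can_access(graph: TrustGraph, forests: dict, user_domain: str,
               resource_forest: str) -> bool:
    home = next((f.name for f in forests.values() if user_domain in f.domains), None)
    if home is None:
        return False
    if home == resource_forest:
        return True  # inside one forest every domain is covered
    return home in graph.accepted_forests(resource_forest)


def scenario() -> tuple:
    forests = {
        "IPA": Forest("IPA", frozenset({"ipa.example.test"})),
        "AD1": Forest("AD1", frozenset({"ad1.example.test", "child.ad1.example.test"})),
        "AD2": Forest("AD2", frozenset({"ad2.example.test"})),
    }
    g = TrustGraph()
    g.add_one_way("AD1", "AD2")  # AD 1 trusts AD 2, as in the question
    g.add_one_way("IPA", "AD1")  # IPA trusts AD1 only
    ad2_before = can_access(g, forests, "ad2.example.test", "IPA")      # False
    ad1_child = can_access(g, forests, "child.ad1.example.test", "IPA")  # True
    g.add_one_way("IPA", "AD2")  # the separate trust the reply says is required
    ad2_after = can_access(g, forests, "ad2.example.test", "IPA")       # True
    return ad2_before, ad1_child, ad2_after
```

The `ad1_child` result shows why the forest trust still feels "transitive": it reaches every domain within AD1, just not a further forest that AD1 trusts.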