Thanks for the quick response Alexander.

AD1 and AD2 will be separate forests. So an external trust...
But by reading the docs, it seems to be possible to create a transitive external one-way trust between the 2 ADs.

But would that allow users from AD2 to access resources enrolled in freeipa?
Or have I missed something?

On Wed, 2020-05-27 at 09:03 +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 26 May 2020, Monkey Bizness via FreeIPA-users wrote:
Hi,

I have an infrastructure with 2 ad clusters.
AD 1 trusts AD 2

How do they trust each other? Forest trust between AD 1 and AD 2, they
are part of the same (bigger) forest, they have external trust to each
other or something else?

If I establish a one way trust between freeipa and AD1, users from AD2
can authenticate on freeipa clients, right?
based on
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust

If these are two separate forests, AD1 and AD2, then you need to
establish trust between IPA and AD1 and between IPA and AD2 separately.
This is a requirement from Active Directory side. Forest trust
relationship does not extend onto other trust relations outside the
trusting forest.

The following document gives an overview of how Active Directory domain
and forest structure is designed
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759073(v=ws.10)


At the end of that document there is a tiny bit that explains it,
buried in a paragraph that is not marked in any special way, so it is easy
to miss:

  Forest trusts can be created between two forests only and cannot be
  implicitly extended to a third forest. This means that if a forest
  trust is created between Forest 1 and Forest 2, and another forest
  trust is created between Forest 2 and Forest 3, Forest 1 does not have
  an implicit trust with Forest 3.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
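The non-transitivity Alexander describes, as an added example that is not part of the thread or of FreeIPA itself: a small Python model (forest and domain names are constructed placeholders) that contrasts the AD domains IPA can actually serve with the naive hop-by-hop expectation, and lists which direct trusts are still missing.

```python
"""Model of AD trust reach for an IPA domain (added example, not from the thread).

Forest and domain names are constructed placeholders. Rules encoded:
  * a forest trust covers every domain of the trusted forest;
  * an external trust covers one domain only;
  * neither kind chains onto a third forest (no implicit transitivity).
"""
from collections import deque

# Constructed topology: which domains belong to which forest.
FORESTS = {
    "ipa": {"ipa.example.test"},
    "ad1": {"ad1.example.test", "child.ad1.example.test"},
    "ad2": {"ad2.example.test"},
}

def forest_of(domain):
    return next(f for f, doms in FORESTS.items() if domain in doms)

def reachable_domains(forest_trusts, external_trusts=(), origin="ipa"):
    """AD domains whose users `origin` can actually authenticate: one hop only."""
    reach = set()
    for trusting, trusted in forest_trusts:        # (trusting, trusted) pairs
        if trusting == origin:
            reach |= FORESTS[trusted]
    for trusting, trusted in external_trusts:      # domain-level pairs
        if forest_of(trusting) == origin:
            reach.add(trusted)
    return reach

def naive_transitive_reach(forest_trusts, origin="ipa"):
    """What an admin might wrongly expect: follow forest trusts hop by hop."""
    seen, queue = set(), deque([origin])
    while queue:
        forest = queue.popleft()
        for trusting, trusted in forest_trusts:
            if trusting == forest and trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return set().union(*(FORESTS[f] for f in seen)) if seen else set()

def missing_direct_trusts(required_forests, forest_trusts, origin="ipa"):
    """Forests `origin` still needs its own trust with to serve their users."""
    direct = {trusted for trusting, trusted in forest_trusts if trusting == origin}
    return set(required_forests) - direct

if __name__ == "__main__":
    trusts = {("ipa", "ad1"), ("ad1", "ad2")}   # the thread's starting point
    print("actual:", sorted(reachable_domains(trusts)))
    print("naive:", sorted(naive_transitive_reach(trusts)))
    print("still needed:", missing_direct_trusts({"ad1", "ad2"}, trusts))
```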
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org