Thanks for the clarification. I'll dig deeper into all that.
On Wed, 2020-05-27 at 11:28 +0300, Alexander Bokovoy wrote:
On ke, 27 touko 2020, Monkey Bizness via FreeIPA-users wrote:
Thanks for the quick response Alexander. AD1 and AD2 will be separate forests. So an external trust... But by reading the docs, it seems to be possible to create a transitive external one-way trust between the 2 ADs. But would that allow users from AD2 to access resources enrolled in freeipa? Or have I missed something?
I think you are mixing things up.
AD1 and AD2 are separate forests, so you have to establish normal forest trust between them and IPA.
ipa trust-add AD1 ...
ipa trust-add AD2 ...
Then users from both AD1 and AD2 will be able to access resources in IPA.
External trust is typically a trust between two domains that cannot be connected by a forest trust because they aren't both root domains in their own forests. The external trust doesn't allow routing requests beyond both immediate trusting parties, so it is typically a last-resort option for some specific situation. I'd suggest avoiding it unless you know what you are doing.
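The two-forest setup Alexander describes, written out as a small shell script. This is an added example, not code from the thread or from the FreeIPA project; the forest names AD1.EXAMPLE.COM and AD2.EXAMPLE.COM are constructed placeholders, and the DRY_RUN switch is an assumption of this script (it prints the ipa commands instead of running them, so the logic can be checked on a host without an IPA client). It uses only existing ipa subcommands: trust-add with --type=ad, trust-fetch-domains and trustdomain-find.

```shell
#!/bin/sh
# Added example (not from the thread): one forest trust per AD forest, then
# fetch and list the child domains routed through each trust so that users
# from any domain in either forest can be resolved by IPA.
# Forest names are constructed placeholders.

# run CMD... : execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# add_forest_trusts FOREST... : establish a normal (transitive) forest trust
# with each forest. --type=ad selects an Active Directory trust; --password
# makes ipa prompt for the AD admin password rather than taking it on the
# command line. No --external flag is used: an external trust would stop
# routing at the immediate trusting domain, which is what the thread warns
# against.
add_forest_trusts() {
  for forest in "$@"; do
    run ipa trust-add --type=ad "$forest" --admin Administrator --password || return 1
    # Pull the list of domains reachable through the new trust, then show it;
    # a forest whose child domains do not appear here is a sign the trust is
    # not transitive or was not fully established.
    run ipa trust-fetch-domains "$forest" || return 1
    run ipa trustdomain-find "$forest" || return 1
  done
}

# Usage: DRY_RUN=1 ./trusts.sh AD1.EXAMPLE.COM AD2.EXAMPLE.COM
if [ "$#" -gt 0 ]; then
  add_forest_trusts "$@"
fi
```

Run it once per forest root (both forests are passed in one invocation above); afterwards `ipa trustdomain-find` for each forest should list every child domain whose users need access to IPA-enrolled hosts.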