Thanks for the clarification. I'll dig deeper into all that.


On Wed, 2020-05-27 at 11:28 +0300, Alexander Bokovoy wrote:
On Wed, 27 May 2020, Monkey Bizness via FreeIPA-users wrote:
Thanks for the quick response Alexander.
AD1 and AD2 will be separate forests. So an external trust... But by
reading the docs, it seems to be possible to create a transitive
external one-way trust between the 2 ADs.
But would that allow users from AD2 to access resources enrolled in
FreeIPA? Or have I missed something?

I think you are mixing things up.

AD1 and AD2 are separate forests, so you have to establish normal forest
trust between them and IPA.

ipa trust-add AD1 ...
ipa trust-add AD2 ...

Then users from both AD1 and AD2 will be able to access resources in
IPA.

External trust is typically a trust between two domains that cannot be connected
by a forest trust because they aren't both root domains in their own
forests. The external trust doesn't allow routing requests beyond the two
immediate trusting parties, so it is typically a last-resort option for
some specific situation. I'd suggest avoiding it unless you know what
you are doing.
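As an added illustration of the advice above (this is not code from the thread or from the FreeIPA project), the script below establishes one forest trust per AD forest, each between that forest and IPA rather than between AD1 and AD2, and then audits `ipa trust-find` style output for non-transitive external trusts that would not route requests. Assumed: the forest names are placeholders, the `ipa trust-add` flags `--type`, `--admin` and `--password` are the documented ones, and the "Trust type" and "Trust direction" labels match what `ipa trust-find` prints; the sample output is constructed.

```shell
#!/bin/sh
# Added example: one forest trust per AD forest, plus an audit of trust types.
# IPA can be pointed at a stand-in binary (e.g. IPA=echo) for a dry run.
IPA=${IPA:-ipa}

# Establish a transitive *forest* trust between IPA and each AD forest given.
# --type=ad asks for an AD forest trust; no --external flag is passed, so the
# trust is transitive. --password prompts interactively for the AD admin password.
add_forest_trusts() {
  for forest in "$@"; do
    "$IPA" trust-add --type=ad "$forest" --admin Administrator --password || return 1
  done
}

# Read `ipa trust-find --all` style output from stdin and count trusts whose
# "Trust type" line reports an external (non-transitive) trust.
count_external_trusts() {
  awk '
    /^[[:space:]]*Trust type:/ && tolower($0) ~ /external/ { n++ }
    END { print n + 0 }
  '
}

# Constructed sample output (labels assumed to match ipa trust-find; the second
# entry shows the kind of trust the thread advises against).
SAMPLE='  Realm name: ad1.example.test
  Domain NetBIOS name: AD1
  Trust direction: Trusting forest
  Trust type: Active Directory domain

  Realm name: ad2.example.test
  Domain NetBIOS name: AD2
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust'

# Returns the number of external trusts found in the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE" | count_external_trusts
}
```

Run `ipa trust-find --all | count_external_trusts` on a real server to check that no external trusts are configured where a forest trust was intended.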