I just got CC'd on an email chain concerning a conversion of 1-way AD trusts to 2-way trust for some realms and domains we use in one of the public cloud providers.
The AD team is finally responding to all the issues they caused us in the cloud by refusing a 2-way trust in the first place. It caused enough hassles on the pure Windows side of things that Senior Management got involved, heh.
I was the one who worked with the AD folk to set up the 1-way trust to our custom realm and it involved pre-shared secrets and joint coordinated actions.
But this time around the language in the email is sort of like "hey we are just giving you a heads up on a change that will be made live this weekend .."
So consider this a vague query along the lines of "Will this actually work?" -- Can a 1-way trust be made into a 2-way trust with actions entirely performed on the AD side of things? The AD people have no access and no idea how FreeIPA works.
I was sort of thinking that I'd have to tear down the 1-way and set up a new 2-way trust but then I realized I've never done that before and I'm not sure how it works on the AD side of things.
Any tips on FreeIPA and 1-way to 2-way trust conversions would be appreciated, thanks!
Chris
On Fri, 15 Nov 2019, Chris Dagdigian via FreeIPA-users wrote:
> I just got CC'd on an email chain concerning a conversion of 1-way AD trusts to 2-way trust for some realms and domains we use in one of the public cloud providers.
> The AD team is finally responding to all the issues they caused us in the cloud by refusing a 2-way trust in the first place. It caused enough hassles on the pure Windows side of things that Senior Management got involved, heh.
> I was the one who worked with the AD folk to set up the 1-way trust to our custom realm and it involved pre-shared secrets and joint coordinated actions.
> But this time around the language in the email is sort of like "hey we are just giving you a heads up on a change that will be made live this weekend .."
> So consider this a vague query along the lines of "Will this actually work?" -- Can a 1-way trust be made into a 2-way trust with actions entirely performed on the AD side of things? The AD people have no access and no idea how FreeIPA works.
Yes and no. It really depends on how they would try to set it up. If they are going to use administrative privileges to re-create trusts, they are out of luck -- you said they don't have administrative access to the FreeIPA side. If they would try to set shared secrets on the trust objects, somebody will still need to create a trust on your side.
There are two objects that need to be created for each trust direction, one on each side of the trust. For a two-way trust, thus, you have four objects total. Given that for a one-way trust you already have objects in one direction, another set needs to be added and they can only add their own part, not IPA's.
From your side it should be
ipa trust-add foo.bar.z --two-way=true --trust-secret
This will remove old objects and create new ones on IPA side.
You also need to ensure you are using at least RHEL 7.7 because this is where we fixed shared secret trust creation from AD side. There are still missing parts for topology configuration retrieval, though, but since you have it working for one-way trust already, it should be OK.
> I was sort of thinking that I'd have to tear down the 1-way and set up a new 2-way trust but then I realized I've never done that before and I'm not sure how it works on the AD side of things.
> Any tips on FreeIPA and 1-way to 2-way trust conversions would be appreciated, thanks!
See above. 'ipa trust-add' should take care of it already.
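Added example, not from this thread or from the FreeIPA project: a small POSIX shell wrapper for the IPA-side part of the conversion the reply describes (check the current direction, run the recommended `ipa trust-add`, then refresh the domain list). It assumes `ipa trust-show` prints a `Trust direction:` line whose two-way value is the literal `Two-way trust`; the sample output and the realm `ad.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `ipa trust-show` output for a trust that is still one-way.
SAMPLE_ONE_WAY='  Realm name: ad.example.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1-2-3
  Trust direction: Trusting forest
  Trust type: Active Directory domain'

# trust_direction: read `ipa trust-show` output on stdin, print the direction value.
trust_direction() {
    sed -n 's/^[[:space:]]*Trust direction:[[:space:]]*//p' | head -n 1
}

# is_two_way: succeed only when the direction text is the assumed two-way value.
is_two_way() {
    case "$1" in
        "Two-way trust") return 0 ;;
        *) return 1 ;;
    esac
}

# conversion_command: the command the reply recommends, for realm $1.
conversion_command() {
    printf 'ipa trust-add %s --two-way=true --trust-secret\n' "$1"
}

# convert_trust: live version; needs a Kerberos ticket for an IPA admin and the
# shared secret agreed with the AD team (prompted for by --trust-secret).
convert_trust() {
    realm="$1"
    dir=$(ipa trust-show "$realm" | trust_direction)
    if is_two_way "$dir"; then
        echo "$realm: already two-way, nothing to do"
        return 0
    fi
    echo "$realm: direction is '$dir', running: $(conversion_command "$realm")"
    # Replaces the old IPA-side trust objects with two-way ones (see the reply above).
    ipa trust-add "$realm" --two-way=true --trust-secret
    # Pull the trusted forest's domain list again so the new direction is usable.
    ipa trust-fetch-domains "$realm"
}

# Usage: sh convert_trust.sh --run ad.example.test
if [ "${1:-}" = "--run" ]; then
    convert_trust "$2"
fi
```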
freeipa-users@lists.fedorahosted.org