Suppose I have the following scenario:
AD DC Cluster = b.a ( user: b.a\jack )
IPA Cluster 01 = c.b.a
IPA Cluster 02 = d.b.a
IPA Cluster 03 = e.b.a
If I set up all 3 IPA clusters as subdomains of b.a, I know each one can establish a trust with the AD DC and I can authenticate as 'b.a\jack' through servers connected to each cluster.
But if I want to do something like this (just theoretical):
AD DC Cluster = b.a ( user: b.a\jack )
IPA Cluster 01 = c.b.a
IPA Sub Cluster 01 = d.c.b.a
IPA Sub Cluster 02 = e.c.b.a
Meaning only c.b.a has a trust with the AD DC Cluster, but d.c.b.a and e.c.b.a don't have a direct trust with the AD DC; however, c.b.a forwards anything on 'd' and 'e' over to the sub clusters.
Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA clusters? I imagine it's not possible.
If by chance it is, what would I need to do to make that work? Guessing allowing the AD DC to trust the subdomains would be one of the things I need to do. But what else?
On Mon, 28 Jan 2019, TomK via FreeIPA-users wrote:
> Suppose I have the following scenario:
> AD DC Cluster = b.a ( user: b.a\jack )
> IPA Cluster 01 = c.b.a
> IPA Cluster 02 = d.b.a
> IPA Cluster 03 = e.b.a
> If I set up all 3 IPA clusters as subdomains of b.a, I know each one can establish a trust with the AD DC and I can authenticate as 'b.a\jack' through servers connected to each cluster.
> But if I want to do something like this (just theoretical):
> AD DC Cluster = b.a ( user: b.a\jack )
> IPA Cluster 01 = c.b.a
> IPA Sub Cluster 01 = d.c.b.a
> IPA Sub Cluster 02 = e.c.b.a
> Meaning only c.b.a has a trust with the AD DC Cluster, but d.c.b.a and e.c.b.a don't have a direct trust with the AD DC; however, c.b.a forwards anything on 'd' and 'e' over to the sub clusters.
You are using confusing terminology. We don't have 'clusters', and I suspect you are speaking about an IPA realm in each case, so c.b.a, d.c.b.a, and e.c.b.a are three different IPA deployments, each with its own Kerberos realm.
> Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA clusters? I imagine it's not possible.
It cannot, indeed. It is a requirement of forest trust in Active Directory: forest trust is not transitive (if forest A trusts forest B and forest B trusts forest C, you need to establish an explicit forest trust between A and C to make it work).
It doesn't matter where DNS-wise those zones are located; this is about the trust relationship, not DNS zones.
freeipa-users@lists.fedorahosted.org
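The practical consequence of the reply above is that each IPA realm needs its own explicit trust with the AD forest, whether the realm's DNS zone sits under b.a or under c.b.a. The script below is an added example, not from the thread or the FreeIPA project: it runs the same trust setup and verification against every realm in the list. It assumes (none of this is in the original) that each realm has a server named ipa01.<realm> reachable over ssh, that the AD admin account is Administrator, and that the script prints the commands instead of running them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread). Forest trust is not transitive, so an
# AD trust is established separately from each IPA realm; a trust held by
# c.b.a gives d.c.b.a and e.c.b.a nothing.
# Assumptions (not in the original): hostnames ipa01.<realm>, AD admin
# "Administrator", and a DRY_RUN mode that only prints the commands.
set -eu

AD_FOREST="b.a"
AD_ADMIN="${AD_ADMIN:-Administrator}"
# Three independent IPA realms; DNS placement does not change the procedure.
IPA_REALMS="c.b.a d.c.b.a e.c.b.a"
DRY_RUN="${DRY_RUN:-1}"

# Print the command line in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Prerequisite on every IPA server that will hold a trust: the trust
# controller role (Samba, SID generation) must be installed first.
prepare_realm() {
  run ssh "ipa01.$1" "ipa-adtrust-install --add-sids"
}

# One ipa trust-add per realm, executed on that realm's own server.
# The default one-way trust (IPA trusting the AD forest) is enough for
# b.a\jack to log in to hosts enrolled in that realm.
establish_trust() {
  run ssh "ipa01.$1" "ipa trust-add --type=ad ${AD_FOREST} --admin ${AD_ADMIN} --password"
}

# Check from inside the realm: the trust object exists and the AD user
# resolves through SSSD. A realm without its own trust fails the id lookup.
verify_trust() {
  run ssh "ipa01.$1" "ipa trust-show ${AD_FOREST}"
  run ssh "ipa01.$1" "id jack@${AD_FOREST}"
}

setup_all() {
  for realm in $IPA_REALMS; do
    prepare_realm "$realm"
    establish_trust "$realm"
    verify_trust "$realm"
  done
}

setup_all
```

With DRY_RUN=1 (the default) the script only lists what it would do for each realm, which is a convenient way to review the plan before running it with DRY_RUN=0 against real servers. Note that the realm that does not appear in IPA_REALMS gets no trust and will not resolve b.a\jack, regardless of which zone its DNS name lives in.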