Hello,

On Wed, 26 Mar 2025, Jostein Fossheim via FreeIPA-users wrote:
Hello all,

We are playing with trust-setups in our lab-environment. I was hoping
to create a setup with a "single computer active directory domain"
acting as a domain controller and file-server (SMB and NFS), with a
one-way trust relationship to our main ipa-realm. That is this (mini)
AD-Realm trusts IPA and not the other way around.

I am not sure it will work though, so far windows will not resolve my
IPA users, even though the trust-setup seems to validate (but neither
is ipa, so there is something wrong with the current config). If we
define a two-way trust relationship we are not able to do this:

Resolving IPA users on Windows machines is not supported and is not in
the scope of trust to Active Directory feature.

https://www.server-world.info/en/note?os=AlmaLinux_9&p=freeipa&f=8

I know that full windows-logon won’t work. But I had hopes that file
services in question would. If manual user-mapping (via ksetup or
something similar, that can make windows-logon with kerberos
credentials work) is possible that would suffice as well.

See note at this page:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_external_red_hat_utilities_with_identity_management/setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm#setting-up-samba-on-an-idm-domain-member_using-external-red-hat-utilities-with-idm

And how about samba, does anyone know, if such a setup would work
there? That is: A samba AD populated with the real users and groups,
and a Microsoft Server running its own AD trusting the samba realm,
but not the other way around? (yes I know that the server could join
the samba domain instead, but this is not the point in this
lab-exercise).

Samba AD implements most of AD DC compatibility, so it would work.

Is there any information about the work on IPA-to-IPA trust? I read
with great enjoyment last year’s progress report on this:

https://vda.li/posts/2024/05/31/ipa-ipa-trust-progress/

You can watch our talk at FOSDEM 2025:
https://fosdem.org/2025/schedule/event/fosdem-2025-5178-building-cross-domain-trust-between-freeipa-deployments/


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
