All understood :) Thank you (and all others who responded) for the explanations.
Genadi.

2014-10-10 6:26 GMT+02:00 Alexander Bokovoy <[email protected]>:

> On Fri, 10 Oct 2014, Genadi Postrilko wrote:
>
>> Thank you for providing the reference.
>> I understood that when creating a forest trust between two AD forests,
>> the trust is transitive to all domains in both forests (by default).
>> And it has to be established between the two forest root domains.
>>
>> External trust (between AD forests or domains) is non-transitive.
>> Trust can be established between (child) domains in different forests,
>> without the need to create trust between child domains and the forest
>> root domain of the opposite forest.
>>
>> But I'm not sure about Realm Trust.
>> Is Realm Trust considered a kind of forest trust? And is that why the trust
>> has to be established between the forest root domains (and not like an
>> external trust)?
>>
> FreeIPA only provides the first type of the trust -- a forest trust to
> AD where AD thinks it trusts an AD forest. All other types of forest are
> irrelevant in this context and have no implementation or support in
> FreeIPA.
>
>> Assuming I follow the IPA Trust setup guide:
>> The trust created between red.com (AD forest root domain) and
>> linux.blue.com (IPA domain) is configured to be transitive? Users from
>> the blue.com domain will be able to log in to the IPA domain? And so are
>> users from other child and root domains in the forest?
>>
> Yes, and yes.
>
> You have ipa trustdomain-find|del|disable|enable
>
> commands to manage what domains from the trust can have access to IPA
> resources. The forest root domain is always allowed; you cannot disable it,
> only delete the whole trust.
>
>> 2014-10-08 19:06 GMT+02:00 Alexander Bokovoy <[email protected]>:
>>
>>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>>
>>>> 2014-10-08 17:48 GMT+02:00 Alexander Bokovoy <[email protected]>:
>>>>
>>>>> On Wed, 08 Oct 2014, Genadi Postrilko wrote:
>>>>>
>>>>>> The forest root domain in my case is RED.COM.
>>>>>>
>>>>> You need to establish trust to red.com then. Any domain which is a
>>>>> member of the forest red.com will be visible through trust.
>>>>>
>>>>> Forest trust can only be established between forest root domains,
>>>>> that's how it is designed by Microsoft.
>>>>>
>>>> It doesn't matter how complex the forest is? Even if the forest
>>>> contains a number of domain trees, the trust has to be
>>>> established with the forest root domain?
>>>>
>>> Yes, see "Forest trusts" section of
>>> http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
>>>
>>>> I have attached the log files.
>>>>
>>> These logs show you are attempting to establish trust to blue.com
>>> which is not a forest root domain, thus nothing works.
>>>
>>>> I assumed that DNS forwarding has to be created between IPA
>>>> (linux.blue.com) and the AD (blue.com).
>>>> Should any DNS configuration change?
>>>>
>>> It should be between all AD domains which would use IPA services,
>>> namely the forest root domain (red.com) and all other domains whose
>>> users will be accessing the trust (blue.com in your case).
>>>
>>> Usually this is solved globally, of course.
>>> --
>>> / Alexander Bokovoy
>>>
> --
> / Alexander Bokovoy
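Added example, not from the thread and not FreeIPA project code: a small audit script that lists which domains of the forest trust are enabled for IPA access (via the `ipa trustdomain-find` command Alexander mentions) and checks that the resolver on the IPA server can find an AD LDAP SRV record for each one, i.e. that the per-domain DNS forwarding he describes is in place. It assumes the `ipa` and `dig` binaries are present on an IPA server; the trustdomain-find output embedded below is a constructed sample so the parsing can be exercised offline.

```shell
#!/bin/sh
# Constructed sample of `ipa trustdomain-find red.com` output (field names
# approximate the real CLI); audit_trust uses the live command instead.
SAMPLE_TRUSTDOMAINS='  Domain name: red.com
  Domain NetBIOS name: RED
  Domain enabled: True

  Domain name: blue.com
  Domain NetBIOS name: BLUE
  Domain enabled: False'

# list_trust_domains OUTPUT: print "<domain> <True|False>" per domain.
list_trust_domains() {
    printf '%s\n' "$1" | awk '
        /Domain name:/    { name = $3 }
        /Domain enabled:/ { print name, $3 }'
}

# enabled_domains OUTPUT: only domains whose users may log in to IPA.
enabled_domains() {
    list_trust_domains "$1" | awk '$2 == "True" { print $1 }'
}

# check_srv DOMAIN: 0 if the AD domain-controller LDAP SRV record resolves
# through this host's resolver (forwarding works), 1 otherwise.
check_srv() {
    dig +short SRV "_ldap._tcp.$1" | grep -q .
}

# audit_trust FOREST_ROOT: enumerate the trust's domains on a live IPA
# server and flag every enabled domain that lacks DNS forwarding.
audit_trust() {
    out=$(ipa trustdomain-find "$1") || return 1
    for d in $(enabled_domains "$out"); do
        if check_srv "$d"; then
            echo "ok      $d"
        else
            echo "NO-DNS  $d  (add a DNS forward zone for $d on the IPA server)"
        fi
    done
}
```

Run `audit_trust red.com` on the IPA server; a NO-DNS line for a child domain such as blue.com is exactly the missing forwarding that breaks logins from that domain.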
