On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 14 Jun 2021, Ronald Wimmer wrote:
On 14.06.21 13:37, Alexander Bokovoy wrote:
On Mon, 14 Jun 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,

please refer to External Trusts to Active Directory [1] from the Windows Integration guide, it nicely explains the difference between external trust and forest trust.
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad


Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.

If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?

I think you need to start with Active Directory design and
documentation. In particular, group types in AD define who can be
included into them and how they can be consumed:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups


Type of trust between domains influences the use of groups but group
scopes are ultimate ones here.

When applying that to a trust between IPA and AD, remember that we only
have two trust types:

 - forest trust: IPA domain is in a separate forest than any AD domain

 - external trust: only immediately trusted AD domain users and groups
   can be seen and used for authentication across the trust, there is no
   transitivity into any other trust that this AD domain may have
   anywhere else

In addition to that, while forest trust in itself is transitive to
domains in the trusting forest, there is no transitivity across all
trusting forests. If forest A trusts forest B and forest B trusts forest
C, there is no trust from forest A to any domain in forest C.

The same applies to groups from those forests as well, complicated by
the group scopes.

In our case IPA has a trust to the forest root of domain A which itself has a trust to domain B. IPA has an external trust to domain B. With the AD management tool we are using I can put users of domain B into a group of domain A.

What matters is where domain B is located. Is it part of the same forest
as domain A? Is it outside of forest A?

It is outside of forest A but forest A has a trust to it.

When I try to use that particular group (POSIX group that has the AD group as its member) in an HBAC scenario I do get a permission denied error.

It can be anything. This information does not give any chance to
understand why there is a problem.

At the moment I do have users of domain B in a group of domain A. I cannot use that particular group in IPA. I think this could be because I set up the IPA trust to domain B as external.



External trust to domain B was set up years ago when we were still experimenting with IPA. So my first question is if the separate trust to domain B is needed at all? (because there is a trust from domain A to domain B on the AD side.) If yes I probably would not want domain B trust to be an external one in my scenario, would I?

You need to decide what you want. ;) If A and B are in the same forest,
then you don't need an external trust to B from IPA side.

If I want to use users of domain B in a domain A group I will probably have to set up a 'normal' trust to domain B and not an 'external' one. Do you agree?

Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
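The thread turns on two questions a practitioner would want to settle on the IPA side before touching the trusts: what kind of trust IPA actually holds to domain B, and whether the user's AD group memberships are resolved on the host where the HBAC rule denies access. The following diagnostic script is an added example, not code from the thread or from the FreeIPA project. It assumes an enrolled IPA host with the `ipa` CLI and a valid admin Kerberos ticket; every domain, group, user, host and service name is a constructed placeholder (override them via the environment), and the "Non-transitive external trust" wording it looks for in `ipa trust-show` output is an assumption about how IPA labels external trusts.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from the FreeIPA project.
# Assumes an enrolled IPA host with the `ipa` CLI and a valid admin Kerberos ticket.
# Every name below is a constructed placeholder; override it via the environment.

AD_DOMAIN="${AD_DOMAIN:-domb.example.test}"          # AD domain whose trust type is in doubt
POSIX_GROUP="${POSIX_GROUP:-domb_users_posix}"        # IPA POSIX group referenced by the HBAC rule
EXT_GROUP="${EXT_GROUP:-domb_users_external}"         # IPA external group holding the AD group SID
TEST_USER="${TEST_USER:-jdoe@domb.example.test}"      # AD user that receives "permission denied"
TEST_HOST="${TEST_HOST:-client1.ipa.example.test}"
TEST_SERVICE="${TEST_SERVICE:-sshd}"

# Constructed excerpts of `ipa trust-show` output, used only for the self-check below.
# The external-trust wording is an assumption about how IPA labels such trusts.
SAMPLE_FOREST='  Realm name: doma.example.test
  Trust type: Active Directory domain
  Trust direction: Trusting forest'
SAMPLE_EXTERNAL='  Realm name: domb.example.test
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust direction: Trusting forest'

# classify_trust TEXT -> prints "external", "forest" or "unknown".
# An external (non-transitive) trust exposes only the directly trusted domain,
# which is exactly the limitation discussed in the thread.
classify_trust() {
    if printf '%s\n' "$1" | grep -qi 'non-transitive external trust'; then
        echo external
    elif printf '%s\n' "$1" | grep -qi 'Trust type:.*Active Directory domain'; then
        echo forest
    else
        echo unknown
    fi
}

# Step 1: which kind of trust does IPA actually have to the domain?
check_trust() {
    out=$(ipa trust-show "$AD_DOMAIN") || return 1
    printf '%s\n' "$out"
    echo "trust classification: $(classify_trust "$out")"
}

# Step 2: is the AD group really wired in (external group -> POSIX group)?
check_groups() {
    ipa group-show "$EXT_GROUP"     # "External member:" lists the AD group SID(s)
    ipa group-show "$POSIX_GROUP"   # "Member groups:" must contain $EXT_GROUP
}

# Step 3: does SSSD resolve the user and its group memberships on this host?
check_resolve() {
    id "$TEST_USER"
    getent group "$POSIX_GROUP"
}

# Step 4: simulate the HBAC decision without attempting a real login.
check_hbac() {
    ipa hbactest --user="$TEST_USER" --host="$TEST_HOST" --service="$TEST_SERVICE"
}

# Run the live checks only when asked to and when the CLI is present;
# sourcing or running the file without "run" just defines the functions.
if [ "${1:-}" = "run" ] && command -v ipa >/dev/null 2>&1; then
    check_trust && check_groups && check_resolve && check_hbac
fi
```

Invoke it as `sh ipa-trust-diag.sh run` on the IPA host. If step 1 reports `external` for domain B while the group used in the rule is a domain A group containing domain B users, the trust type rather than the HBAC rule is the first thing to revisit; if step 3 fails to list the POSIX group for the user, the membership chain (AD group, external group, POSIX group) is broken before HBAC is even evaluated.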