Hello, I have 2 AD domains on Windows 2016 with a forest trust, two-way, and "Selective authentication":
mydomain.com <--trust--> other.company.org
Now I have built an IdM instance on RHEL 7.5 and IPA version 4.5.4 on the subdomain "ipa.mydomain.com". I need to use users from the 2 domains above, so I have created a transitive, one-way trust:
ipa.mydomain.com --trust--> mydomain.com
But I cannot do the trust between ipa.mydomain.com <-- other.company.org because on the AD side there is already a trust between other.company.org and the root of IPA (mydomain.com). As the trust is transitive, in theory users from other.company.org should be allowed on the IPA subdomain because:
ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org
I can get a Kerberos TGT with: "kinit user@OTHER.COMPANY.ORG"
But I cannot do "id user@other.company.org", nor can I add it to an external group; it complains: member group: user@other.company.org: invalid 'trusted domain object': domain is not trusted
Should I change something in the sssd or Kerberos configuration to make the users trusted via my trust work? Is the "Selective authentication" configured at AD level the problem?
Thanks & Regards.
______________________________
On Wed, 30 Jan 2019, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello, I have 2 AD domains on Windows 2016 with a forest trust, two-way, and "Selective authentication":
mydomain.com <--trust--> other.company.org
Now I have built an IdM instance on RHEL 7.5 and IPA version 4.5.4 on the subdomain "ipa.mydomain.com". I need to use users from the 2 domains above, so I have created a transitive, one-way trust:
ipa.mydomain.com --trust--> mydomain.com
But I cannot do the trust between ipa.mydomain.com <-- other.company.org because on the AD side there is already a trust between other.company.org and the root of IPA (mydomain.com). As the trust is transitive, in theory users from other.company.org should be allowed on the IPA subdomain because:
ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org
This is working as designed.
I can get a Kerberos TGT with: "kinit user@OTHER.COMPANY.ORG"
But I cannot do "id user@other.company.org", nor can I add it to an external group; it complains: member group: user@other.company.org: invalid 'trusted domain object': domain is not trusted
Should I change something in the sssd or Kerberos configuration to make the users trusted via my trust work? Is the "Selective authentication" configured at AD level the problem?
You have to configure separate forest trusts to both mydomain.com and other.company.org from the IPA side. There is no way around it. Selective authentication only affects the forest trust link between the two forests.
This is a fundamental design decision in Active Directory architecture, nothing specific to FreeIPA.
See section 'Forest trusts' in the following document:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-se...
------
A forest trust can be created only between a forest root domain in one Windows Server 2003 forest and a forest root domain in another Windows Server 2003 forest. Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3.
------
Hello and thanks for your time,
My first approach was to create 2 trusts:
ipa.mydomain.com --trust--> mydomain.com (already DONE)
ipa.mydomain.com --trust--> other.company.org (not possible)
When I try to do the second one, I get the error:
# ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true
Active Directory domain administrator: ad_ADMIN
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
Checking the http error log with samba debug = 100, we have: result : NT_STATUS_OBJECT_NAME_COLLISION
On the AD side we have: "a trust relationship with the domain you specified already exist"
That is because we already have a transitive trust between other.company.org and mydomain.com, so *.mydomain.com (in our case ipa.mydomain.com) already has a trust with other.company.org on AD side.
Then, the only way I see is using the transitivity for making users from other.company.org, login on ipa.mydomain.com services. Is that possible?
That's the reason why I'm thinking that "Selective authentication" could be the problem.
Regards.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
On Thu, 31 Jan 2019, SOLER SANGUESA Miguel wrote:
Hello and thanks for your time,
My first approach was to create 2 trusts:
ipa.mydomain.com --trust--> mydomain.com (already DONE)
ipa.mydomain.com --trust--> other.company.org (not possible)
When I try to do the second one, I get the error:
# ipa trust-add --type=ad other.company.org --range-type=ipa-ad-trust --all --external=true
Active Directory domain administrator: ad_ADMIN
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741771", message "The object name already exists." (both may be "None")
Checking the http error log with samba debug = 100, we have: result : NT_STATUS_OBJECT_NAME_COLLISION
On the AD side we have: "a trust relationship with the domain you specified already exist"
That is because we already have a transitive trust between other.company.org and mydomain.com, so *.mydomain.com (in our case ipa.mydomain.com) already has a trust with other.company.org on AD side.
Correct, the issue here is not ipa.mydomain.com but that the trust between mydomain.com and other.company.org does not have an exclusion entry for ipa.mydomain.com. You should be able to add one on other.company.org side for a trust to mydomain.com.
Then, the only way I see is using the transitivity for making users from other.company.org, login on ipa.mydomain.com services. Is that possible?
It is possible, if you arrange it properly.
That's the reason why I'm thinking that "Selective authentication" could be the problem.
Nope.
Add an exclusion entry on the mydomain.com trust at other.company.org that says 'ipa.mydomain.com' is excluded from that trust.
Then add a trust between ipa.mydomain.com and other.company.org. You don't need to use the --external trust flag (better not to).
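A small Python model of the rule Alexander cites, added here as an illustration and not FreeIPA or AD code: forest trusts link exactly two forests and never chain, and a forest trust routes every name under the partner's root unless an exclusion entry removes it. The Forest class, its methods and the thread_scenario() replay are assumptions of this model, which treats the IPA realm as a forest of its own.

```python
class Forest:
    """One AD forest, or the IPA realm presenting itself as one, keyed by its root DNS name."""
    def __init__(self, root):
        self.root = root
        self.trusts = {}  # partner forest root -> set of name suffixes excluded from routing

    @staticmethod
    def _under(name, suffix):
        return name == suffix or name.endswith("." + suffix)

    def routed_via(self, name):
        """Partner root whose name-suffix routing claims `name`, honouring exclusions."""
        for root, excluded in self.trusts.items():
            if self._under(name, root) and not any(self._under(name, ex) for ex in excluded):
                return root
        return None

    def exclude(self, partner_root, suffix):
        """Exclusion entry: stop routing `suffix` through the trust to `partner_root`."""
        self.trusts[partner_root].add(suffix)

    def add_trust(self, other):
        """Direct forest trust, recorded on both sides. Refused when either side already
        routes the partner's name through another trust (the thread's name collision)."""
        for a, b in ((self, other), (other, self)):
            owner = a.routed_via(b.root)
            if owner is not None:
                raise ValueError(f"{a.root}: {b.root} already routed through trust to {owner}")
        self.trusts[other.root] = set()
        other.trusts[self.root] = set()

    def trusts_users_from(self, domain):
        """Forest trusts are not transitive: only names routed by a direct trust resolve."""
        return self.routed_via(domain) is not None


def thread_scenario():
    """Replay the thread: the failing setup, the collision, the exclusion, then the fix."""
    ad_root, other, ipa = Forest("mydomain.com"), Forest("other.company.org"), Forest("ipa.mydomain.com")
    ad_root.add_trust(other)  # existing two-way forest trust between the two AD forests
    ipa.add_trust(ad_root)    # ipa.mydomain.com --trust--> mydomain.com
    result = {"via_transitivity": ipa.trusts_users_from("other.company.org")}  # False
    try:
        ipa.add_trust(other)  # what 'ipa trust-add other.company.org' ran into
        result["collision"] = None
    except ValueError as err:
        result["collision"] = str(err)
    other.exclude("mydomain.com", "ipa.mydomain.com")  # exclusion entry on other.company.org side
    ipa.add_trust(other)      # the direct trust can now be created
    result["after_fix"] = ipa.trusts_users_from("other.company.org")  # True
    return result
```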