Hello,

I have 2 AD domains on Windows 2016 with a forest trust, two-way, and “Selective authentication”:

mydomain.com <--trust--> other.company.org
Now I have built an IdM instance on RHEL 7.5 with IPA version 4.5.4 on the subdomain "ipa.mydomain.com". I need to use users from the 2 domains above, so I have created a transitive, one-way trust:

ipa.mydomain.com --trust--> mydomain.com

But I cannot create the trust ipa.mydomain.com <-- other.company.org, because on the AD side there is already a trust between other.company.org and the root domain of IPA (mydomain.com).

As the trust is transitive, in theory users from other.company.org should be allowed on the IPA subdomain because:

ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org
I can get a Kerberos TGT with: "kinit user@OTHER.COMPANY.ORG"

But I cannot run "id user@other.company.org", nor can I add the user to an external group; it complains:

member group: user@other.company.org: invalid 'trusted domain object': domain is not trusted

Should I change something in the SSSD or Kerberos configuration to make the users covered by my trust work?

Is the “Selective authentication” configured at the AD level the problem?

Thanks.

Thanks & Regards.
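An added diagnostic check, not part of the original post: a POSIX shell helper that parses the text printed by `ipa trustdomain-find mydomain.com` (a real IPA command; its output layout is assumed here, and the sample below, including the SID, is constructed) and reports whether the domain of a user such as user@OTHER.COMPANY.ORG is listed and enabled, which is the "trusted domain object" the error message above refers to.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). It parses the text that
# `ipa trustdomain-find <forest-root>` prints and reports whether a given domain
# is known to IPA as a trusted domain and enabled. The output layout is assumed
# to match the IPA CLI; the sample below is constructed, including the SID.

# Constructed sample: what the command prints when only the forest root of the
# trust is known to IPA (other.company.org does not appear at all).
SAMPLE_TRUSTDOMAIN_OUTPUT='---------------
1 domain matched
---------------
  Domain name: mydomain.com
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------'

# trustdomain_status OUTPUT DOMAIN
# Prints "enabled", "disabled" or "missing" for DOMAIN (case-insensitive).
trustdomain_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^ *Domain name:/ {
            inblock = (tolower($3) == tolower(want))
        }
        inblock && /^ *Domain enabled:/ {
            status = ($3 == "True") ? "enabled" : "disabled"
            print status; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# user_domain_status OUTPUT PRINCIPAL
# Takes a user written as user@domain (the form used with kinit and id) and
# checks the status of the domain part, i.e. the domain that the
# "domain is not trusted" error in the post complains about.
user_domain_status() {
    trustdomain_status "$1" "${2#*@}"
}

# Stand-alone run: both lookups from the original post against the sample.
for principal in user@mydomain.com user@OTHER.COMPANY.ORG; do
    printf '%s -> %s\n' "$principal" \
        "$(user_domain_status "$SAMPLE_TRUSTDOMAIN_OUTPUT" "$principal")"
done
```

On a real server, replace the sample with `ipa trustdomain-find mydomain.com` output; a "missing" result means IPA has no trusted domain object for that domain, whatever trusts exist on the AD side.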