Hi all,

Refering to this bit of older post,

What now the difference between a One-way or Two-Way Trust anyway....? The docs are not too clear abut it:

" Two-way trust enables AD users and groups to access resources in IdM. However, the two-way trust in IdM does not give the users any additional rights compared to the one-way trust solution in AD. Both solutions are considered equally secure because of default cross-forest trust SID filtering settings"

What a use-case for using a Two-Way Trust? (since Windows cannot use IPA as a AD replacement)

-----Oorspronkelijk bericht-----
Van: Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Antwoord-naar: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Aan: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Michal Sladek <michal@sladkovi.eu>, Alexander Bokovoy <abokovoy@redhat.com>
Onderwerp: [Freeipa-users] Re: Is IPA-AD two-way trust really two-way?
Datum: Thu, 23 Aug 2018 12:08:17 +0300

On to, 23 elo 2018, Michal Sladek via FreeIPA-users wrote:

I would like to use IPA server in heterogeneous environment with Linux servers and Windows workstations.
IPA domain would be used as a primary source of users and groups.
AD domain would be used for management of Widows hosts only (group policies etc.).

I have setup a test network with two-trust between AD and IPA domain
and realized, that IPA domain sees AD users but AD domain doesn't see
IPA users. Am I missing something or the two-way trust is not two-way
in fact?
It is two-way in principle. However, FreeIPA does not implement features
required by AD DC to resolve IPA users on Windows workstations. It is on
our long term roadmap.

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OJCXN7VI2NZAUWUHVZDKEZB7SF72NSR2/