Quite some time ago I added a trust to another AD domain. IIRC I added an "external trust" for a reason I do not remember.
What is the "Non-transitive external trust to a domain in another Active Directory forest" trust type for? Could I not just have added another "Active Directory domain" trust?
Any clarification on this matter would be highly appreciated!
Cheers, Ronald
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
On Wed, Jun 9, 2021 at 11:09 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Quite some time ago I added a trust to another AD domain. IIRC I added an "external trust" for a reason I do not remember.
What is the "Non-transitive external trust to a domain in another Active Directory forest" trust type for? Could I not just have added another "Active Directory domain" trust?
Any clarification on this matter would be highly appreciated!
Cheers, Ronald _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
Cheers, Ronald
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
I think you need to start with Active Directory design and documentation. In particular, group types in AD define who can be included into them and how they can be consumed: https://docs.microsoft.com/en-us/windows/security/identity-protection/access...
Type of trust between domains influences the use of groups but group scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups can be seen and used for authentication across the trust, there is no transitivity into any other trust that this AD domain may have anywhere else
In addition to that, while forest trust in itself is transitive to domains in the trusting forest, there is no transitivity across all trusting forests. If forest A trusts forest B and forest B trusts forest C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by the group scopes.
On 14.06.21 13:37, Alexander Bokovoy wrote:
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
I think you need to start with Active Directory design and documentation. In particular, group types in AD define who can be included into them and how they can be consumed: https://docs.microsoft.com/en-us/windows/security/identity-protection/access...
Type of trust between domains influences the use of groups but group scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups can be seen and used for authentication across the trust, there is no transitivity into any other trust that this AD domain may have anywhere else
In addition to that, while forest trust in itself is transitive to domains in the trusting forest, there is no transitivity across all trusting forests. If forest A trusts forest B and forest B trusts forest C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by the group scopes.
In our case IPA hast a trust to the forest root of domain A which itself has a trust to domain B. IPA has an external trust to domain B. With the AD management tool we are using I can put users of domain B into a group of domain A.
When I try to use that particular group (POSIX group that has the AD group as its member) in a HBAC scenario I do get a permission denied error.
External trust to domain B was setup years ago when we were still experimenting with IPA. So my first question is if the separate trust to domain B is needed at all? (because there is a trust from domain A to domain B on the AD side.) If yes I probably would not want domain B trust to be an external one in my scenario, would I?
Cheers, Ronald
On ma, 14 kesä 2021, Ronald Wimmer wrote:
On 14.06.21 13:37, Alexander Bokovoy wrote:
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
I think you need to start with Active Directory design and documentation. In particular, group types in AD define who can be included into them and how they can be consumed: https://docs.microsoft.com/en-us/windows/security/identity-protection/access...
Type of trust between domains influences the use of groups but group scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups can be seen and used for authentication across the trust, there is no transitivity into any other trust that this AD domain may have anywhere else
In addition to that, while forest trust in itself is transitive to domains in the trusting forest, there is no transitivity across all trusting forests. If forest A trusts forest B and forest B trusts forest C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by the group scopes.
In our case IPA hast a trust to the forest root of domain A which itself has a trust to domain B. IPA has an external trust to domain B. With the AD management tool we are using I can put users of domain B into a group of domain A.
What matters is where domain B is located. Is it part of the same forest as domain A? Is it outside of forest A?
When I try to use that particular group (POSIX group that has the AD group as its member) in a HBAC scenario I do get a permission denied error.
It can be anything. This information does not give any chance to understand why there is a problem.
External trust to domain B was setup years ago when we were still experimenting with IPA. So my first question is if the separate trust to domain B is needed at all? (because there is a trust from domain A to domain B on the AD side.) If yes I probably would not want domain B trust to be an external one in my scenario, would I?
You need to decide what you want. ;) If A and B are in the same forest, then you don't need an external trust to B from IPA side.
On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:
On ma, 14 kesä 2021, Ronald Wimmer wrote:
On 14.06.21 13:37, Alexander Bokovoy wrote:
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
I think you need to start with Active Directory design and documentation. In particular, group types in AD define who can be included into them and how they can be consumed: https://docs.microsoft.com/en-us/windows/security/identity-protection/access...
Type of trust between domains influences the use of groups but group scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups can be seen and used for authentication across the trust, there is no transitivity into any other trust that this AD domain may have anywhere else
In addition to that, while forest trust in itself is transitive to domains in the trusting forest, there is no transitivity across all trusting forests. If forest A trusts forest B and forest B trusts forest C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by the group scopes.
In our case IPA hast a trust to the forest root of domain A which itself has a trust to domain B. IPA has an external trust to domain B. With the AD management tool we are using I can put users of domain B into a group of domain A.
What matters is where domain B is located. Is it part of the same forest as domain A? Is it outside of forest A?
It is outside of forest A but forest A has a trust to it.
When I try to use that particular group (POSIX group that has the AD group as its member) in a HBAC scenario I do get a permission denied error.
It can be anything. This information does not give any chance to understand why there is a problem.
At the moment I do have users of domain B in a group of domain A. I cannot use that particular group in IPA. I think this could be because I setup the IPA trust to domain B as external.
External trust to domain B was setup years ago when we were still experimenting with IPA. So my first question is if the separate trust to domain B is needed at all? (because there is a trust from domain A to domain B on the AD side.) If yes I probably would not want domain B trust to be an external one in my scenario, would I?
You need to decide what you want. ;) If A and B are in the same forest, then you don't need an external trust to B from IPA side.
If I want to use users of domain B in a domain A group I will probably have to set up a 'normal' trust to domain B and not an 'external' one. Do you agree?
Cheers, Ronald
On ti, 15 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 15.06.21 07:39, Alexander Bokovoy via FreeIPA-users wrote:
On ma, 14 kesä 2021, Ronald Wimmer wrote:
On 14.06.21 13:37, Alexander Bokovoy wrote:
On ma, 14 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 12.06.21 13:08, Florence Renaud via FreeIPA-users wrote:
Hi,
please refer to External Trusts to Active Directory [1] from WIndows Integration guide, it nicely explains the difference between external trust and forest trust. flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/active-directory-trust#ext-trust-to-ad
Sorry for my unspecific initial question. I did read the documentation. As I understood it the external trust somehow isolates the view on that particular domain.
If DomA_Trust is a normal one and DomB_Trust an external one I cannot use DomB users in a DomA group for example, right? If DomB trust was not external I could do that?
I think you need to start with Active Directory design and documentation. In particular, group types in AD define who can be included into them and how they can be consumed: https://docs.microsoft.com/en-us/windows/security/identity-protection/access...
Type of trust between domains influences the use of groups but group scopes are ultimate ones here.
When applying that to a trust between IPA and AD, remember that we only have two trust types:
- forest trust: IPA domain is in a separate forest than any AD domain
- external trust: only immediately trusted AD domain users and groups can be seen and used for authentication across the trust, there is no transitivity into any other trust that this AD domain may have anywhere else
In addition to that, while forest trust in itself is transitive to domains in the trusting forest, there is no transitivity across all trusting forests. If forest A trusts forest B and forest B trusts forest C, there is no trust from forest A to any domain in forest C.
The same applies to groups from those forests as well, complicated by the group scopes.
In our case IPA hast a trust to the forest root of domain A which itself has a trust to domain B. IPA has an external trust to domain B. With the AD management tool we are using I can put users of domain B into a group of domain A.
What matters is where domain B is located. Is it part of the same forest as domain A? Is it outside of forest A?
It is outside of forest A but forest A has a trust to it.
As I already said, forest trust is not transitive to other forest trusts. So it does not count, a trust to B has to be explicitly created.
When I try to use that particular group (POSIX group that has the AD group as its member) in a HBAC scenario I do get a permission denied error.
It can be anything. This information does not give any chance to understand why there is a problem.
At the moment I do have users of domain B in a group of domain A. I cannot use that particular group in IPA. I think this could be because I setup the IPA trust to domain B as external.
Check the first link I gave. Only 'domain local' groups can include members from "Accounts, Global groups, and Universal groups from other forests and from external domains". Domain local groups, on the other hand, can only be used inside the domain they defined.
Thus, such groups cannot be used over a trust to IPA.
External trust to domain B was setup years ago when we were still experimenting with IPA. So my first question is if the separate trust to domain B is needed at all? (because there is a trust from domain A to domain B on the AD side.) If yes I probably would not want domain B trust to be an external one in my scenario, would I?
You need to decide what you want. ;) If A and B are in the same forest, then you don't need an external trust to B from IPA side.
If I want to use users of domain B in a domain A group I will probably have to set up a 'normal' trust to domain B and not an 'external' one. Do you agree?
No. It does not matter. What matters is a group type. If you have group members from outside your own forest, you can only use them in domain local groups but these groups then cannot be used in other forests or even within your own forests but in other domains. This is Active Directory's design limitation.
What you could do is to have a trust in IPA to both forest A and a domain B, then have IPA external groups that include individually users/groups from A and B, then use IPA POSIX groups to include IPA external groups. Those IPA POSIX groups then can be used to apply permissions on IPA side.
On 15.06.21 08:42, Alexander Bokovoy via FreeIPA-users wrote:
[...] Check the first link I gave. Only 'domain local' groups can include members from "Accounts, Global groups, and Universal groups from other forests and from external domains". Domain local groups, on the other hand, can only be used inside the domain they defined.
Thus, such groups cannot be used over a trust to IPA.
I was not aware that only 'domain local' groups allow members from other forests and/or domains. I know that 'domain local' groups cannot be used in IPA.
The group my colleague created is a 'domain local' group although I told them many times not to create local groups because they cannot be used in IPA...
Thanks a lot for clarification. I think I do have a better picture now.
Is it true that the main use case for creating an 'external' trust is to establish a trust to just one domain of a forest?
Cheers, Ronald
On ti, 15 kesä 2021, Ronald Wimmer via FreeIPA-users wrote:
On 15.06.21 08:42, Alexander Bokovoy via FreeIPA-users wrote:
[...] Check the first link I gave. Only 'domain local' groups can include members from "Accounts, Global groups, and Universal groups from other forests and from external domains". Domain local groups, on the other hand, can only be used inside the domain they defined.
Thus, such groups cannot be used over a trust to IPA.
I was not aware that only 'domain local' groups allow members from other forests and/or domains. I know that 'domain local' groups cannot be used in IPA.
The group my colleague created is a 'domain local' group although I told them many times not to create local groups because they cannot be used in IPA...
Thanks a lot for clarification. I think I do have a better picture now.
Is it true that the main use case for creating an 'external' trust is to establish a trust to just one domain of a forest?
On Active Directory side external trust is often used to perform a shortcut in an authentication request processing. This is often needed if you have a deep hierarchy of child domains in a forest and you only want to have a trust to a specific child domain. This allows to avoid going through parent domains' domain controllers for each Kerberos or identity resolution request.
Another reason is that people often use external trust in a situation where they have organizational barriers to set up a proper forest trust.
Both of these could apply to IPA to AD trust as well. As always, one needs to carefully plan the deployment in advance, as external trust has clear limitations.
freeipa-users@lists.fedorahosted.org