On Mon, 28 Jan 2019, TomK via FreeIPA-users wrote:
> Suppose I have the following scenario:
>
> AD DC Cluster = b.a ( user: b.a\jack )
> IPA Cluster 01 = c.b.a
> IPA Cluster 02 = d.b.a
> IPA Cluster 03 = e.b.a
>
> If I setup all 3 IPA clusters as subdomains of b.a, I know each one
> can establish a trust with the AD DC and I can authenticate as
> 'b.a\jack' through servers connected to each cluster.
>
> But if I want to do something like this (just theoretical):
>
> AD DC Cluster = b.a ( user: b.a\jack )
> IPA Cluster 01 = c.b.a
> IPA Sub Cluster 01 = d.c.b.a
> IPA Sub Cluster 02 = e.c.b.a
>
> Meaning only c.b.a has a trust with the AD DC Cluster but d.c.b.a and
> e.c.b.a don't have a direct trust with the AD DC however c.b.a
> forwards anything on 'd' and 'e' over to the sub clusters.
You are using confusing terminology. We don't have 'clusters' and I
suspect you are speaking about an IPA realm in each case, so c.b.a,
d.c.b.a, and e.c.b.a are three different IPA deployments, each with its
own Kerberos realm.
> Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA
> clusters? I imagine it's not possible.
It cannot, indeed. It is a requirement of forest trust in Active
Directory: forest trust is not transitive (if forest A trusts forest B
and forest B trusts forest C, you need to establish an explicit forest
trust between A and C to make it work).

It doesn't matter where DNS-wise those zones are located; this is about
the trust relationship, not DNS zones.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland