RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1314786 - [RFE] External Trust with Active Directory domain
Summary: [RFE] External Trust with Active Directory domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1351237
TreeView+ depends on / blocked
 
Reported: 2016-03-04 13:33 UTC by Martin Kosek
Modified: 2021-12-10 14:52 UTC (History)
9 users (show)

Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Enhancement
Doc Text:
IdM now supports establishing an external trust to an AD domain Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established to any domain in an AD forest. This allows to limit a trusted relationship to a specific domain rather than trusting the whole AD forest.
Clone Of:
: 1351237 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:51:34 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7510 0 None None None 2021-12-10 14:52:18 UTC
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Kosek 2016-03-04 13:33:59 UTC 
Description of problem:
An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

User Story:
As an Active Directory Administrator, I want to establish trust between IdM Server and my domain only. The trust between IdM Server and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.
Comment 1 Martin Kosek 2016-03-04 13:34:13 UTC 
Upstream design page:
http://www.freeipa.org/page/V4/External_trust_to_AD
Comment 2 Petr Vobornik 2016-03-17 14:02:56 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5743
Comment 6 Petr Vobornik 2016-06-02 12:57:35 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5904
Comment 7 Martin Bašti 2016-06-09 19:08:19 UTC 
master:
https://fedorahosted.org/freeipa/changeset/8ca7a4c94796afa280de7e7f5191b48ad667b219
Comment 8 Martin Bašti 2016-06-11 15:32:22 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5b0dbe7e5996ef95301c5fdd530f2e2a18757f04
https://fedorahosted.org/freeipa/changeset/d6266476fa1425dfd62cf6138b9ca7ab7b270c23
Comment 11 Marc Muehlfeld 2016-07-08 10:30:54 UTC 
This feature should be listed in the RHEL 7.3 release notes.

Petr, can you please provide some general information for the release notes? E. g.
- What is the new feature?
- How it helps the user?
- Anything else to mention in the release notes for this feature?
Comment 12 Alexander Bokovoy 2016-07-08 10:55:47 UTC 
Added a note.
Comment 17 Sudhir Menon 2016-08-16 13:21:34 UTC 
Able to add external trust using the below rpms.

sssd-1.14.0-18.el7.x86_64
ipa-server-trust-ad-4.4.0-7.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Tested using the below enviornment.
pne.qe forest root domain
chd.pne.qe child domain
test.qa tree root domain

[root@ipaserver sssd]# ipa trust-add --external=true --two-way=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: test.qa
Active Directory domain administrator: administrator  
Active Directory domain administrator's password: 
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

Note: bz1365546 handles the issue "External trust with root domain is transitive"
Comment 19 errata-xmlrpc 2016-11-04 05:51:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.