Bug 1314786 - [RFE] External Trust with Active Directory domain
Summary: [RFE] External Trust with Active Directory domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1351237
TreeView+ depends on / blocked
 
Reported: 2016-03-04 13:33 UTC by Martin Kosek
Modified: 2016-11-04 05:51 UTC (History)
9 users (show)

Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Enhancement
Doc Text:
IdM now supports establishing an external trust to an AD domain Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established to any domain in an AD forest. This allows to limit a trusted relationship to a specific domain rather than trusting the whole AD forest.
Clone Of:
: 1351237 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:51:34 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Kosek 2016-03-04 13:33:59 UTC 
Description of problem:
An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

User Story:
As an Active Directory Administrator, I want to establish trust between IdM Server and my domain only. The trust between IdM Server and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.
Comment 1 Martin Kosek 2016-03-04 13:34:13 UTC 
Upstream design page:
http://www.freeipa.org/page/V4/External_trust_to_AD
Comment 2 Petr Vobornik 2016-03-17 14:02:56 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5743
Comment 6 Petr Vobornik 2016-06-02 12:57:35 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5904
Comment 11 Marc Muehlfeld 2016-07-08 10:30:54 UTC 
This feature should be listed in the RHEL 7.3 release notes.

Petr, can you please provide some general information for the release notes? E. g.
- What is the new feature?
- How it helps the user?
- Anything else to mention in the release notes for this feature?
Comment 12 Alexander Bokovoy 2016-07-08 10:55:47 UTC 
Added a note.
Comment 17 Sudhir Menon 2016-08-16 13:21:34 UTC 
Able to add external trust using the below rpms.

sssd-1.14.0-18.el7.x86_64
ipa-server-trust-ad-4.4.0-7.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Tested using the below enviornment.
pne.qe forest root domain
chd.pne.qe child domain
test.qa tree root domain

[root@ipaserver sssd]# ipa trust-add --external=true --two-way=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: test.qa
Active Directory domain administrator: administrator  
Active Directory domain administrator's password: 
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

Note: bz1365546 handles the issue "External trust with root domain is transitive"
Comment 19 errata-xmlrpc 2016-11-04 05:51:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.