Description of problem:
An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While a forest trust always requires establishing trust between the root domains of the Active Directory forests, an external trust can be established to any domain within the forest.

User Story: As an Active Directory Administrator, I want to establish trust between IdM Server and my domain only. The trust between IdM Server and an external Active Directory domain will be non-transitive, as no users or groups from other Active Directory domains will have access to IPA resources.
Upstream design page: http://www.freeipa.org/page/V4/External_trust_to_AD
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5743
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5904
master: https://fedorahosted.org/freeipa/changeset/8ca7a4c94796afa280de7e7f5191b48ad667b219
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5b0dbe7e5996ef95301c5fdd530f2e2a18757f04 https://fedorahosted.org/freeipa/changeset/d6266476fa1425dfd62cf6138b9ca7ab7b270c23
This feature should be listed in the RHEL 7.3 release notes. Petr, can you please provide some general information for the release notes? E.g.:
- What is the new feature?
- How it helps the user?
- Anything else to mention in the release notes for this feature?
Added a note.
Able to add external trust using the below rpms.
sssd-1.14.0-18.el7.x86_64
ipa-server-trust-ad-4.4.0-7.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Tested using the below environment.
pne.qe        forest root domain
chd.pne.qe    child domain
test.qa       tree root domain

[root@ipaserver sssd]# ipa trust-add --external=true --two-way=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
Trust direction: Two-way trust
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
Trust direction: Trusting forest
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
Realm name: chd.pne.qe
Domain NetBIOS name: CHD
Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
Trust direction: Trusting forest
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: test.qa
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
Realm name: test.qa
Domain NetBIOS name: TEST
Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
Trust direction: Trusting forest
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

Note: bz1365546 handles the issue "External trust with root domain is transitive"
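The verification comment above relies on reading the "Trust type" and "Trust direction" lines that `ipa trust-add` prints. The following is an added example, not FreeIPA project code or anything from the bug's authors: a small Python audit that parses that key/value output (as also printed by `ipa trust-show`) and flags any trust that is not reported as a non-transitive external trust, which is the condition bz1365546 describes. The sample output is constructed; the first two records copy the wording seen above, and the third record (realm `example.test`, its SID, and its "Trust type" wording) is hypothetical and only illustrates a trust that would be flagged.

```python
"""Audit `ipa trust-*` output for the non-transitive external-trust property.

Added example, not FreeIPA code. It parses the "Key: Value" records that
`ipa trust-add` / `ipa trust-show` print and reports any realm whose trust is
not a non-transitive external trust, so a trust created with --external=true
that came out transitive is noticed.
"""
import re

# Constructed sample output. The first two records reuse the wording from the
# verification comment; the third is a hypothetical forest trust whose realm,
# SID and "Trust type" wording are assumed here for illustration only.
SAMPLE_OUTPUT = """\
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
Trust direction: Two-way trust
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

Realm name: chd.pne.qe
Domain NetBIOS name: CHD
Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
Trust direction: Trusting forest
Trust type: Non-transitive external trust to a domain in another Active Directory forest
Trust status: Established and verified

Realm name: example.test
Domain NetBIOS name: EXAMPLE
Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified
"""

# "Key: Value"; the key is everything up to the first colon.
KEY_VALUE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_trust_records(text):
    """Split output into one dict per trust; records are blank-line separated."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = KEY_VALUE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def is_non_transitive_external(record):
    """True when the "Trust type" line carries the external-trust wording."""
    return record.get("Trust type", "").startswith("Non-transitive external trust")


def find_transitive_trusts(records):
    """Realm names of trusts that are NOT non-transitive external trusts.

    After `ipa trust-add --external=true`, any realm listed here was
    established as a transitive (forest) trust instead of an external one.
    """
    return [r["Realm name"] for r in records if not is_non_transitive_external(r)]


def summarize(records):
    """(realm, direction, transitive?) tuples for a quick report."""
    return [
        (r["Realm name"], r.get("Trust direction", "?"), not is_non_transitive_external(r))
        for r in records
    ]


if __name__ == "__main__":
    recs = parse_trust_records(SAMPLE_OUTPUT)
    for realm, direction, transitive in summarize(recs):
        print(f"{realm:<14} {direction:<16} transitive={transitive}")
    print("Transitive trusts:", find_transitive_trusts(recs))
```

On a real server the same functions can be fed the output of `ipa trust-show <realm>` for each trust returned by `ipa trust-find`; an empty result from `find_transitive_trusts` means every configured trust is scoped to a single domain as the feature intends.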
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html