Bug 1314786 - [RFE] External Trust with Active Directory domain
[RFE] External Trust with Active Directory domain
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Kaleem
Marc Muehlfeld
: FutureFeature
Depends On:
Blocks: 1351237
  Show dependency treegraph
 
Reported: 2016-03-04 08:33 EST by Martin Kosek
Modified: 2016-11-04 01:51 EDT (History)
9 users (show)

See Also:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: Enhancement
Doc Text:
IdM now supports establishing an external trust to an AD domain Red Hat Enterprise Linux Identity Management (IdM) now supports establishing an external trust to an Active Directory (AD) domain in a forest. An external trust is non-transitive and can be established to any domain in an AD forest. This allows to limit a trusted relationship to a specific domain rather than trusting the whole AD forest.
Story Points: ---
Clone Of:
: 1351237 (view as bug list)
Environment:
Last Closed: 2016-11-04 01:51:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2016-03-04 08:33:59 EST
Description of problem:
An external trust is a trust relationship between Active Directory domains that are in different Active Directory forests. While forest trust always requires to establish trust between root domains of the Active Directory forests, external trust can be established to any domain within the forest.

User Story:
As an Active Directory Administrator, I want to establish trust between IdM Server and my domain only. The trust between IdM Server and an external Active Directory domain will be non-transitive as no users or groups from other Active Directory domains will have access to IPA resources.
Comment 1 Martin Kosek 2016-03-04 08:34:13 EST
Upstream design page:
http://www.freeipa.org/page/V4/External_trust_to_AD
Comment 2 Petr Vobornik 2016-03-17 10:02:56 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5743
Comment 6 Petr Vobornik 2016-06-02 08:57:35 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5904
Comment 11 Marc Muehlfeld 2016-07-08 06:30:54 EDT
This feature should be listed in the RHEL 7.3 release notes.

Petr, can you please provide some general information for the release notes? E. g.
- What is the new feature?
- How it helps the user?
- Anything else to mention in the release notes for this feature?
Comment 12 Alexander Bokovoy 2016-07-08 06:55:47 EDT
Added a note.
Comment 17 Sudhir Menon 2016-08-16 09:21:34 EDT
Able to add external trust using the below rpms.

sssd-1.14.0-18.el7.x86_64
ipa-server-trust-ad-4.4.0-7.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64

Tested using the below enviornment.
pne.qe forest root domain
chd.pne.qe child domain
test.qa tree root domain

[root@ipaserver sssd]# ipa trust-add --external=true --two-way=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Two-way trust
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: pne.qe
Active Directory domain administrator: Administrator
Active Directory domain administrator's password: 
-----------------------------------------------
Added Active Directory trust for realm "pne.qe"
-----------------------------------------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified


[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: chd.pne.qe
Active Directory domain administrator: administrator
Active Directory domain administrator's password: 
---------------------------------------------------
Added Active Directory trust for realm "chd.pne.qe"
---------------------------------------------------
  Realm name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

[root@ipaserver sssd]# ipa trust-add --external=true
Realm name: test.qa
Active Directory domain administrator: administrator  
Active Directory domain administrator's password: 
------------------------------------------------
Added Active Directory trust for realm "test.qa"
------------------------------------------------
  Realm name: test.qa
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-4204873575-1158510886-1449965812
  Trust direction: Trusting forest
  Trust type: Non-transitive external trust to a domain in another Active Directory forest
  Trust status: Established and verified

Note: bz1365546 handles the issue "External trust with root domain is transitive"
Comment 19 errata-xmlrpc 2016-11-04 01:51:34 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.