FreeIPA supports trust relationships with Active Directory via cross-forest trust. Currently, all functionality needed to support trust relationships with Active Directory must be present on every IPA master that serves IPA clients where access to AD users is desired. However, deployments use the IPA infrastructure in different ways, and some of those uses allow the requirements on the IPA masters involved in providing trust features to be reduced.
A trust controller is a FreeIPA master which runs the following services:
A trust agent is a FreeIPA master which runs the following services:
A trust agent is a master that relies on SSSD to resolve IDs. A trust controller is used for managing the trust: adding trust agreements, enabling or disabling individual domains of a trusted forest for access to FreeIPA resources, and so on. The trust controller is also what Active Directory's domain controllers contact when validating the trust, by means of LSA calls over the SMB protocol, which implies running a Samba server.
The following work needs to be done:
related to one-way trust
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1206613
Alexander's work (feel free to distribute further).
The one-way trust patch set was pushed; it also fixes this ticket.
master:
- 2dd5b46 trust: support retrieving POSIX IDs with one-way trust during trust-add
- 5025204 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
- a9570e8 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
- d5aa1ee trusts: add support for one-way trust and switch to it by default
- 14992a0 ipa-adtrust-install: allow configuring of trust agents
- aa21600 ipa-sidgen: reduce log level to normal if domain SID is not available
- 47e1de7 trusts: pass AD DC hostname if specified explicitly
- 03c2d76 ipa-adtrust-install: add IPA master host principal to adtrust agents
- 785f659 add one-way trust support to ipasam
Metadata update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2