On Wed, 2016-03-02 at 01:20 +1100, PARTH MONGA wrote:
> Hi Jakub,
>
> Thanks for the prompt reply.
> I understood that cross forest transitive trust is not possible with sssd
> right now.
> But can we make this realistic by introducing freeipa with sssd?
> I've checked their documentation seems like they only support domains in a
> forest not and to another forest.
> Is this even possible without creating a trust with the second domain
> directly using freeipa?

The Windows cross-forest trust model does not allow transitive trusts
across forests.
This is not a limitation of FreeIPA, it's by Microsoft's design (based
on various security reasons).

Simo.

> Regards,
> Parth
>
>
> On Tue, Mar 1, 2016 at 6:21 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On Tue, Mar 01, 2016 at 12:10:30AM -0000, kpr...@gmail.com wrote:
> > > Hi List,
> > >
> > > I am using sssd-1.13 to authenticate my linux clients against Active Directory.
> > > Got this working too.
> > >
> > > Now we have an incoming one way trust from another domain.
> > > So here is the scenario:
> > >
> > >
> > > AD1: dom1.com - One-way incoming trust from AD2.
> > > AD2: dom2.com - One-way outgoing trust to AD1.
> > > LinuxClient1: member of AD1/dom1.com
> > > Can lookup User1(Created in AD1/DOM1): Linux1>$id AD1\User1 - OK
> > > Can't lookup User2(Created in AD2/DOM2) Linux1>$id AD2\User2 - Not OK.
> > > SSSD is configured with AD1 domain.
> > >
> > > Is this kind of configuration possible with SSSD and sssd-ad provider because I am able to achieve the above using likewise but not sssd.
> > > Please show some light on this.
> >
> > Not supported at the moment short of joining the client to the two
> > forests and defining two [domain] sections.
> >
> > It's planned but we're not there yet:
> > https://fedorahosted.org/sssd/ticket/2078
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users@lists.fedorahosted.org
> > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

--
Simo Sorce * Red Hat, Inc * New York
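
The workaround mentioned in the quoted reply (joining the client to both forests and defining two [domain] sections) could look like the sssd.conf below. This is an added example, not part of the original thread; it assumes the host already has a machine account in each forest, and the second keytab path is a made-up name.

```ini
# /etc/sssd/sssd.conf (mode 0600, owner root)
[sssd]
services = nss, pam
# Both domains are listed; each is served by its own AD provider instance.
domains = dom1.com, dom2.com

[domain/dom1.com]
id_provider = ad
access_provider = ad
ad_domain = dom1.com
krb5_realm = DOM1.COM
# Machine credentials from the join to the first forest.
krb5_keytab = /etc/krb5.keytab
ldap_krb5_keytab = /etc/krb5.keytab
# Require user@domain names so identically named accounts in the
# two forests cannot be confused with each other.
use_fully_qualified_names = True

[domain/dom2.com]
id_provider = ad
access_provider = ad
ad_domain = dom2.com
krb5_realm = DOM2.COM
# Separate keytab (assumed path) holding the machine credentials from
# the join to the second forest, so neither join overwrites the other.
krb5_keytab = /etc/krb5.dom2.keytab
ldap_krb5_keytab = /etc/krb5.dom2.keytab
use_fully_qualified_names = True
```

With this layout the client authenticates to each forest directly with its own machine account, so lookups do not depend on the one-way trust between dom1.com and dom2.com.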