RHEL 7/CENT0S 7 IPA/IDM transitive trusts

Question

I have a situation I am having a hard time getting a clean answer on.

I have a IDM/IPA domain setup and I have a trust setup with my Windows domain. That part is working perfectly.

I have a one way forest transitive trust (outgoing) with a second windows domain. I want users in this second domain to be able to authenticate to my IDM/IPA domain. I was hoping that this would be possible through my transitive trust with my primary windows domain.

When I issue the command ipa trust-fetch-domains for my primary domain I get the response no new domains found. The second domain is never found.

Here is my question. Is this even possible without creating a trust with the second domain directly? The documentation states that IPA will traverse all trusts and add them. However I am starting to believe that reference is for domains in only one forest. Can anyone clear up that point for me?

Thanks

Answer 1

I assume we are talking about AD forest A and a domain B within that forest. You established cross-forest trust between IPA domain C and forest root A. Inside forest A there is a domain B which has outgoing trust to A. Is this correct?

When you run 'ipa trust-fetch-domains', IPA will enumerate domains within forest A and filter out those that are not part of the forest A. If you get back empty list (as domain A is already known), it may mean that domain B is part of another forest.

To know more it would help if you add 'log level=100' to /usr/share/ipa/smb.conf.empty and re-run 'ipa trust-fetch-domains' (you don't need to restart anything). This will generate debug output of that operation in /var/log/httpd/error_log. Look for the output of netr_DsrEnumerateDomainTrusts near the end of the log file.