1
00:00:05,000 --> 00:00:23,000
First make sure you are allowed to create a trust. The admin user is the right choice in the default installation.

2
00:00:24,000 --> 00:00:35,000
Then start your web browser and go to the IPA Web UI.

3
00:00:36,000 --> 00:00:45,000
Select the IPA Server tab and choose the Trust section.

4
00:00:46,000 --> 00:00:55,000
In the Add dialog you have to specify the name of the AD forest you want to trust.

5
00:00:56,000 --> 00:01:14,000
To create the AD side of the trust, credentials with sufficient privileges are needed.

6
00:01:15,000 --> 00:01:40,000
Now IPA performs the needed steps to establish and verify the trust.

7
00:01:41,000 --> 00:01:59,000
You can check the properties of the trusted forest. Blacklists are used to filter unwanted Security Identifiers.

8
00:02:00,000 --> 00:02:08,000
The other domains of the trusted forest can be found in the Trusted Domains tab.

9
00:02:09,000 --> 00:02:23,000
To demonstrate the trust we switch to a Windows client from the trusted forest.

10
00:02:24,000 --> 00:02:43,000
PuTTY is called with an IPA host as target, but with the user name of the AD user and GSSAPI authentication enabled.

11
00:02:44,000 --> 00:03:01,000
Without a password prompt the user is authenticated and logged in.

12
00:03:02,000 --> 00:03:15,000
Now Kerberos tickets for the IPA host can be found on the AD side.

13
00:03:16,000 --> 00:03:25,000
To enable access control we switch to the Policy tab of the IPA Web UI.

14
00:03:26,000 --> 00:03:50,000
The allow_all HBAC rule is disabled and a more restrictive rule is enabled.

15
00:03:51,000 --> 00:04:15,000
This rule only allows members of the ssh_users group to connect with ssh to any host in the IPA domain.

16
00:04:17,000 --> 00:04:41,000
If we try to log in again from the Windows client we fail.

17
00:04:42,000 --> 00:04:53,000
No other authentication is offered because GSSAPI authentication was successful but access was denied by the HBAC rule.