AD Bridge Agent Active Directory Trust Support

The AD Bridge agent supports the following Active Directory trusts:

Trust Type        Transitivity    Direction   Default Cell   Named Cells
Parent and child  Transitive      Two-way     Yes            Yes
External          Nontransitive   One-way     No             Yes
External          Nontransitive   Two-way     Yes            Yes
Forest            Transitive      One-way     No             Yes
Forest            Transitive      Two-way     Yes            Yes

In all Default Cell scenarios, you must enable the Default Cell in both forests.

For more information on the types of trusts, see the Microsoft article Trust Types.

Notes on Trusts

The following is general information about working with trusts.

  • To access a trust, users or groups must be added to a cell.
  • In a two-way trust, AD Bridge searches across all trusted global catalogs. Each domain must opt in by creating the Default Cell object within that domain.
  • If two users in different domains have the same UID, only the user who is provisioned to a cell authenticates. If both are provisioned, it is a true conflict, and neither user is allowed access until the conflict is resolved.
  • In a one-way trust in which Forest A trusts Forest B, a computer in Forest A cannot get group information from Forest B, because Forest B does not trust Forest A. The computer in Forest A can obtain group information if the user logs on with a domain user's password, but not if the user logs on with Kerberos single sign-on credentials. Even then, only the primary group information is obtained, not the secondary group information.
  • To support a one-way trust without duplicating user accounts, you must use a Named Cell, not a Default Cell. If Domain A trusts Domain B (but not the reverse), and Domain B holds all the account information in cells associated with OUs, then when a user from Domain B logs on to a machine joined to Domain A, Domain B authenticates the user and authorizes access to the machine in Domain A.

In such a scenario, you should also add a domain user from the trusted domain to an administrative group in the trusting domain, so that you can manage the trusting domain with the appropriate level of read access to trusted user and group information. However, before you add that user to the trusting domain, you must first add to the trusting domain a group that includes the user. Unix and Linux computers require membership in at least one group, and Active Directory does not enumerate a user's membership in foreign groups.

  • If you join a domain with an administrative account from a different domain, you must provide the account's UPN:

    domainjoin-cli join domainA.com administrator@domainB.com
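The UID-conflict rule in the notes above is easy to get wrong when planning a cross-domain deployment, so the following added example (not AD Bridge's own code) applies it to a constructed list of user records from two hypothetical domains, domainA.com and domainB.com. The record layout, the user names and the UIDs are all assumptions made for the example; the point is the decision logic: a UID shared across domains is fine while only one of the users is provisioned to a cell, and becomes a true conflict that blocks every holder of that UID once more than one is provisioned.

```python
"""Worked check for the UID-conflict rule described in the notes above.
Added example, not AD Bridge's own code; all records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CellUser:
    """A user as seen across the trust: its domain, account name, assigned UID,
    and whether it has actually been provisioned into an AD Bridge cell."""
    domain: str
    name: str
    uid: int
    provisioned: bool


# Constructed sample data for two trusted domains (hypothetical names).
SAMPLE_USERS = [
    CellUser("domainA.com", "alice", 10001, True),
    CellUser("domainB.com", "bob", 10001, False),   # same UID, but bob is not in a cell
    CellUser("domainA.com", "carol", 10002, True),
    CellUser("domainB.com", "dave", 10002, True),   # same UID, both provisioned
    CellUser("domainB.com", "erin", 10003, True),
]


def upn(user):
    """Render a user as a UPN, the form the page uses for cross-domain accounts."""
    return f"{user.name}@{user.domain}"


def resolve_uid_conflicts(users):
    """Apply the rule from the notes above to a list of CellUser records.

    For each UID seen across the domains:
      - exactly one provisioned user: that user authenticates, the rest are ignored
      - more than one provisioned user: a true conflict; nobody with that UID
        is allowed access until it is resolved
    Returns (allowed, conflicts): allowed maps UID -> UPN of the user that can
    log on; conflicts maps UID -> sorted UPNs of the colliding provisioned users.
    """
    by_uid = defaultdict(list)
    for user in users:
        by_uid[user.uid].append(user)

    allowed = {}
    conflicts = {}
    for uid, group in sorted(by_uid.items()):
        provisioned = [u for u in group if u.provisioned]
        if len(provisioned) == 1:
            allowed[uid] = upn(provisioned[0])
        elif len(provisioned) > 1:
            conflicts[uid] = sorted(upn(u) for u in provisioned)
        # zero provisioned users: nobody owns the UID yet; nothing to report
    return allowed, conflicts


def conflict_report(users):
    """Human-readable lines a deployment planner can review before go-live."""
    allowed, conflicts = resolve_uid_conflicts(users)
    lines = [f"UID {uid}: {who} authenticates" for uid, who in allowed.items()]
    lines += [f"UID {uid}: CONFLICT between {', '.join(who)} (resolve before access)"
              for uid, who in conflicts.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(conflict_report(SAMPLE_USERS)))
```

Run against an export of the users you intend to provision in each domain's cells, the report shows which UID collisions will merely be ignored and which will lock both users out, so they can be renumbered before the second user is added to a cell.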

Trusts and Cells in AD Bridge

In AD Bridge, a cell contains Unix settings, such as a UID and a GID, for an Active Directory user. When an AD user logs in to an AD Bridge client, AD Bridge searches Active Directory for the user's cell information and must find it to operate properly. Thus, your AD topology and your trust relationships may dictate where to locate a cell in Active Directory so that your AD Bridge clients can access their Unix settings.

With a Default Cell, AD Bridge searches for user or group attributes in the forest's global catalog. In a multi-domain topology, a Default Cell must exist in the domain where user and group objects reside in addition to the Default Cell that exists in the domain to which Linux or Unix computers are joined.

In a multi-domain topology, be sure to create a Default Cell in each domain.

Ideally, Unix information is stored on the User and Group objects themselves, in Default Cell Directory Integrated mode. If the client computer does not have the access rights to read and write that information on the user object, as in an external one-way trust, the Unix information is instead stored in a Named Cell, that is, a cell associated with an organizational unit.

For information about cells, see Plan Your AD Bridge Deployment.