Samba4/Proposal for IPA to AD trust
From SambaWiki
Purpose
To link FreeIPA to AD in a way that minimises replication of data.
Key assumptions
IPA and AD are both seperate DNS domains, seen by each other in the same company, that administrators which to join in such a way that users and services are easily accessed on both sides of the trust, using Kerberos.
That Kerberos is the only authentication protocol in use (that fallback to NTLM has been disabled or is unwanted)
Background
See the discussion of various trust types available in AD
Designs
There are two feasable designs for the IPA to AD trust: