Alexander Bokovoy wrote:
Hi,

Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted
domains' accounts to establish trust as there is basically zero chance
to verify that things will work with them. In addition, in order to
establish trust one needs to belong to Enterprise Admins group in AD or
have specially delegated permissions. These permissions are unlikely
delegated to the ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864


ACK

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to