On Fri, Aug 17, 2012 at 06:04:51PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> The credentials of the admin user will be used to obtain a Kerberos ticket
> before configuring cross-realm trusts support and afterwards, to
> ensure that the ticket contains MS-PAC information required to actually
> add a trust with Active Directory domain via 'ipa trust-add --type=ad'
> command.
>
> We discussed a few other approaches with Simo and decided to go for this
> one as the simplest. By default Kerberos tickets issued in IPA install
> are not renewable so it is not possible to use 'kinit -R' to renew
> an existing ticket. Another approach was to modify our KDB driver to attach
> MS-PAC to selected service tickets rather than to TGT but this means we
> are losing the advantage of 'caching' MS-PAC creation (which may be costly
> due to LDAP lookups for gathering group membership) as part of TGT
> ticket.
>
> In the end, adding two options to ipa-adtrust-install which is run only
> once is simpler.
>
> -A (--admin-name, defaults to 'admin') allows specifying the admin user
> -a (--admin-password) allows specifying the admin user's password
>
> If the admin password is not specified, existing default ccache credentials
> are used and a warning message about the need to re-kinit is shown at the end.
>
> Unattended install is treated as if the admin password was not specified.
>
> http://fedorahosted.org/freeipa/ticket/2852
>
> --
> / Alexander Bokovoy

Working as described and expected, ACK.

bye,
Sumit