On 08/17/2012 11:04 AM, Alexander Bokovoy wrote:

The credentials of the admin user will be used to obtain a Kerberos ticket
before configuring cross-realm trust support and afterwards, to
ensure that the ticket contains the MS-PAC information required to actually
add a trust with an Active Directory domain via 'ipa trust-add --type=ad'.

We discussed a few other approaches with Simo and decided to go for this
one as the simplest. By default, Kerberos tickets issued in an IPA install
are not renewable, so it is not possible to use 'kinit -R' to renew an
existing ticket. Another approach was to modify our KDB driver to attach
the MS-PAC to selected service tickets rather than to the TGT, but this means we
lose the advantage of 'caching' MS-PAC creation (which may be costly
due to LDAP lookups for gathering group membership) as part of the TGT.

In the end, adding two options to ipa-adtrust-install, which is run only
once, is simpler.

-A (--admin-name, defaults to 'admin') allows specifying the admin user
-a (--admin-password) allows specifying the admin user's password

If the admin password is not specified, the existing default ccache credentials
are used and a warning message about the need to re-kinit is shown at the end.

An unattended install is treated as if the admin password was not specified.


Looks good, ACK. Just put in spaces after the commas before you push:
+    admin_password = read_password(admin_name,confirm=False,validate=None)
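Review bot: besides the missing spaces after the commas, make sure this read_password call is only reached on the interactive path; the cover text says an unattended install is treated as if no admin password was given, so an unguarded prompt here would block unattended runs. Passing confirm=False and validate=None is right for this call, since it reads an existing admin password rather than setting a new one.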


Freeipa-devel mailing list