On Tue, 03 Mar 2015, Jan Pazdziora wrote:
On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote:
trust-related functionality would be limited to IPA admins or TDO
object in LDAP would have to be more accessible. Given that TDO
credentials can be used to compromise access to our domain, it is not
Could you clarify which domain is the "our" domain?
From SMB perspective whole IPA realm is a single domain.
advisable to give a wider access to them.
As a side-effect of reducing exposure of TDO credentials, FreeIPA lost
ability to establish and use one-way trust to Active Directory. The
"Lost ability" might be confusing -- was removed in 3.1 (?) might be
We never had it as a feature so support for that wasn't removed. Rather,
we lost ability to add that support.
purpose of this feature is to regain the one-way trust support, yet
without giving an elevated access to TDO credentials.
You might also want to either add a note or a link, explaining why
one-way trust is harder than two-way, IOW, why we lost the one-way
ability when we have the two-way one.
I think current text covers it clearly. If you have concrete
suggestions, feel free to edit the wiki, it is not locked down. :)
/ Alexander Bokovoy
Freeipa-devel mailing list