Hi Alexander,

> On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy <aboko...@redhat.com> wrote:
> Can you show 'ipa trust-show staff.localdomain'? It should have a list of
> additional name suffixes we derive from the AD forest trust. After
> releasing 4.4.x we found out that there are some deployments where
> people modify userPrincipalName directly in AD LDAP and thus these name
> suffixes aren't visible through the trust topology discovery requests.

Yes, I suspect we are in that category, as the affiliate domain is not visible 
through the trust:

# ipa trust-show staff.localdomain
  Realm name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Trust direction: Trusting forest
  Trust type: Active Directory domain

> In 4.5.x I added a way to expand that information manually with 'ipa
> trust-mod'. You can do that yourself with an LDAP modify of the trust
> object for the ipantadditionalsuffixes attribute.

I see.  So we can modify that attribute directly in 4.4.x as a way forward with
our current installation?


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org