On Thu, 06 Jul 2017, Robert Sturrock wrote:
> On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> Can you show 'ipa trust-show staff.localdomain'? It should have a list of
>> additional name suffixes we derive from the AD forest trust. After
>> releasing 4.4.x we found out that there are some deployments where
>> people modify userPrincipalName directly in AD LDAP and thus these name
>> suffixes aren't visible through the trust topology discovery requests.
>
> Yes, I suspect we are in that category, as the affiliate domain is not visible
> through the trust:
>
> # ipa trust-show staff.localdomain
> Realm name: staff.localdomain
> Domain NetBIOS name: STAFF
> Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
> Trust direction: Trusting forest
> Trust type: Active Directory domain
>
>> In 4.5.x I added a way to expand that information manually with 'ipa
>> trust-mod'. You can do that yourself with an LDAP modify of the trust
>> object for the ipantadditionalsuffixes attribute.
>
> I see. So we can modify that attribute directly in 4.4.x as a way forward with
> our current installation?

Yes. Let me know how it goes. You'd probably want to restart krb5kdc
after the change.

/ Alexander Bokovoy
FreeIPA-users mailing list -- email@example.com
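
The LDAP change discussed in the thread, as an added example that is not part of the original messages and not FreeIPA's own code: a shell helper that validates the suffixes and builds the LDIF for review before it is applied. The base DN `dc=ipa,dc=example`, the suffix `affiliate.example`, and the trust-object location `cn=<realm>,cn=ad,cn=trusts,<base DN>` are assumptions; confirm the DN with an `ldapsearch` on your own server first.

```shell
#!/bin/sh
# Added example: build the LDIF that adds UPN suffixes to a FreeIPA trust object.
# Assumptions (not from the thread): base DN, suffix values, and the
# trust-object location cn=<realm>,cn=ad,cn=trusts,<base DN>.

# Accept only DNS-style names. Rejecting every character outside the DNS set
# (newline and colon included) keeps a bad value from injecting extra LDIF
# lines or attributes into the change record.
valid_suffix() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;          # empty or illegal character
        .*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;   # malformed label boundaries
        *.*) return 0 ;;                          # at least two labels
        *) return 1 ;;
    esac
}

# build_suffix_ldif REALM BASE_DN SUFFIX...
# Prints the modify record on stdout; prints nothing if any input is rejected.
build_suffix_ldif() {
    realm=$1; base_dn=$2; shift 2
    valid_suffix "$realm" || { echo "rejected realm: $realm" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no suffixes given" >&2; return 1; }
    for s in "$@"; do
        valid_suffix "$s" || { echo "rejected suffix: $s" >&2; return 1; }
    done
    printf 'dn: cn=%s,cn=ad,cn=trusts,%s\n' "$realm" "$base_dn"
    printf 'changetype: modify\n'
    printf 'add: ipantadditionalsuffixes\n'
    for s in "$@"; do
        printf 'ipantadditionalsuffixes: %s\n' "$s"
    done
}

# Constructed sample values; only staff.localdomain comes from the thread.
build_suffix_ldif staff.localdomain 'dc=ipa,dc=example' affiliate.example

# After reviewing the output, save it to a file and apply it on an IPA server
# with an identity allowed to modify the trust object, then restart the KDC
# as the thread advises:
#   ldapmodify -Y GSSAPI -f upn.ldif
#   systemctl restart krb5kdc
```

Each suffix added this way widens the set of principal names treated as belonging to the trusted AD forest, so list only suffixes that forest actually owns.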