On Thu, 06 Jul 2017, Robert Sturrock wrote:
Hi Alexander,

On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy <aboko...@redhat.com> wrote:

Can you show 'ipa trust-show staff.localdomain'? It should have a list of
additional name suffixes we derive from the AD forest trust. After
releasing 4.4.x we found out that there are some deployments where
people modify userPrincipalName directly in AD LDAP and thus these name
suffixes aren't visible through the trust topology discovery requests.

Yes, I suspect we are in that category, as the affiliate domain is not visible 
through the trust:

# ipa trust-show staff.localdomain
 Realm name: staff.localdomain
 Domain NetBIOS name: STAFF
 Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
 Trust direction: Trusting forest
 Trust type: Active Directory domain

In 4.5.x I added a way to expand that information manually with 'ipa
trust-mod'. You can do that yourself with an LDAP modify of the trust
object for the ipantadditionalsuffixes attribute.

I see.  So we can modify that attribute directly in 4.4.x as a way forward with
our current installation?

Yes. Let me know how it goes. You'd probably want to restart krb5kdc
after the change.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
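
The manual change discussed in this thread, sketched as an added example that is not part of the original messages or of FreeIPA itself. The base DN and the suffix value are placeholders, and the trust entry is assumed to live at cn=<realm>,cn=ad,cn=trusts,<base DN>; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the LDIF that adds UPN suffixes to a FreeIPA trust
# object. Assumptions (not from the thread): the base DN and suffix values
# are placeholders; the entry DN is cn=<realm>,cn=ad,cn=trusts,<base DN>.

# Print an LDIF modify/add record for ipantadditionalsuffixes.
# usage: build_suffix_ldif BASE_DN TRUST_REALM SUFFIX [SUFFIX ...]
build_suffix_ldif() {
    [ "$#" -ge 3 ] || {
        echo "usage: build_suffix_ldif BASE_DN REALM SUFFIX..." >&2
        return 2
    }
    base_dn=$1; realm=$2; shift 2
    for s in "$realm" "$@"; do
        # Accept only plain DNS-style names, so a stray newline, comma or
        # colon cannot alter the DN or inject extra LDIF lines.
        case $s in
            ''|*[!A-Za-z0-9.-]*) echo "invalid name: $s" >&2; return 1 ;;
        esac
    done
    printf 'dn: cn=%s,cn=ad,cn=trusts,%s\n' "$realm" "$base_dn"
    printf 'changetype: modify\n'
    printf 'add: ipantadditionalsuffixes\n'
    for s in "$@"; do
        printf 'ipantadditionalsuffixes: %s\n' "$s"
    done
}

# Apply the change, then restart the KDC as suggested in the thread.
# Needs a Kerberos ticket for an account allowed to modify the trust entry.
apply_suffixes() {
    ldif=$(build_suffix_ldif "$@") || return
    printf '%s\n' "$ldif" | ldapmodify -Y GSSAPI || return
    systemctl restart krb5kdc
}

# Preview only (placeholder values), without touching the directory:
# build_suffix_ldif 'dc=ipa,dc=example' staff.localdomain affiliate.example
```

Review the generated LDIF before calling apply_suffixes, and rerun 'ipa trust-show' afterwards to check the trust entry.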
