On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> Hi
>
> What permission level is needed for the AD user when creating an AD trust?
> Can a regular domain user account do it, or is a domain admin needed?

The account used here must be a member of the Domain Admins group.

>
> If write access to the AD server is needed, then could someone please tell me
> what the command will actually change in the AD server?
>

'ipa trust-add' will only use LSA calls on the AD server. The most
important one is CreateTrustedDomainEx2
(http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
trust between the two domains. Additionally QueryTrustedDomainInfoByName
(http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
trust is already added and SetInformationTrustedDomain
(http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
server that the IPA server can handle AES encryption are used.

HTH

bye,
Sumit

> The windows team at my place of work will want to know exactly what the tool
> will do before they grant permission.
>
> Thanks
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
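
Added example, not part of the original message and not FreeIPA code: a trust created through these LSA calls is stored in AD as a trustedDomain object, so a reviewer can export that object as LDIF and decode its fields, including whether the AES encryption types are set. The sample record, its names and its values are constructed for illustration and are not claimed to be what 'ipa trust-add' writes.

```python
# Constructed sample: one trustedDomain object as LDIF text (not from a real domain).
SAMPLE_LDIF = """\
dn: CN=ipa.example.test,CN=System,DC=ad,DC=example,DC=test
objectClass: top
objectClass: trustedDomain
trustPartner: ipa.example.test
trustDirection: 3
trustType: 2
trustAttributes: 8
msDS-SupportedEncryptionTypes: 24
"""

DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "MIT", 4: "DCE"}
ATTRS = {0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY", 0x4: "QUARANTINED_DOMAIN",
         0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION",
         0x20: "WITHIN_FOREST", 0x40: "TREAT_AS_EXTERNAL",
         0x80: "USES_RC4_ENCRYPTION"}
ETYPES = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
          0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

def parse_ldif_record(text):
    """Collect 'attr: value' lines into a dict of lists (attributes may repeat)."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def decode_flags(value, table):
    """Name every set bit; report bits the table does not know about."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + ([f"unknown(0x{unknown:x})"] if unknown else [])

def review_trust(text):
    rec = parse_ldif_record(text)
    if "trustedDomain" not in rec.get("objectClass", []):
        raise ValueError("not a trustedDomain object")
    num = lambda attr: int(rec.get(attr, ["0"])[0])
    etypes = decode_flags(num("msDS-SupportedEncryptionTypes"), ETYPES)
    return {"partner": rec["trustPartner"][0],
            "direction": DIRECTION.get(num("trustDirection"), "unknown"),
            "type": TRUST_TYPE.get(num("trustType"), "unknown"),
            "attributes": decode_flags(num("trustAttributes"), ATTRS),
            "enctypes": etypes,
            "aes_enabled": any(e.startswith("AES") for e in etypes)}
```
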