On 12/21/2012 01:19 PM, Sumit Bose wrote:
> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>
>> What permission level is needed for the AD user when creating an AD trust? Can
>> a regular domain user account do it, or is a domain admin needed?
>
> The account used here must be a member of the Domain Admins group.
>
>> If write access to the AD server is needed, then could someone please tell me
>> what the command will actually change in the AD server?
>
> 'ipa trust-add' will only use LSA calls on the AD server. The most
> important one is CreateTrustedDomainEx2
> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> trust between the two domains. Additionally QueryTrustedDomainInfoByName
> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> trust is already added and SetInformationTrustedDomain
> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> server that the IPA server can handle AES encryption are used.

Should we add this information to AD trusts documentation?

>> The windows team at my place of work will want to know exactly what the tool
>> will do before they grant permission.

Petr^2 Spacek

Freeipa-users mailing list