On 01/03/2013 12:28 PM, Petr Spacek wrote:
On 12/21/2012 01:19 PM, Sumit Bose wrote:
On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
Hi

What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed?

The account used here must be a member of the Domain Admins group.


If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server?


'ipa trust-add' will only use LSA calls on the AD server. The most
important one is CreateTrustedDomainEx2
(http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
trust between the two domains. Additionally QueryTrustedDomainInfoByName
(http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
trust is already added and SetInformationTrustedDomain
(http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
server that the IPA server can handle AES encryption are used.

Should we add this information to AD trusts documentation?

The windows team at my place of work will want to know exactly what the tool will do before they grant permission.

I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
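As an added example (not code from FreeIPA or from anyone in this thread), the script below decodes the LDAP attributes of the trustedDomain object (TDO) that CreateTrustedDomainEx2 creates under CN=System and that SetInformationTrustedDomain updates, so the Windows team can review what the trust-add actually left behind. The attribute names and bit values follow MS-ADTS; the two sample TDOs are constructed, not read from a domain controller.

```python
# Decode an AD trustedDomain object (TDO) and list review findings.
# Added example, not FreeIPA/Samba code. Bit values follow MS-ADTS;
# the sample objects at the bottom are constructed.

TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel", 2: "uplevel", 3: "mit", 4: "dce"}
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE", 0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",      # SID filtering enforced on this trust
    0x08: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST", 0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}
# msDS-SupportedEncryptionTypes, the attribute SetInformationTrustedDomain sets
ENC_TYPES = {
    0x01: "DES_CBC_CRC", 0x02: "DES_CBC_MD5", 0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_BITS = 0x08 | 0x10
DES_BITS = 0x01 | 0x02

def decode_flags(value, table):
    """Expand a bitmask into the names of the bits that are set, low bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def audit_tdo(tdo):
    """Summarise a TDO (dict of LDAP attribute -> value) and collect findings."""
    attrs = int(tdo.get("trustAttributes", 0))
    enc = int(tdo.get("msDS-SupportedEncryptionTypes", 0))
    summary = {
        "partner": tdo.get("trustPartner"),
        "direction": TRUST_DIRECTION.get(int(tdo.get("trustDirection", 0)), "unknown"),
        "type": TRUST_TYPE.get(int(tdo.get("trustType", 0)), "unknown"),
        "attributes": decode_flags(attrs, TRUST_ATTRIBUTES),
        "enctypes": decode_flags(enc, ENC_TYPES),
        "findings": [],
    }
    if not enc & AES_BITS:
        summary["findings"].append("no AES enctype advertised on the TDO")
    if enc & DES_BITS:
        summary["findings"].append("DES enctypes still enabled on the TDO")
    # External (non-forest) trusts should carry the quarantine flag.
    if not attrs & 0x08 and not attrs & 0x04:
        summary["findings"].append("external trust without QUARANTINED_DOMAIN (SID filtering)")
    return summary

# Constructed samples: a forest trust advertising AES, and a legacy RC4-only one.
IPA_TRUST = {"trustPartner": "ipa.example.test", "trustDirection": 3, "trustType": 2,
             "trustAttributes": 0x08, "msDS-SupportedEncryptionTypes": 0x1C}
LEGACY_TRUST = {"trustPartner": "legacy.example.test", "trustDirection": 2, "trustType": 2,
                "trustAttributes": 0x04 | 0x80, "msDS-SupportedEncryptionTypes": 0x04}

if __name__ == "__main__":
    for tdo in (IPA_TRUST, LEGACY_TRUST):
        print(audit_tdo(tdo))
```

In a real review, feed it the attributes read from the TDO under CN=System of the AD domain instead of the constructed samples.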
