On Fri, 11 Jan 2013, Petr Spacek wrote:
On 11.1.2013 10:19, Alexander Bokovoy wrote:
On Fri, 11 Jan 2013, David Juran wrote:
On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
On 01/03/2013 12:28 PM, Petr Spacek wrote:
On 12/21/2012 01:19 PM, Sumit Bose wrote:
On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
Hi

What permission level is needed for the AD user when creating an AD
trust?  Can a regular domain user account do it, or is a domain
admin needed?

The account used here must be a member of the Domain Admins group.


If write access to the AD server is needed, then could someone
please tell me what the command will actually change in the AD server?


'ipa trust-add' will only use LSA calls on the AD server. The most
important one is CreateTrustedDomainEx2
(http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
trust between the two domains. Additionally QueryTrustedDomainInfoByName
(http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
trust is already added and SetInformationTrustedDomain
(http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
server that the IPA server can handle AES encryption are used.

Should we add this information to AD trusts documentation?

The Windows team at my place of work will want to know exactly what
the tool will do before they grant permission.

I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

That link only gets me to an empty wiki page...
It is moved to HOWTOs:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

Should we create a redirection? At least for users digging in archives?
Yes, please do that.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
