On Fri, 2013-01-11 at 10:52 +0100, Petr Spacek wrote:
> On 11.1.2013 10:19, Alexander Bokovoy wrote:
> > On Fri, 11 Jan 2013, David Juran wrote:
> >> On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> >>> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> >>> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >>> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> >>> Hi
> >>> >>>
> >>> >>> What permission level is needed for the AD user when creating an AD
> >>> >>> trust? Can a regular domain user account do it, or is a domain
> >>> >>> admin needed?
> >>> >>
> >>> >> The account used here must be a member of the Domain Admins group.
> >>> >>
> >>> >>>
> >>> >>> If write access to the AD server is needed, then could someone
> >>> >>> please tell me what the command will actually change in the AD server?
> >>> >>>
> >>> >>
> >>> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >>> >> important one is CreateTrustedDomainEx2
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >>> >> trust between the two domains. Additionally
> >>> >> QueryTrustedDomainInfoByName
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >>> >> trust is already added and SetInformationTrustedDomain
> >>> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >>> >> server that the IPA server can handle AES encryption are used.
> >>> >
> >>> > Should we add this information to AD trusts documentation?
> >>> >
> >>> >>> The windows team at my place of work will want to know exactly what
> >>> >>> the tool will do before they grant permission.
> >>> >
> >>> I have added this information to the AD trusts wiki page:
> >>> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >>
> >> That link only gets me to an empty wiki page...
> > It is moved to HOWTOs:
> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>
> Should we create a redirection? At least for users digging in archives?

I actually explicitly removed it to avoid clutter in the root :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
