Hi all,

What purpose does this package serve?  The way I’ve done Kerberos between 
Active Directory and AD, the trust was always one way (outgoing): the MIT realm 
is authoritative and AD “shadow accounts” were mapped to ‘real’ principals via 
the alternateSecurityID attribute.  Looking at what freeipa-server-trust-ad 
installs, it appears the dependencies installed are around letting someone set up a 
bidirectional trust (or at least let the AD users be authoritative).  If one 
wants to set up his trust in the way I described, all he really needs to do in 
MIT land is create 

krbtgt/AD.REALM@MIT.REALM

in the MIT Realm.  

Is there a ‘supported’ way to do something similar with FreeIPA? Time to break 
out kadmin.local -x ipa-setup-override-restrictions? Or would that not drop the 
principal in the right place in the LDAP tree?



--
Coy Hile
coy.h...@coyhile.com


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project