On Thu, 23 Aug 2012, Petr Viktorin wrote:
On 08/17/2012 11:04 AM, Alexander Bokovoy wrote:
Hi,

The credentials of the admin user will be used to obtain a Kerberos ticket
before configuring cross-realm trust support and afterwards, to
ensure that the ticket contains the MS-PAC information required to actually
add a trust with an Active Directory domain via the 'ipa trust-add --type=ad'
command.

We discussed a few other approaches with Simo and decided to go for this
one as the simplest. By default, Kerberos tickets issued in an IPA install
are not renewable, so it is not possible to use 'kinit -R' to renew an
existing ticket. Another approach was to modify our KDB driver to attach
the MS-PAC to selected service tickets rather than to the TGT, but this means we
lose the advantage of 'caching' MS-PAC creation (which may be costly
due to LDAP lookups for gathering group membership) as part of the TGT
ticket.

In the end, adding two options to ipa-adtrust-install which is run only
once is simpler.

-A (--admin-name, defaults to 'admin') allows specifying the admin user
-a (--admin-password) allows specifying the admin user's password

If the admin password is not specified, existing default ccache credentials
are used and a warning message about the need to re-kinit is shown at the end.

An unattended install is treated as if the admin password was not specified.

http://fedorahosted.org/freeipa/ticket/2852


Looks good, ACK. Just put in spaces after the commas before you push:
+    admin_password = read_password(admin_name,confirm=False,validate=None)

Thanks. Fixed this and another place and pushed to master + 3.0.

--
/ Alexander Bokovoy
