On Wed, 05 Apr 2017, William Muriithi wrote:
> Good evening,
>
> I am looking through the IPA documentation and it looks like I will
> need a password that doesn't expire on the Active Directory side.
No.

> These are the two documented ways.
>
> ipa trust-add --type=ad ad.example.com --admin Administrator --password
> ipa trust-add --type=ad ad.example.com --trust-secret
>
> I had initially used the first method, but we recently started
> rotating the admin password.  I suspect this has broken the trust and
> am looking for a more durable solution.
You need the administrator's password once -- to establish the trust. It is
*not* used for anything else once you have established the trust.

> On closely reading through the trust secret section of the
> documentation, it looks like it also involves using a password. I
> thought I had read somewhere that a trust can be created without a
> permanent password, but this doesn't seem to be the case now.
>
> Is there a way of creating a trust without putting a non-expiring
> exception on the Active Directory trust account?
Right now AD DCs trying to rotate the password for the trusted domain object
account will fail. We do not support this rotation on the IPA side. So it
does not matter what AD tries to do -- as the password cannot be set
remotely, it is not rotated.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project