[Freeipa-devel] [PATCH] 0070 Ask for admin password in ipa-adtrust-install
Sumit Bose
sbose at redhat.com
Wed Aug 22 19:15:47 UTC 2012
On Fri, Aug 17, 2012 at 06:04:51PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> The credentials of the admin user will be used to obtain Kerberos ticket
> before configuring cross-realm trusts support and afterwards, to
> ensure that the ticket contains MS-PAC information required to actually
> add a trust with Active Directory domain via 'ipa trust-add --type=ad'
> command.
>
> We discussed a few other approaches with Simo and decided to go for this
> one as the simplest. By default, Kerberos tickets issued in an IPA install
> are not renewable, so it is not possible to use 'kinit -R' to renew the
> existing ticket. Another approach was to modify our KDB driver to attach
> the MS-PAC to selected service tickets rather than to the TGT, but this means we
> are losing the advantage of 'caching' MS-PAC creation (which may be costly
> due to LDAP lookups for gathering group membership) as part of the TGT
> ticket.
>
> In the end, adding two options to ipa-adtrust-install which is run only
> once is simpler.
>
> -A (--admin-name, defaults to 'admin') allows specifying the admin user
> -a (--admin-password) allows specifying the admin user's password
>
> If the admin password is not specified, the existing default ccache credentials
> are used and a warning message about the need to re-kinit is shown at the end.
>
> An unattended install is treated as if the admin password was not specified.
>
> http://fedorahosted.org/freeipa/ticket/2852
>
> --
> / Alexander Bokovoy
Working as described and expected, ACK.
bye,
Sumit