[Freeipa-devel] [PATCH] 0062 support various forms of user account when establishing trusts

Rob Crittenden rcritten at redhat.com
Tue Jul 17 15:48:06 UTC 2012


Alexander Bokovoy wrote:
> Hi,
>
> Realm administrator account may be specified using different forms:
> Administrator, DOM\Administrator, Administrator@DOMAIN
>
> This patch introduces handling of the second two forms:
> - In DOM\Administrator only user name is used, short domain name
>   is then taken from a discovered record from the AD DC
> - In Administrator@DOMAIN first DOMAIN is verified to be the same
>   as the domain we are establishing trust to, and then user name
>   is taken, together with short domain name taken from a discovered
>   record from the AD DC
>
> Note that we do not support using to-be-trusted domain's trusted
> domains' accounts to establish trust as there is basically zero chance
> to verify that things will work with them. In addition, in order to
> establish trust one needs to belong to Enterprise Admins group in AD or
> have specially delegated permissions. These permissions are unlikely
> to be delegated to the ones in an already trusted domain.
>
> https://fedorahosted.org/freeipa/ticket/2864
>

ACK
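
The account handling described in the quoted patch summary, sketched as an added example (not the patch's code and not part of either message). The function name, the exception class, the tuple return value and the case-insensitive domain comparison are assumptions made for illustration; the sample domain names are constructed.

```python
class AccountFormError(ValueError):
    """Raised when the supplied account cannot be used for this trust."""


def normalize_trust_admin(account, target_domain, discovered_short_name):
    """Return (short_domain_name, user_name) for the domain being trusted.

    account               -- value typed by the admin, in any of the three forms
    target_domain         -- DNS name of the domain the trust is established to
    discovered_short_name -- short domain name from the record discovered
                             from the AD DC (hypothetical parameter)
    """
    account = account.strip()
    if not account:
        raise AccountFormError("empty account name")

    if "\\" in account:
        # DOM\user: only the user name is used. The typed prefix is dropped
        # and the discovered short name is used in its place.
        _typed_prefix, user = account.split("\\", 1)
    elif "@" in account:
        # user@DOMAIN: DOMAIN must be the domain we are establishing trust
        # to, so accounts from that domain's own trusted domains are refused.
        user, domain = account.rsplit("@", 1)
        # Assumption: DNS names compare case-insensitively, trailing dot ignored.
        if domain.rstrip(".").lower() != target_domain.rstrip(".").lower():
            raise AccountFormError(
                "account domain %r is not the domain being trusted (%r)"
                % (domain, target_domain))
    else:
        # Bare user name.
        user = account

    if not user or "\\" in user or "@" in user:
        raise AccountFormError("malformed account name: %r" % account)
    return (discovered_short_name, user)


# Constructed sample input covering the three forms.
SAMPLES = ["Administrator", "AD\\Administrator", "Administrator@ad.example.test"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", normalize_trust_admin(sample, "ad.example.test", "AD"))
```
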



