[Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 7 11:53:54 UTC 2015


On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
>From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <abokovoy at redhat.com>
>Date: Thu, 26 Mar 2015 14:34:06 +0200
>Subject: [PATCH 01/11] add one-way trust support to ipasam
>
>When a trust is established, the ipasam module creates a number of objects in LDAP
>to represent the trust information. Among them, for a one-way trust we create
>a principal named IPA$@AD, where IPA is the NetBIOS (flat) name of the IPA forest
>and AD is the realm of the trusted Active Directory forest root domain.
>
>This principal is then used by SSSD on IPA masters to authenticate against
>trusted Active Directory domain controllers and retrieve information about
>user and group identities.
>
>FreeIPA also uses this principal's credentials to retrieve domain topology.
>
>Access to the keys of this principal should be well protected. We only
>allow members of the cn=adtrust agents group to retrieve its keytab.
>This group is populated with host/ and cifs/ principals from IPA masters.
>
>Starting with FreeIPA 4.2 the group will also contain host/ principals of IPA masters
>where ipa-adtrust-install was not run. To add them, run ipa-adtrust-install
>on the master which will be configured to be a domain controller (e.g.
>to run Samba with ipasam), and specify the --add-agents option to trigger the
>interactive mode in which you specify which IPA masters to enable.
>
>Fixes https://fedorahosted.org/freeipa/ticket/4962
>Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
... and fixes ticket https://fedorahosted.org/freeipa/ticket/5005 too

-- 
/ Alexander Bokovoy
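The commit message above describes two things a reviewer would want to see pinned down: how the one-way trust principal IPA$@AD is formed from the IPA flat name and the AD realm, and the least-privilege rule that only host/ and cifs/ principals of IPA masters in cn=adtrust agents may retrieve its keytab. The following is an added, stand-alone model of that policy; it is not code from FreeIPA, ipasam or the patch. The group DN, host names, realms and the membership set are constructed stand-ins for the LDAP group FreeIPA really consults, and the flat-name and realm syntax checks are assumptions of this example, not rules taken from the patch.

```python
"""Model of the trust principal and keytab-retrieval policy described above.

Added example, not FreeIPA or ipasam code: the group DN, the host names and
the realms are constructed, and the membership set stands in for the LDAP
group that FreeIPA actually consults.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

# NetBIOS flat names are at most 15 characters; this example additionally
# requires the upper-case alphanumeric form (assumption for illustration).
FLAT_NAME_RE = re.compile(r"^[A-Z0-9][A-Z0-9-]{0,14}$")
# Kerberos realms in this example are upper-case DNS-style names (assumption).
REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")

# Constructed stand-in for cn=adtrust agents: the principals allowed to fetch
# the trust principal's keytab (host/ and cifs/ of IPA masters, per the text).
ADTRUST_AGENTS: Set[str] = {
    "host/master1.ipa.example.com@IPA.EXAMPLE.COM",
    "cifs/master1.ipa.example.com@IPA.EXAMPLE.COM",
    # master without ipa-adtrust-install, added via --add-agents
    "host/master2.ipa.example.com@IPA.EXAMPLE.COM",
}


@dataclass(frozen=True)
class Principal:
    service: Optional[str]  # "host", "cifs", ...; None for user or IPA$-style names
    instance: str           # host name, user name or flat name
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'service/instance@REALM' or 'name@REALM'; reject anything else."""
    if name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {name!r}")
    local, realm = name.split("@")
    if not local or not realm:
        raise ValueError(f"empty component in {name!r}")
    if "/" in local:
        service, instance = local.split("/", 1)
        if not service or not instance:
            raise ValueError(f"empty service or instance in {name!r}")
        return Principal(service, instance, realm)
    return Principal(None, local, realm)


def is_valid_flat_name(flat_name: str) -> bool:
    """True when the flat name satisfies this example's NetBIOS constraints."""
    return FLAT_NAME_RE.fullmatch(flat_name) is not None


def trust_principal(flat_name: str, ad_realm: str) -> str:
    """Build the one-way trust principal IPA$@AD for an IPA flat name and AD realm."""
    if not is_valid_flat_name(flat_name):
        raise ValueError(f"invalid NetBIOS flat name {flat_name!r}")
    if REALM_RE.fullmatch(ad_realm) is None:
        raise ValueError(f"invalid realm {ad_realm!r}")
    return f"{flat_name}$@{ad_realm}"


def may_retrieve_trust_keytab(requester: str, agents: Set[str]) -> bool:
    """Policy: only host/ or cifs/ principals that are agents may fetch the keytab.

    The service-type check is defence in depth on top of group membership: a
    user principal that somehow ends up in the group is still refused.
    """
    try:
        p = parse_principal(requester)
    except ValueError:
        return False
    if p.service not in ("host", "cifs"):
        return False
    return requester in agents


if __name__ == "__main__":
    tp = trust_principal("IPA", "AD.EXAMPLE.COM")
    requesters = sorted(ADTRUST_AGENTS) + [
        "host/client1.ipa.example.com@IPA.EXAMPLE.COM",
        "admin@IPA.EXAMPLE.COM",
    ]
    for who in requesters:
        verdict = "allow" if may_retrieve_trust_keytab(who, ADTRUST_AGENTS) else "deny"
        print(f"{verdict:5} keytab of {tp} for {who}")
```

The model deliberately fails closed: a malformed requester name, a non-service principal, or a service principal outside the agents set all yield a refusal, mirroring the intent that only enrolled IPA masters ever hold the IPA$@AD keys.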

