[Freeipa-users] AD permissions needed for setting up AD trusts

Petr Spacek pspacek at redhat.com
Thu Jan 3 11:28:00 UTC 2013


On 12/21/2012 01:19 PM, Sumit Bose wrote:
> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>> Hi
>>
>> What permission level is needed for the AD user when creating an AD trust?  Can a regular domain user account do it, or is a domain admin needed?
>
> The account used here must be a member of the Domain Admins group.
>
>>
>> If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server?
>>
>
> 'ipa trust-add' will only use LSA calls on the AD server. The most
> important one is CreateTrustedDomainEx2
> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> trust between the two domains. Additionally, QueryTrustedDomainInfoByName
> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) is used to check if the
> trust is already added, and SetInformationTrustedDomain
> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> server that the IPA server can handle AES encryption.

Should we add this information to AD trusts documentation?

>> The windows team at my place of work will want to know exactly what the tool will do before they grant permission.

-- 
Petr^2 Spacek