[Freeipa-users] AD permissions needed for setting up AD trusts

Ana Krivokapic akrivoka at redhat.com
Fri Jan 4 18:04:24 UTC 2013


On 01/03/2013 12:28 PM, Petr Spacek wrote:
> On 12/21/2012 01:19 PM, Sumit Bose wrote:
>> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>>> Hi
>>>
>>> What permission level is needed for the AD user when creating an AD 
>>> trust?  Can a regular domain user account do it, or is a domain 
>>> admin needed?
>>
>> The account used here must be a member of the Domain Admins group.
>>
>>>
>>> If write access to the AD server is needed, then could someone 
>>> please tell me what the command will actually change in the AD server?
>>>
>>
>> 'ipa trust-add' will only use LSA calls on the AD server. The most
>> important one is CreateTrustedDomainEx2
>> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
>> trust between the two domains. Additionally, QueryTrustedDomainInfoByName
>> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
>> trust is already added and SetInformationTrustedDomain
>> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
>> server that the IPA server can handle AES encryption are used.
>
> Should we add this information to AD trusts documentation?
>
>>> The windows team at my place of work will want to know exactly what 
>>> the tool will do before they grant permission.
>
I have added this information to the AD trusts wiki page:
http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
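For the Windows-side team that wants to verify what 'ipa trust-add' actually left behind, the following PowerShell audit is an added example, not part of the thread and not FreeIPA project code. It reads the trustedDomain object that CreateTrustedDomainEx2 creates under CN=System and the msDS-SupportedEncryptionTypes attribute that SetInformationTrustedDomain updates for AES support; it only reads, and needs no Domain Admins membership, just read access to CN=System. The IPA domain name is a placeholder.

```powershell
# Added example (not from the thread): read-only audit of the trust object
# that 'ipa trust-add' creates on the AD side. Requires the ActiveDirectory
# RSAT module. The domain name below is a placeholder, not a real value.
Import-Module ActiveDirectory

$IpaDomain = 'ipa.example.test'   # placeholder: the IPA realm as AD sees it

# Bits of msDS-SupportedEncryptionTypes (Kerberos enctype support flags)
$ENC_RC4    = 0x04
$ENC_AES128 = 0x08
$ENC_AES256 = 0x10

# trustDirection values as stored on the trustedDomain object
$DirectionNames = @{ 0 = 'disabled'; 1 = 'inbound'; 2 = 'outbound'; 3 = 'bidirectional' }

# The trustedDomain object lives in CN=System of the AD domain
$systemContainer = 'CN=System,' + (Get-ADDomain).DistinguishedName
$tdo = Get-ADObject `
    -Filter "objectClass -eq 'trustedDomain' -and name -eq '$IpaDomain'" `
    -SearchBase $systemContainer `
    -Properties trustDirection, trustAttributes, trustType,
                'msDS-SupportedEncryptionTypes', whenCreated, whenChanged

if (-not $tdo) {
    Write-Output "No trustedDomain object for $IpaDomain under $systemContainer."
    Write-Output "Either 'ipa trust-add' has not run yet, or it failed before CreateTrustedDomainEx2."
    return
}

# Missing attribute means no encryption types were ever set (treat as 0)
$enc = 0
if ($null -ne $tdo.'msDS-SupportedEncryptionTypes') {
    $enc = [int]$tdo.'msDS-SupportedEncryptionTypes'
}

[pscustomobject]@{
    Name             = $tdo.Name
    Created          = $tdo.whenCreated          # when the trust was created
    LastChanged      = $tdo.whenChanged          # later SetInformationTrustedDomain calls bump this
    Direction        = $DirectionNames[[int]$tdo.trustDirection]
    TrustType        = [int]$tdo.trustType       # 2 = uplevel (Windows 2000+ style) trust
    ForestTransitive = [bool]([int]$tdo.trustAttributes -band 0x8)
    AES128           = [bool]($enc -band $ENC_AES128)
    AES256           = [bool]($enc -band $ENC_AES256)
    RC4              = [bool]($enc -band $ENC_RC4)
}
```

Run it before and after the IPA administrator executes 'ipa trust-add' and compare the two outputs: the only object that should appear is the new trustedDomain entry for the IPA realm, and after the SetInformationTrustedDomain step the AES128/AES256 flags should read True. Anything else changing under CN=System is worth asking about.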