[Freeipa-users] AD permissions needed for setting up AD trusts

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 11 10:03:04 UTC 2013


On Fri, 11 Jan 2013, Petr Spacek wrote:
>On 11.1.2013 10:19, Alexander Bokovoy wrote:
>>On Fri, 11 Jan 2013, David Juran wrote:
>>>On fre, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
>>>>On 01/03/2013 12:28 PM, Petr Spacek wrote:
>>>>> On 12/21/2012 01:19 PM, Sumit Bose wrote:
>>>>>> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> What permission level is needed for the AD user when creating an AD
>>>>>>> trust?  Can a regular domain user account do it, or is a domain
>>>>>>> admin needed?
>>>>>>
>>>>>> The account used here must be a member of the Domain Admins group.
>>>>>>
>>>>>>>
>>>>>>> If write access to the AD server is needed, then could someone
>>>>>>> please tell me what the command will actually change in the AD server?
>>>>>>>
>>>>>>
>>>>>> 'ipa trust-add' will only use LSA calls on the AD server. The most
>>>>>> important one is CreateTrustedDomainEx2
>>>>>> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
>>>>>> trust between the two domains. Additionally QueryTrustedDomainInfoByName
>>>>>> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
>>>>>> trust is already added and SetInformationTrustedDomain
>>>>>> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
>>>>>> server that the IPA server can handle AES encryption are used.
>>>>>
>>>>> Should we add this information to AD trusts documentation?
>>>>>
>>>>>>> The windows team at my place of work will want to know exactly what
>>>>>>> the tool will do before they grant permission.
>>>>>
>>>>I have added this information to the AD trusts wiki page:
>>>>http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>>>
>>>That link only gets me to an empty wiki page...
>>It is moved to HOWTOs:
>>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
>
>Should we create a redirection? At least for users digging in archives?
Yes, please do that.

-- 
/ Alexander Bokovoy
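For the AD side of the question above (what `ipa trust-add` actually changes on the AD server), the following is an added audit script, not part of this thread or of the FreeIPA project. It lists the `trustedDomain` objects that CreateTrustedDomainEx2 creates and that SetInformationTrustedDomain updates, and decodes their direction, type, attribute flags and `msDS-SupportedEncryptionTypes` (the attribute behind the AES capability mentioned by Sumit). It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined Windows host with read access to the domain naming context; the flag names come from the MS-ADTS and MS-KILE specifications, and the `Get-TrustAudit` function name and its optional `-Server` parameter are this example's own.

```powershell
# Added example (not from the thread or the FreeIPA project): audit the trustedDomain
# objects in AD that 'ipa trust-add' creates through CreateTrustedDomainEx2 and
# updates through SetInformationTrustedDomain. Assumes the RSAT ActiveDirectory
# module on a domain-joined Windows host with read access to the domain NC.
Import-Module ActiveDirectory

# Bit meanings per MS-KILE (msDS-SupportedEncryptionTypes) and MS-ADTS (trustAttributes).
# Plain hashtables are used on purpose: an [ordered] dictionary indexed with an
# integer would be treated as a positional lookup, not a key lookup.
$EncTypeBits = @{
    0x01 = 'DES_CBC_CRC'
    0x02 = 'DES_CBC_MD5'
    0x04 = 'RC4_HMAC'
    0x08 = 'AES128_CTS_HMAC_SHA1_96'
    0x10 = 'AES256_CTS_HMAC_SHA1_96'
}
$TrustAttrBits = @{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'
    0x08 = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
    0x80 = 'USES_RC4_ENCRYPTION'
}
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustType      = @{ 1 = 'Downlevel'; 2 = 'Uplevel'; 3 = 'MIT'; 4 = 'DCE' }

# Turn a bit-mask attribute into a readable 'A|B|C' string.
function ConvertFrom-FlagValue {
    param([int]$Value, [hashtable]$Table)
    $names = foreach ($bit in ($Table.Keys | Sort-Object)) {
        if ($Value -band $bit) { $Table[$bit] }
    }
    if ($names) { $names -join '|' } else { '(none)' }
}

# Hypothetical helper: one record per trustedDomain object in the domain.
function Get-TrustAudit {
    param([string]$Server)   # optional: a specific DC to query
    $params = @{
        LDAPFilter = '(objectClass=trustedDomain)'
        Properties = 'trustPartner', 'flatName', 'trustDirection', 'trustType',
                     'trustAttributes', 'msDS-SupportedEncryptionTypes',
                     'whenCreated', 'whenChanged'
    }
    if ($Server) { $params.Server = $Server }

    foreach ($t in Get-ADObject @params) {
        # [int]$null evaluates to 0, so an unset attribute reads as "no enctypes".
        $enc = [int]($t.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Partner     = $t.trustPartner
            FlatName    = $t.flatName
            Direction   = $TrustDirection[[int]$t.trustDirection]
            Type        = $TrustType[[int]$t.trustType]
            Attributes  = ConvertFrom-FlagValue -Value $t.trustAttributes -Table $TrustAttrBits
            EncTypes    = ConvertFrom-FlagValue -Value $enc -Table $EncTypeBits
            AESCapable  = [bool]($enc -band 0x18)   # AES128 or AES256 bit set
            Created     = $t.whenCreated
            LastChanged = $t.whenChanged
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```

Run it before and after `ipa trust-add` and diff the output: the IPA domain should appear as a new object (Created matches the run), and a later `SetInformationTrustedDomain` call shows up as a bumped LastChanged together with AESCapable turning true. A trust whose EncTypes column reads `(none)` or only `RC4_HMAC` will still negotiate RC4 with the partner, which is the condition this check is meant to surface.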
