[Freeipa-users] Creating trust relationship that survives password rotation

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 6 07:01:00 UTC 2017


On Wed, 05 Apr 2017, William Muriithi wrote:
>Good evening,
>
>I am looking through the IPA documentation and it looks like I will
>need a password that doesn't expire on the active directory side.
No.

>
>These are the two documented ways.
>
>ipa trust-add --type=ad ad.example.com --admin Administrator --password
>ipa trust-add --type=ad ad.example.com --trust-secret
>
>I had initially used the first method, but we recently started
>rotating the admin password.  I suspect this has broken the trust and
>am looking for a more durable solution.
You need administrator's password once -- to establish trust. It is
*not* used for anything else once you established trust.

>On closely reading through the trust secret section of the
>documentation, it looks like it also involves using a password. I
>thought I had read somewhere that a trust can be done without a
>permanent password, but this doesn't seem to be the case now.
>
>Is there a way of creating a trust without putting a non-expiry
>exception on the active directory trust account?
Right now AD DCs trying to rotate password for trusted domain object
account will fail. We do not support this rotation on IPA side. So it
does not matter what AD tries to do -- as password cannot be set
remotely, it is not rotated.

-- 
/ Alexander Bokovoy
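The practical follow-up to this answer is to confirm that an existing trust still works after the AD Administrator password has been rotated. The script below is an added example, not part of the thread or of FreeIPA itself; it uses the real `ipa trust-show` and `ipa trust-fetch-domains` commands, and `IPA_CMD` is an assumed hook (defaulting to `ipa`) so the check can be exercised with a stub command offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confirm that an existing
# IPA -> AD trust still works after the AD Administrator password was rotated.
# Per the thread, that password is used only once, by `ipa trust-add`, so a
# later rotation should not affect the trust. This script verifies that claim
# on a live IPA server (run with a valid admin Kerberos ticket, e.g. kinit admin).
#
# IPA_CMD is an assumed hook so the check can be exercised offline with a
# stand-in command; on a real server it defaults to the `ipa` CLI.
IPA_CMD="${IPA_CMD:-ipa}"

# check_trust REALM
# Returns 0 when the trust object exists and the trusted forest's domains can
# still be enumerated through it, 1 otherwise. Reports the failing step on stderr.
check_trust() {
    realm="$1"
    if ! "$IPA_CMD" trust-show "$realm" >/dev/null 2>&1; then
        echo "trust object for $realm not found on the IPA side" >&2
        return 1
    fi
    # trust-fetch-domains reaches the AD DC through the established trust rather
    # than the Administrator account, so it fails if the trust itself is broken.
    if ! "$IPA_CMD" trust-fetch-domains "$realm" >/dev/null 2>&1; then
        echo "cannot enumerate domains of $realm through the trust" >&2
        return 1
    fi
    echo "trust with $realm is healthy"
    return 0
}

# Usage: sh check_trust.sh ad.example.com
if [ -n "${1:-}" ]; then
    check_trust "$1"
fi
```

If `trust-show` succeeds but `trust-fetch-domains` fails, the object is still in IPA but the secret shared with AD no longer works, which is the case where re-running `ipa trust-add` (with the current admin password or a fresh `--trust-secret`) is needed.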