#4959 Add support for one-way trust and make it default in ipa trust-add
Status: Closed (Fixed). Opened 9 years ago by abbra.

Switch two-way trust creation in ipaserver/dcerpc.py to one-way by default.

The code needs to be changed to allow specifying either a one- or two-way trust and should manipulate the trust_direction property (by setting lsa.LSA_TRUST_DIRECTION_OUTBOUND or a combination of lsa.LSA_TRUST_DIRECTION_INBOUND and lsa.LSA_TRUST_DIRECTION_OUTBOUND) in the TrustDomainInstance.establish_trust() method.

A one-way trust can be created with full AD administrator credentials too, while the shared-secret method will rely on the AD administrator creating the remote part of it in AD.
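The following is an added example, not code from the FreeIPA ticket or from ipaserver/dcerpc.py, showing how the trust_direction bitmask described above is composed for a one-way versus a two-way trust, and how a value read back from LSA can be decoded into the question a defender actually cares about (which side's users gain access). It uses the real constants from samba.dcerpc.lsa when that module is installed; the fallback numeric values, the function names and the dictionary keys are assumptions made for this example.

```python
"""Added example (not FreeIPA's code): compose and decode the LSA
trust_direction bitmask that the ticket says establish_trust() must set."""

try:
    # Real module used by ipaserver/dcerpc.py; constants come from lsa.idl.
    from samba.dcerpc import lsa
    INBOUND = lsa.LSA_TRUST_DIRECTION_INBOUND
    OUTBOUND = lsa.LSA_TRUST_DIRECTION_OUTBOUND
except ImportError:
    # Assumed values (MS-LSAD TRUST_DIRECTION_* flags) so the example runs offline.
    INBOUND = 0x1
    OUTBOUND = 0x2


def trust_direction_for(two_way: bool) -> int:
    """Return the bitmask for the trust_direction property.

    One-way (the default this ticket asks for): from IPA's side the trust is
    OUTBOUND only, i.e. IPA trusts AD, so AD users can reach IPA resources
    but IPA users gain nothing in AD. Two-way adds the INBOUND leg.
    """
    if two_way:
        return INBOUND | OUTBOUND
    return OUTBOUND


def describe_direction(flags: int) -> dict:
    """Decode a trust_direction value into who is granted access.

    Rejects unknown bits and the all-zero value (a trust that is disabled in
    both directions) so a misconfigured object is noticed rather than
    silently reported as one-way.
    """
    if flags & ~(INBOUND | OUTBOUND):
        raise ValueError(f"unknown trust_direction bits: {flags:#x}")
    if flags == 0:
        raise ValueError("trust_direction is 0: trust disabled in both directions")
    # INBOUND-only would mean AD trusts IPA but not the reverse; IPA does not
    # create that shape, but the decoder still reports it honestly.
    return {
        "ad_users_can_access_ipa": bool(flags & OUTBOUND),
        "ipa_users_can_access_ad": bool(flags & INBOUND),
        "kind": "two-way" if flags == (INBOUND | OUTBOUND) else "one-way",
    }


if __name__ == "__main__":
    for two_way in (False, True):
        value = trust_direction_for(two_way)
        print(f"two_way={two_way}: trust_direction={value:#x} -> {describe_direction(value)}")
```

When auditing an existing trust, feeding the stored trust_direction through describe_direction() is a quick way to confirm that a trust intended to be one-way has not quietly grown an inbound leg.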


Alexander and team are working on this item.

The one-way trust patch set was pushed; it also fixes this ticket.

master:
2dd5b46 trust: support retrieving POSIX IDs with one-way trust during trust-add
5025204 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
a9570e8 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
d5aa1ee trusts: add support for one-way trust and switch to it by default
14992a0 ipa-adtrust-install: allow configuring of trust agents
aa21600 ipa-sidgen: reduce log level to normal if domain SID is not available
47e1de7 trusts: pass AD DC hostname if specified explicitly
03c2d76 ipa-adtrust-install: add IPA master host principal to adtrust agents
785f659 add one-way trust support to ipasam

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2

7 years ago
