#4962 Change ipasam to create TDO shadow objects for the trusted domains
Closed: Fixed None Opened 9 years ago by abbra.

Change ipasam to create an additional principal of the form IPA$@AD.REALM when creating the TDO object for the AD.REALM forest trust. This principal has to be disabled so that the KDC cannot use it to issue tickets.

The primary reason to have it maintained is to allow ipa-getkeytab to fetch the existing key for it.
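The security-relevant requirement in the ticket is that the shadow principal exists only as a key holder and is never usable for ticket issuance. The following is an added audit example, not ipasam or FreeIPA code, that scans principal entries for IPA$@<TRUSTED.REALM> shadow principals and reports any that are not disabled. It assumes FreeIPA-style LDAP entries where the krbTicketFlags attribute carries MIT KDB flags and the KRB5_KDB_DISALLOW_ALL_TIX bit (0x40) is what marks a principal as disabled; the sample entries are constructed.

```python
# Added audit example (not FreeIPA/ipasam code): verify that TDO shadow
# principals of the form IPA$@TRUSTED.REALM are disabled, so the KDC can
# never issue tickets for them while ipa-getkeytab can still fetch the key.
#
# Assumptions: entries are dicts of multi-valued LDAP attributes as FreeIPA
# stores them (krbPrincipalName, krbTicketFlags), and "disabled" means the
# MIT KDB flag KRB5_KDB_DISALLOW_ALL_TIX (0x40) is set in krbTicketFlags.

KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040


def shadow_principal_name(trusted_realm):
    """Name of the TDO shadow principal for a trusted AD realm."""
    return f"IPA$@{trusted_realm.upper()}"


def is_disabled(entry):
    """True if the entry's krbTicketFlags has DISALLOW_ALL_TIX set.

    A missing attribute is treated as flags == 0, i.e. NOT disabled,
    which is the conservative choice for an audit.
    """
    raw = entry.get("krbTicketFlags", ["0"])
    flags = int(raw[0]) if raw else 0
    return bool(flags & KRB5_KDB_DISALLOW_ALL_TIX)


def audit_tdo_shadow_principals(entries, trusted_realms):
    """Return shadow principal names that are NOT disabled.

    An empty list means every shadow principal for the given trusted
    realms is correctly locked out of ticket issuance.
    """
    expected = {shadow_principal_name(r) for r in trusted_realms}
    findings = []
    for entry in entries:
        for name in entry.get("krbPrincipalName", []):
            if name in expected and not is_disabled(entry):
                findings.append(name)
    return sorted(findings)


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    # Correct: shadow principal with DISALLOW_ALL_TIX (0x40 == 64) set.
    {"krbPrincipalName": ["IPA$@AD.REALM"], "krbTicketFlags": ["64"]},
    # Misconfigured: shadow principal for a second trust, not disabled.
    {"krbPrincipalName": ["IPA$@CORP.EXAMPLE.TEST"], "krbTicketFlags": ["0"]},
    # Ordinary host principal, only REQUIRES_PRE_AUTH (0x80) set; ignored.
    {"krbPrincipalName": ["host/ipa.example.test@EXAMPLE.TEST"],
     "krbTicketFlags": ["128"]},
    # Shadow principal with the attribute absent entirely; reported.
    {"krbPrincipalName": ["IPA$@OTHER.EXAMPLE.TEST"]},
]

SAMPLE_REALMS = ["AD.REALM", "CORP.EXAMPLE.TEST", "OTHER.EXAMPLE.TEST"]

if __name__ == "__main__":
    for name in audit_tdo_shadow_principals(SAMPLE_ENTRIES, SAMPLE_REALMS):
        print(f"NOT DISABLED: {name}")
```

Running the block prints the two misconfigured shadow principals from the constructed sample. Against a real deployment the entries would come from an LDAP search of the principals, and any name the audit returns should be treated as a principal the KDC could wrongly issue tickets for.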


The one-way trust patch set was pushed; it also fixes this ticket.

master:
2dd5b46 trust: support retrieving POSIX IDs with one-way trust during trust-add
5025204 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
a9570e8 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
d5aa1ee trusts: add support for one-way trust and switch to it by default
14992a0 ipa-adtrust-install: allow configuring of trust agents
aa21600 ipa-sidgen: reduce log level to normal if domain SID is not available
47e1de7 trusts: pass AD DC hostname if specified explicitly
03c2d76 ipa-adtrust-install: add IPA master host principal to adtrust agents
785f659 add one-way trust support to ipasam

Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2

7 years ago
