#5260 host/ principals from IPA realm do not get MS-PAC when using AD trusts
Opened 8 years ago by pspacek. Modified 7 years ago

The fact that host/ principals from the IPA realm do not get an MS-PAC prevents machines joined to the IPA realm from updating their DNS records in AD. (Of course, it can work only with bi-directional trusts. It is up to the user to decide whether it is worth it.)

The latest requests for this feature are here:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00341.html
https://www.redhat.com/archives/freeipa-users/2015-August/msg00322.html

This request has popped up a couple of times already.


Changing Source to reflect the request from idm-tech.

notes:
sbose: currently the PAC is only added for IPA server host principals. The dynamic DNS update looks like a valid use case to me, I just wonder whether we should add the PAC unconditionally to all IPA host principals or keep the current scheme as the default and add an option to add the PAC to all principals?

pspacek: With the introduction of one-way trust, I do not see a reason for adding an arbitrary limit. If you do not want IPA entities to touch AD, use a one-way trust.

ab: we have a way to enable MS-PAC per service (including hosts). If a host has MS-PAC enabled and has a SID, it can get an MS-PAC already. The only thing missing is to allow setting the PAC for hosts (we do it for service-mod but not for host-mod). We can force adding a SID if a hypothetical 'ipa host-mod foo.bar.idm --pac-type=MS-PAC' is executed.
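The two conditions ab names (MS-PAC in the host's PAC-type list and a SID on the entry) can be checked from the host's LDAP attributes. The following is an added example, not code from the FreeIPA project or from anyone in this ticket: it parses constructed text in the style of `ipa host-show --all --raw` and reports whether the KDC would attach an MS-PAC. Only the attribute names `ipakrbauthzdata` and `ipantsecurityidentifier` are real FreeIPA attributes; the hostnames, SIDs and the treatment of an explicit `NONE` value as "no PAC" are assumptions made for the example, and the suggested `host-mod --pac-type` command is the hypothetical one from ab's comment, not an existing option.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the style of `ipa host-show <fqdn> --all --raw`.
# Only two attribute names here are real FreeIPA ones:
#   ipakrbauthzdata         - per-principal PAC type list (what --pac-type sets)
#   ipantsecurityidentifier - the host's SID, present only if one was assigned
# Hostnames, SIDs and the remaining values are made up for this example.
SAMPLE_RAW: Dict[str, str] = {
    # IPA server host: PAC type set and SID present
    "server.ipa.example": """\
  dn: fqdn=server.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
  fqdn: server.ipa.example
  krbprincipalname: host/server.ipa.example@IPA.EXAMPLE
  ipakrbauthzdata: MS-PAC
  ipantsecurityidentifier: S-1-5-21-111111111-222222222-333333333-1005
""",
    # Ordinary client host: SID present but no per-host PAC type
    "client.ipa.example": """\
  dn: fqdn=client.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
  fqdn: client.ipa.example
  krbprincipalname: host/client.ipa.example@IPA.EXAMPLE
  ipantsecurityidentifier: S-1-5-21-111111111-222222222-333333333-1042
""",
    # Host with MS-PAC requested but no SID ever assigned
    "nosid.ipa.example": """\
  dn: fqdn=nosid.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
  fqdn: nosid.ipa.example
  krbprincipalname: host/nosid.ipa.example@IPA.EXAMPLE
  ipakrbauthzdata: MS-PAC
""",
}


def parse_raw_show(text: str) -> Dict[str, List[str]]:
    """Parse 'attr: value' lines into a dict of value lists.

    --raw output repeats the attribute name for multi-valued attributes,
    so every attribute maps to a list. Keys are lower-cased because LDAP
    attribute names are case-insensitive.
    """
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry


@dataclass
class PacStatus:
    fqdn: str
    pac_types: Tuple[str, ...]   # effective PAC type list after defaults
    sid: Optional[str]

    @property
    def gets_ms_pac(self) -> bool:
        # ab's two conditions: MS-PAC enabled for the principal and a SID present.
        # An explicit NONE is assumed to disable the PAC entirely.
        if "NONE" in self.pac_types:
            return False
        return "MS-PAC" in self.pac_types and self.sid is not None


def pac_status(raw: str, default_pac_types: Tuple[str, ...] = ()) -> PacStatus:
    """Decide whether a host principal would get an MS-PAC.

    default_pac_types models the server-wide default that applies when the
    host entry carries no ipakrbauthzdata of its own. The default of ()
    mirrors sbose's note that ordinary IPA hosts currently get no PAC.
    """
    entry = parse_raw_show(raw)
    fqdn = entry.get("fqdn", ["?"])[0]
    own_types = tuple(v.upper() for v in entry.get("ipakrbauthzdata", []))
    effective = own_types if own_types else default_pac_types
    sids = entry.get("ipantsecurityidentifier", [])
    return PacStatus(fqdn=fqdn, pac_types=effective, sid=sids[0] if sids else None)


def suggested_fix(status: PacStatus) -> Optional[str]:
    """Return the hypothetical host-mod from ab's comment if the host is not
    PAC-eligible, else None. The --pac-type option on host-mod does not
    exist at the time of this ticket; it is the proposed change."""
    if status.gets_ms_pac:
        return None
    note = "" if status.sid else "  # would also need a SID to be assigned"
    return f"ipa host-mod {status.fqdn} --pac-type=MS-PAC{note}"


if __name__ == "__main__":
    for raw in SAMPLE_RAW.values():
        st = pac_status(raw)
        print(f"{st.fqdn}: pac_types={st.pac_types} sid={st.sid} "
              f"gets_ms_pac={st.gets_ms_pac}")
        fix = suggested_fix(st)
        if fix:
            print("  ->", fix)
```

Running it against a real deployment would mean feeding `ipa host-show $FQDN --all --raw` output into `pac_status`; the `default_pac_types` argument is how you model a server-wide "add MS-PAC to every host" default, which is the alternative sbose raises.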

Metadata Update from @pspacek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

