author: Alexander Bokovoy <abokovoy@redhat.com> 2015-03-26 14:34:06 +0200
committer: Tomas Babej <tbabej@redhat.com> 2015-07-08 01:56:52 +0200
commit: 785f6593caf1817b84332397ca19752d3cf50c25
tree: ae1fc625ea7b1d2d8309172736ac1e65691ced59 /VERSION
parent: d3ccfefaa4671776df0743285dd6c7d49f832813
add one-way trust support to ipasam
When a trust is established, the ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for a one-way trust we create a principal named IPA$@AD, where IPA is the NetBIOS (flat) name of the IPA forest and AD is the realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve the domain topology.

Access to the keys of the principal should be well protected. We only allow members of the cn=adtrust agents group to retrieve the keytab for it. This group is populated with the host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where ipa-adtrust-install was not run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify the --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions