author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-10-18 21:46:35 +0300 |
---|---|---|
committer | Alexander Bokovoy <abokovoy@redhat.com> | 2012-10-31 22:28:53 +0200 |
commit | 09a4764112b9aa3e2e26e00f20fa23f42356b9b4 (patch) | |
tree | 3a2733f4383c1504468a4e31eb9fb36f49c79172 /ipalib/plugins/trust.py | |
parent | 381f7f583ca02835731aeb2ca8be31ee279504ef (diff) | |
Resolve external members from trusted domain via Global Catalog
The sequence is as follows:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
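Steps 6 to 8 of the sequence above, as an added example in Python (not FreeIPA's own code): splitting the external member name, building the Global Catalog search filter with RFC 4515 escaping, and decoding the binary objectSid into its S-1-5-... form. The sample SID is constructed; the ccache setup and SASL bind of steps 4 and 5 are not shown.

```python
import struct

# Constructed sample: a Domain Admins group SID (RID 512) in the binary form that
# Active Directory returns in the objectSid attribute.  The three domain
# sub-authorities are made up for this example.
SAMPLE_DOMAIN_SUBAUTHS = (21, 1111111111, 2222222222, 3333333333)

def encode_sid(revision, authority, subauths):
    """Build a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    blob = bytes([revision, len(subauths)]) + authority.to_bytes(6, 'big')
    return blob + struct.pack('<%dI' % len(subauths), *subauths)

SAMPLE_SID = encode_sid(1, 5, SAMPLE_DOMAIN_SUBAUTHS + (512,))

def decode_sid(blob):
    """Decode a binary objectSid into 'S-1-5-21-...' form, validating the layout
    so a truncated or malformed attribute value is rejected rather than
    silently turned into a wrong SID."""
    if len(blob) < 8:
        raise ValueError('SID too short')
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(blob[2:8], 'big')
    subauths = struct.unpack('<%dI' % count, blob[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subauths)

def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value, so a member name taken
    from the command line cannot change the structure of the GC search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\0' else ch for ch in value)

def split_external_member(member):
    """Split 'NETBIOS\\name' into (netbios_domain, name); the domain part is
    what gets matched against the trusted domain (step 1 of the sequence)."""
    domain, sep, name = member.partition('\\')
    if not sep or not domain or not name:
        raise ValueError('expected DOMAIN\\name, got %r' % member)
    return domain, name

def member_sid_filter(name):
    """Filter sent to the Global Catalog to fetch the member's objectSid."""
    return ('(&(|(objectClass=user)(objectClass=group))(sAMAccountName=%s))'
            % ldap_escape(name))
```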
Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r-- | ipalib/plugins/trust.py | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 44679e7a2..ffff1e2fc 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -78,24 +78,23 @@ should be included into one of local POSIX groups. Example: -1. Make note of the trusted domain security identifier - - domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2` - -2. Create group for the trusted domain admins' mapping and their local POSIX group: +1. Create group for the trusted domain admins' mapping and their local POSIX group: ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external ipa group-add --desc='<ad.domain> admins' ad_admins -3. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external - group (security identifier of <ad.domain SID>-512 is Domain Admins group): +2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external + group: - ipa group-add-member ad_admins_external --external ${domainsid}-512 + ipa group-add-member ad_admins_external --external 'AD\\Domain Admins' -4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: ipa group-add-member ad_admins --groups ad_admins_external +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external """) trust_output_params = ( |
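Review bot: the new step 2 text still says "Add security identifier of Domain Admins of the <ad.domain>", but the command it now shows passes a name, `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`, and the SID is resolved behind the scenes through the trusted domain's Global Catalog; reword it to "Add the Domain Admins group of <ad.domain> (its SID is resolved via the Global Catalog)". The example also drops the `<ad.domain>` placeholder in favour of a literal NetBIOS name `AD`, so either use a matching placeholder such as `<AD-NETBIOS>\Domain Admins` or state that the short (NetBIOS) domain name is expected there. The new step 4 title "List members of external members of ad_admins_external group to see their SIDs" reads doubled; "List the external members of ad_admins_external to see their SIDs" is clearer.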