path: root/ipalib/plugins/trust.py
author: Alexander Bokovoy <abokovoy@redhat.com> 2012-10-31 19:52:12 +0000
committer: Simo Sorce <simo@redhat.com> 2012-11-01 15:46:58 -0400
commit: fc3834ca46fa986694be6a94f0a51d74e9e532a8 (patch)
tree: 0a830bc0a6a8041d535ce695b499cb3d34b719e9 /ipalib/plugins/trust.py
parent: 57132797120bcd3f68380b6b74343af2d83e0657 (diff)
Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
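Steps 6 to 8 of the sequence above search the Global Catalog for the member's SID, decode it from its binary objectSid form and store the string form in place of the name. The following is an added, stand-alone example of that decoding step (and its inverse) in plain Python; it is not code from this commit or from FreeIPA, which relies on Samba's Python bindings for SID handling. The sample objectSid bytes are constructed for a made-up domain, the `-512` RID is the Domain Admins RID the old docstring example referred to, and `sid_in_domain` is an illustrative defensive check (not something the patch adds) that a resolved SID really belongs to the trusted domain the member was matched against in step 1.

```python
import struct

# Constructed sample: the objectSid bytes a Global Catalog search would return
# for S-1-5-21-1-2-3-512, i.e. RID 512 (Domain Admins) in a made-up domain.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01" "05" "000000000005"          # revision 1, 5 sub-authorities, authority 5
    "15000000" "01000000" "02000000"  # 21, 1, 2  (little-endian uint32 each)
    "03000000" "00020000"             # 3, 512
)

DOMAIN_ADMINS_RID = 512  # well-known RID; "<domain SID>-512" is Domain Admins


def decode_sid(raw):
    """Decode a binary objectSid blob into its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32 LE.
    """
    if len(raw) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length %d does not match %d sub-authorities"
                         % (len(raw), sub_count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text):
    """Inverse of decode_sid: textual SID back to the binary blob."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % text)
    if any(s < 0 or s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority out of uint32 range: %r" % text)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid):
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sid_in_domain(sid, domain_sid):
    """Illustrative check: does the resolved SID belong to the trusted domain?

    Accepting a SID from any other domain would map an unrelated principal
    into the external group, so a resolver should verify this before storing it.
    """
    return split_rid(sid)[0] == domain_sid


if __name__ == "__main__":
    sid = decode_sid(SAMPLE_OBJECTSID)
    print(sid, split_rid(sid), sid_in_domain(sid, "S-1-5-21-1-2-3"))
```

`decode_sid` rejects truncated or oversized blobs rather than silently decoding what it can, since a length mismatch on data fetched from a remote directory is more likely corruption or an unexpected attribute than a valid SID.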
Diffstat (limited to 'ipalib/plugins/trust.py')
-rw-r--r-- ipalib/plugins/trust.py 17
1 files changed, 8 insertions, 9 deletions
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 44679e7a2..ffff1e2fc 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -78,24 +78,23 @@ should be included into one of local POSIX groups.
Example:
-1. Make note of the trusted domain security identifier
-
- domainsid = `ipa trust-show <ad.domain> | grep Identifier | cut -d: -f2`
-
-2. Create group for the trusted domain admins' mapping and their local POSIX group:
+1. Create group for the trusted domain admins' mapping and their local POSIX group:
ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
-3. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
- group (security identifier of <ad.domain SID>-512 is Domain Admins group):
+2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
+ group:
- ipa group-add-member ad_admins_external --external ${domainsid}-512
+ ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
-4. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
+3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
+4. List members of external members of ad_admins_external group to see their SIDs:
+
+ ipa group-show ad_admins_external
""")
trust_output_params = (
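Review bot: step 2 of the docstring still reads "Add security identifier of Domain Admins" while its new command passes a name, `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`, so the sentence should say the member is given by name and resolved to its SID through the trusted domain (which is what the commit message describes); the literal `AD` NetBIOS name should also be the `<ad.domain>` placeholder used everywhere else in the example. Step 4's "List members of external members of ad_admins_external group" should read "List external members of ad_admins_external group", and since that step is where the reader first sees a SID, the removed remark that the entry ending in -512 is the Domain Admins group would be worth keeping there.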