[Freeipa-users] AD permissions needed for setting up AD trusts
Sumit Bose
sbose at redhat.com
Fri Dec 21 12:19:28 UTC 2012
On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> Hi
>
> What permission level is needed for the AD user when creating an AD trust? Can a regular domain user account do it, or is a domain admin needed?
The account used here must be a member of the Domain Admins group.
>
> If write access to the AD server is needed, then could someone please tell me what the command will actually change in the AD server?
>
'ipa trust-add' will only use LSA calls on the AD server. The most
important one is CreateTrustedDomainEx2
(http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
trust between the two domains. Additionally QueryTrustedDomainInfoByName
(http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
trust is already added and SetInformationTrustedDomain
(http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
server that the IPA server can handle AES encryption are used.
HTH
bye,
Sumit
> The windows team at my place of work will want to know exactly what the tool will do before they grant permission.
>
> Thanks
>
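
For an after-the-fact review of what the trust creation left on the AD side, the following is an added example; it is not part of the original message or of FreeIPA's code. It assumes the trust appears as a trustedDomain object whose attributes have been exported to a dictionary. The function names are hypothetical and the two sample records are constructed, not captured from a real deployment.

```python
# Added example: review an exported AD trustedDomain object after a trust is created.
# Attribute names follow the AD schema; the sample records below are constructed.

# Bit flags of msDS-SupportedEncryptionTypes
ENCTYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_BITS = 0x08 | 0x10
DES_BITS = 0x01 | 0x02
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
FOREST_TRANSITIVE = 0x8  # trustAttributes flag

def decode_enctypes(mask):
    """Return the names of the encryption types set in the bit mask."""
    return [name for bit, name in ENCTYPES.items() if mask & bit]

def review_trust(obj):
    """Summarise one trustedDomain record and list points for the reviewer."""
    # LDAP exports deliver strings; an unset attribute is treated as 0.
    mask = int(obj.get("msDS-SupportedEncryptionTypes") or 0)
    findings = []
    if not mask & AES_BITS:
        findings.append("no AES enctype advertised for this trust")
    if mask & DES_BITS:
        findings.append("DES enctype enabled")
    return {
        "partner": obj["trustPartner"],
        "direction": DIRECTION.get(int(obj["trustDirection"]), "unknown"),
        "forest_transitive": bool(int(obj.get("trustAttributes") or 0) & FOREST_TRANSITIVE),
        "enctypes": decode_enctypes(mask),
        "findings": findings,
    }

# Constructed records: one with AES advertised, one with the attribute unset.
SAMPLE_AES = {"trustPartner": "ipa.example.test", "trustDirection": "3",
              "trustAttributes": "8", "msDS-SupportedEncryptionTypes": "28"}
SAMPLE_UNSET = {"trustPartner": "ipa.example.test", "trustDirection": "3",
                "trustAttributes": "8"}

if __name__ == "__main__":
    for record in (SAMPLE_AES, SAMPLE_UNSET):
        print(review_trust(record))
```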