[Freeipa-users] AD permissions needed for setting up AD trusts

David Juran djuran at redhat.com
Fri Jan 11 09:14:09 UTC 2013


On Fri, 2013-01-04 at 19:04 +0100, Ana Krivokapic wrote:
> On 01/03/2013 12:28 PM, Petr Spacek wrote:
> > On 12/21/2012 01:19 PM, Sumit Bose wrote:
> >> On Fri, Dec 21, 2012 at 12:30:33PM +0100, James Findley wrote:
> >>> Hi
> >>>
> >>> What permission level is needed for the AD user when creating an AD 
> >>> trust?  Can a regular domain user account do it, or is a domain 
> >>> admin needed?
> >>
> >> The account used here must be a member of the Domain Admins group.
> >>
> >>>
> >>> If write access to the AD server is needed, then could someone 
> >>> please tell me what the command will actually change in the AD server?
> >>>
> >>
> >> 'ipa trust-add' will only use LSA calls on the AD server. The most
> >> important one is CreateTrustedDomainEx2
> >> (http://msdn.microsoft.com/en-us/library/cc234380.aspx) to create the
> >> trust between the two domains. Additionally QueryTrustedDomainInfoByName
> >> (http://msdn.microsoft.com/en-us/library/cc234376.aspx) to check if the
> >> trust is already added and SetInformationTrustedDomain
> >> (http://msdn.microsoft.com/en-us/library/cc234385.aspx) to tell the AD
> >> server that the IPA server can handle AES encryption are used.
> >
> > Should we add this information to AD trusts documentation?
> >
> >>> The windows team at my place of work will want to know exactly what 
> >>> the tool will do before they grant permission.
> >
> I have added this information to the AD trusts wiki page:
> http://www.freeipa.org/page/IPAv3_AD_trust_setup#Add_trust_with_AD_domain

That link only gets me to an empty wiki page...


-- 
David Juran
Sr. Consultant
Red Hat
+46-725-345801
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130111/259ec25a/attachment.sig>
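The LSA calls named in the quoted reply (CreateTrustedDomainEx2, QueryTrustedDomainInfoByName, SetInformationTrustedDomain) create and then update a trustedDomain object on the AD side. For a Windows team that wants to see exactly what ended up in their directory, the following is an added example (not from this thread and not part of FreeIPA's own tooling) that reads the resulting trust object back with the ActiveDirectory PowerShell module and decodes its trustAttributes bits as defined in MS-ADTS. The IPA domain name `ipa.example.test` is a placeholder.

```powershell
# Added example (not from the thread): inspect the trust object that
# 'ipa trust-add' creates on the AD side, run from a domain-joined Windows
# host with the ActiveDirectory module (RSAT) installed.
# The IPA domain name below is a placeholder; replace it with your IPA realm.
param(
    [string]$IpaDomain = 'ipa.example.test'
)

Import-Module ActiveDirectory -ErrorAction Stop

# trustAttributes bit flags from MS-ADTS; used to explain the raw integer.
$TrustAttributeFlags = [ordered]@{
    0x00000001 = 'NON_TRANSITIVE'
    0x00000002 = 'UPLEVEL_ONLY'
    0x00000004 = 'QUARANTINED_DOMAIN (SID filtering)'
    0x00000008 = 'FOREST_TRANSITIVE'
    0x00000010 = 'CROSS_ORGANIZATION'
    0x00000020 = 'WITHIN_FOREST'
    0x00000040 = 'TREAT_AS_EXTERNAL'
    0x00000080 = 'USES_RC4_ENCRYPTION'
}

function Get-TrustAttributeNames {
    param([int]$Value)
    $names = foreach ($bit in $TrustAttributeFlags.Keys) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    if (-not $names) { return '(none)' }
    return ($names -join ', ')
}

# The trust object is named after the trusted domain. -Filter returns nothing
# (instead of throwing) when no such trust exists, which is the same state
# QueryTrustedDomainInfoByName reports before 'ipa trust-add' has run.
$trust = Get-ADTrust -Filter "Name -eq '$IpaDomain'" -Properties *
if (-not $trust) {
    Write-Warning "No trust named '$IpaDomain' found on this domain."
    return
}

$attrs = [int]$trust.TrustAttributes
[pscustomobject]@{
    Name            = $trust.Name
    Direction       = $trust.Direction
    TrustType       = $trust.TrustType
    TrustAttributes = ('0x{0:X8} = {1}' -f $attrs, (Get-TrustAttributeNames -Value $attrs))
    UsesAESKeys     = $trust.UsesAESKeys          # set via SetInformationTrustedDomain
    UsesRC4         = $trust.UsesRC4Encryption
    SIDFiltering    = $trust.SIDFilteringQuarantined
} | Format-List
```

Reading the object needs only ordinary domain-user rights, so the Windows team can run this themselves before and after the trust is added and diff the output; the UsesAESKeys field is the visible effect of the SetInformationTrustedDomain call mentioned above.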

