freeipa/daemons
Alexander Bokovoy 785f6593ca add one-way trust support to ipasam
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

Access to the keys of the principal should be well protected. We only
allow members of the cn=adtrust agents group to retrieve the keytab for it.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2, the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify the --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
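The commit message above describes a naming rule (the one-way trust principal is IPA$@AD, built from the IPA forest's NetBIOS flat name and the AD forest root realm) and an access rule (only members of cn=adtrust agents may read its keys). The block below is an added illustration of both rules, not ipasam, ipa-kdb or any other FreeIPA code: the directory snapshot is constructed inline, and the entry locations, the ipaAllowedToPerform;read_keys attribute name and the host names are assumptions about how the rule is represented, used only so the checks are concrete.

```python
"""Added illustration of the IPA$@AD naming rule and the keytab-access rule.

Not FreeIPA code. DIRECTORY is a constructed LDAP snapshot; the DN layout and
the ipaAllowedToPerform;read_keys attribute are assumptions about the schema.
"""

SUFFIX = "dc=ipa,dc=example,dc=test"            # assumed IPA base DN
IPA_REALM = "IPA.EXAMPLE.TEST"                  # assumed IPA realm
AGENTS_DN = f"cn=adtrust agents,cn=sysaccounts,cn=etc,{SUFFIX}"


def trust_principal(netbios_name: str, ad_realm: str) -> str:
    """One-way trust principal: <IPA flat name>$@<AD forest root realm>."""
    flat = netbios_name.upper()
    # NetBIOS names are at most 15 characters and never dotted.
    if not (1 <= len(flat) <= 15) or "." in flat:
        raise ValueError(f"{netbios_name!r} is not a NetBIOS flat name")
    return f"{flat}$@{ad_realm.upper()}"


# Constructed snapshot: the trust principal entry carries an ACL naming the
# agents group; the group lists host and cifs entries of two IPA masters.
DIRECTORY = {
    f"krbprincipalname={trust_principal('IPA', 'ad.example.test')},cn=trusts,{SUFFIX}": {
        "ipaAllowedToPerform;read_keys": {AGENTS_DN},
    },
    AGENTS_DN: {
        "member": {
            f"fqdn=master1.ipa.example.test,cn=computers,cn=accounts,{SUFFIX}",
            f"krbprincipalname=cifs/master1.ipa.example.test@{IPA_REALM},cn=services,cn=accounts,{SUFFIX}",
            # a master without Samba, enabled via ipa-adtrust-install --add-agents
            f"fqdn=master2.ipa.example.test,cn=computers,cn=accounts,{SUFFIX}",
        },
    },
}


def requester_dn(principal: str) -> str:
    """Map the Kerberos principal a master binds with to its LDAP entry (assumed layout)."""
    name, realm = principal.rsplit("@", 1)
    if realm.upper() != IPA_REALM:
        raise ValueError("requester is not from the IPA realm")
    service, _, host = name.partition("/")
    if service == "host" and host:
        return f"fqdn={host.lower()},cn=computers,cn=accounts,{SUFFIX}"
    if service and host:
        return f"krbprincipalname={service}/{host.lower()}@{IPA_REALM},cn=services,cn=accounts,{SUFFIX}"
    raise ValueError(f"unsupported requester {principal!r}")


def may_read_keys(requester: str, target_principal: str) -> bool:
    """Deny by default; allow only when the requester's entry is a member of a
    group listed in the target principal's read_keys ACL."""
    target_dn = f"krbprincipalname={target_principal},cn=trusts,{SUFFIX}"
    entry = DIRECTORY.get(target_dn)
    if entry is None:
        return False
    try:
        dn = requester_dn(requester)
    except ValueError:
        return False
    for group_dn in entry.get("ipaAllowedToPerform;read_keys", ()):
        if dn in DIRECTORY.get(group_dn, {}).get("member", ()):
            return True
    return False


if __name__ == "__main__":
    target = trust_principal("IPA", "ad.example.test")
    for who in ("host/master1.ipa.example.test@IPA.EXAMPLE.TEST",
                "host/master2.ipa.example.test@IPA.EXAMPLE.TEST",
                "host/client1.ipa.example.test@IPA.EXAMPLE.TEST",
                "admin@IPA.EXAMPLE.TEST"):
        print(f"{who:50} -> {'allow' if may_read_keys(who, target) else 'deny'}")
```

The point of the default-deny shape is that a host/ principal of an enrolled client, an ordinary user, or a principal from the trusted AD realm all fall out of the membership walk with the same negative answer; only an entry actually listed in cn=adtrust agents reaches the keys.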
Path                Last commit                                                                  Date
dnssec              ipalib: Load ipaserver plugins when api.env.in_server is True                2015-07-01 13:05:30 +00:00
ipa-kdb             ipa-kdb: filter out group membership from MS-PAC for exact SID matches too   2015-07-08 01:56:52 +02:00
ipa-otpd            Move ipa-otpd socket directory                                               2014-02-11 17:36:19 +01:00
ipa-sam             add one-way trust support to ipasam                                          2015-07-08 01:56:52 +02:00
ipa-slapi-plugins   allow deletion of segment if endpoint is not managed                         2015-07-02 11:54:01 +02:00
configure.ac        ds plugin - manage replication topology in the shared tree                   2015-05-26 10:40:29 +02:00
ipa-version.h.in    Fix typos                                                                    2011-09-07 13:20:42 +02:00
Makefile.am         fix Makefile.am for daemons                                                  2015-03-26 14:58:37 +01:00