Alexander Bokovoy wrote:
On Tue, 18 Sep 2012, Petr Vobornik wrote:
On 09/18/2012 05:33 PM, Alexander Bokovoy wrote:
On Tue, 18 Sep 2012, Petr Vobornik wrote:
On 09/18/2012 03:22 PM, Alexander Bokovoy wrote:
On Tue, 18 Sep 2012, Petr Vobornik wrote:
On 09/18/2012 02:15 PM, Sumit Bose wrote:
On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote:
On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote:
Hi,
Following patch adds trust verification sequence to the case
when we
establish trust with knowledge of AD administrative credentials.
As we found out, in order to validate/verify trust, one has to
have
administrative credentials for the trusted domain, since there are
few RPCs that should be performed against trusted domain's DC's
LSA
and NetLogon pipes and these are protected by administrative
credentials.
Thus, when we know admin credentials for the remote domain, we can
perform the trust validation.
https://fedorahosted.org/freeipa/ticket/2763
Just a short feedback. The patch is working as expected, for a
newly
created trust Windows will send a TGS request to the IPA KDC
without
explicit validation on the windows side. Currently I have some
issues
in my test setup so that I can not give a full ACK atm.
ok, ACK.
Nevertheless it would be nice if Petr can check for any
implications to
the web UI with respect to the status of the trust.
It shouldn't break Web UI but Web UI won't use it. In add command Web
UI uses only the command state (success/error). If the truststatus
text would be a part of command summary text, it can be displayed in
notification message (which fades after 3s) when comment 8 of
https://fedorahosted.org/freeipa/ticket/2977#comment:8 is
implemented.
It is displayed as part of the output, truststatus property:
# ipa trust-add --type=ad --admin Administrator@ad.local --password
ad.local
Active directory domain adminstrator's password:
-------------------------------------------------
Added Active Directory trust for realm "ad.local"
-------------------------------------------------
Realm name: ad.local
Domain NetBIOS name: AD
Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified
Would be good if you could take it in use.
I created a patch which uses it. See attached screenshots. It may be
useful but, as I wrote, the message is displayed only for 3s, so some
users might not have time to read it whole - message is too long.
Well, as we don't have other means to show this information right now,
that's good too. Maybe notification message timer could be possible to
tune per instance? Then we could have, say, 5 seconds timeout here and
keep 3 seconds as default one...
I tuned it. Updated patch attached.
ACK. Worked fine for me.
Pushed 073 and 215.1 to ipa-3-0 and master
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
