#1341 Design a ipa-adtrust-install setup utility
Closed: Fixed. Opened 12 years ago by sbose.

To allow trust relationships with Active Directory domains, samba services offering the RPC pipes netlogon, samr and lsar must be running on the IPA server. The configuration should be created, if requested, while running ipa-server-install or with the help of a separate script for an active IPA server, similar to the handling of the DNS setup.


After a discussion with Simo we came up with the following tasks for this utility:
- the utility shall only prepare IPA to handle AD trust but not create any trust relationships to AD domains; this will be handled by a separate CLI/GUI tool
- ipa-dns-install can be used as a reference
- create samba configuration in /etc/ipa to start smbd with endpoint mapper and LSA daemon, but no nmbd or winbind
- create samba domain object in LDAP
- create a samba account to connect to LDAP
- samba shall use LDAPI to talk to LDAP
- add samba objectclasses to the list of default object classes for new users and groups
- add samba objectclasses to existing users and groups; this may be optional to give the IPA admin better control over which users and groups will be visible in the AD domain, but it should be enabled by default, because this is the expected behavior when a trust is created
- configure DNA plugin to create SIDs for users and groups
- no LM passwords must be used, only NT hashes
- allow samba user to read NT hashes
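As an added illustration of what the "create samba configuration in /etc/ipa" and "no LM passwords, only NT hashes" items amount to in Samba terms (this is an example written for this page, not FreeIPA's own generated configuration), here is an smb.conf fragment for an smbd that serves only the endpoint mapper and LSA daemon RPC pipes, talks to the local directory over LDAPI, and refuses LM hashes. The domain name, realm, socket path and the `uid=samba,...` bind DN are assumed placeholder values; they are not taken from the ticket.

```ini
; Example smb.conf fragment (illustrative, not FreeIPA's generated file).
; Domain, realm, socket path and bind DN are assumed placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    netbios name = ipa-server
    security = user

    ; Only smbd runs: no nmbd (NetBIOS disabled, port 445 only) and no winbind.
    disable netbios = yes
    smb ports = 445

    ; Serve the netlogon, samr and lsarpc pipes through the forked
    ; endpoint mapper (epmd) and LSA (lsasd) daemons instead of in-process.
    rpc_server:epmapper = external
    rpc_server:lsarpc = external
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_daemon:epmd = fork
    rpc_daemon:lsasd = fork

    ; Talk to the local 389-ds over the LDAPI unix socket rather than TCP;
    ; the samba system account below is the "samba account to connect to LDAP".
    passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
    ldap suffix = dc=example,dc=com
    ldap user suffix = cn=users,cn=accounts
    ldap group suffix = cn=groups,cn=accounts
    ldap admin dn = uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com
    ldap ssl = off

    ; Never accept or store LM hashes; NT (NTLM) hashes only.
    lanman auth = no
    client lanman auth = no
    ntlm auth = yes
```

The bind password for `ldap admin dn` is not kept in smb.conf; Samba stores it in secrets.tdb via `smbpasswd -w`. For the ldapsam backend the directory entries need the samba schema object classes (`sambaDomain` for the domain object, `sambaSamAccount` on users), and the access control on the directory must let the samba bind DN read the `sambaNTPassword` attribute, which is the "allow samba user to read NT hashes" item above. The DNA plugin configuration for SID generation and the default object class changes are separate directory-side steps and are not shown here.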

Then I would suggest renaming it to something like ipa-adtrust-prepare.

Alternatively if we have ipa-adtrust-manage utility to manage trust relationships it might be fine. Does it make sense to have two separate utilities in this case or to combine them in one and have different flags?

IMO separate utilities are simpler to develop and test. Right?

I think we can stay with ipa-adtrust-install. It is the same with ipa-dns-install. This utility does everything so that bind can use the data in LDAP. The actual data (except for the server itself) are created later via CLI/GUI.

It would be nice if trusts could be created with the ipa utility like 'ipa adtrust-add ...' and similarly with the GUI, but we need to investigate if the apache user has sufficient privileges to run all operations. I'll open a separate ticket for this.

Metadata Update from @sbose (7 years ago):
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/08
