Since the trust password is needed to access resources on the other domain, it is basically stored in plain text. It should be protected by ACIs and maybe even encrypted if some safe key material is available.
An ACI on ipaNTTrustAuthOutgoing and ipaNTTrustAuthIncoming so that only the samba user can read and write them should be sufficient.
Is handled as part of the major enhancements in #2189.
Done, will be submitted together with 1821.
https://www.redhat.com/archives/freeipa-devel/2012-April/msg00019.html
Waiting for MIT Kerberos support in samba to have principal to whom the ACIs can be assigned.
Done
master: bd0d858
Metadata Update from @sbose: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/05