When cross-realm trust is established, Windows allows access to the Global Catalog service using Kerberos tickets from a trusted domain. These tickets must have an MS-PAC in them.
Currently we generate an MS-PAC only for users because we need to know the SID to put into the MS-PAC. We need to add an MS-PAC to other principals as well, but to do so we need to define a default SID for them, for example, a SID per host which all principals owned by this host would share.
This is part of the trusted domains work for 3.3.
Moving to next month bucket.
This is a 3.3 Trust effort sub-ticket - set rhbz to 0.
Committed to master:
Metadata Update from @abbra:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.3 - 2013/06