When cross-realm trust is established, Windows allows to access Global Catalog service using Kerberos tickets from a trusted domain. These tickets must have MS-PAC in them.
Currently we generate MS-PAC only for users because we need to know SID to put to MS-PAC. We need to add MS-PAC to other principals as well but to do so we need to define default SID for them, for example, a SID per host which all principals owned by this host would be sharing.
This is part of trusted domains work for 3.3
Rename component.
Moving to next month bucket.
This is a 3.3 Trust effort sub-ticket - set rhbz to 0.
Committed to master:
cf97590
8d6d845
Metadata Update from @abbra: - Issue assigned to sbose - Issue set to the milestone: FreeIPA 3.3 - 2013/06
Login to comment on this ticket.