Hi Alexander,
On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> Can you show 'ipa trust-show staff.localdomain'? It should have list of
> additional name suffixes we derive from the AD forest trust. After
> releasing 4.4.x we found out that there are some deployments where
> people modify userPrincipalName directly in AD LDAP and thus these name
> suffixes aren't visible through the trust topology discovery requests.
Yes, I suspect we are in that category, as the affiliate domain is not visible through the trust:
# ipa trust-show staff.localdomain
Realm name: staff.localdomain
Domain NetBIOS name: STAFF
Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
Trust direction: Trusting forest
Trust type: Active Directory domain
> In 4.5.x I added a way to expand that information manually with
> 'ipa trust-mod'. You can do that yourself with an LDAP modify of the trust
> object for ipantadditionalsuffixes attribute.
I see. So we can modify that attribute directly in 4.4.x as a way forward with our current installation?
Regards,
Robert.