# ipalib/plugins/trust.py (FreeIPA), recovered from the compiled Python 2.6
# module /usr/lib/python2.6/site-packages/ipalib/plugins/trust.py.
# Only the docstrings, labels, lookup tables, class attributes and a few
# function bodies survive compilation; everything that could not be read
# back from the bytecode is marked below rather than reconstructed.

from ipalib.plugins.baseldap import *
from ipalib.plugins.dns import dns_container_exists
from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object
from ipalib.parameters import Enum
from ipalib import Command
from ipalib import errors
from ipapython import ipautil
from ipalib import util

# Two optional imports guarded by try/except ImportError follow in the
# original (the AD trust bindings); the imported module names did not survive
# compilation. Each sets a flag recording whether the binding is installed,
# and the second import is only attempted when api.env.context is not 'lite'
# (i.e. when running in the server).

__doc__ = _("""
Cross-realm trusts

Manage trust relationships between IPA and Active Directory domains.

In order to allow users from a remote domain to access resources in the IPA
domain, a trust relationship needs to be established. Currently IPA supports
only trusts between IPA and Active Directory domains under the control of
Windows Server 2008 or later, with functional level 2008 or later.

Please note that DNS on both the IPA and the Active Directory side must be
configured properly so that each domain can discover the other. The trust
relationship relies on the ability to discover special resources in the
other domain via DNS records.

Examples:

1. Establish a cross-realm trust with Active Directory using AD administrator
   credentials:

   ipa trust-add --type=ad --admin --password

2. List all existing trust relationships:

   ipa trust-find

3. Show details of a specific trust relationship:

   ipa trust-show

4. Delete an existing trust relationship:

   ipa trust-del

Once the trust relationship is established, remote users need to be mapped to
local POSIX groups in order to actually use IPA resources. The mapping is
done by adding the remote users or groups as external members of a non-POSIX
group, and then including that group in one of the local POSIX groups.

Example:

1. Create a group for mapping the trusted domain's admins and their local
   POSIX group:

   ipa group-add --desc=' admins external map' ad_admins_external --external
   ipa group-add --desc=' admins' ad_admins

2. Add the security identifier of the trusted AD domain's Domain Admins to
   the ad_admins_external group:

   ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'

3. Allow members of ad_admins_external to be associated with the ad_admins
   POSIX group:

   ipa group-add-member ad_admins --groups ad_admins_external

4. List the external members of ad_admins_external to see their SIDs:

   ipa group-show ad_admins_external
""")

# Display labels for the trust entry attributes shown by trust-show/trust-find
trust_output_params = (
    Str('ipantflatname',
        label=_('Domain NetBIOS name')),
    Str('ipanttrusteddomainsid',
        label=_('Domain Security Identifier')),
    Str('trustdirection',
        label=_('Trust direction')),
    Str('trusttype',
        label=_('Trust type')),
    Str('truststatus',
        label=_('Trust status')),
)

_trust_type_dict = {1: _('Non-Active Directory domain'),
                    2: _('Active Directory domain'),
                    3: _('RFC4120-compliant Kerberos realm')}
_trust_direction_dict = {1: _('Trusting forest'),
                         2: _('Trusted forest'),
                         3: _('Two-way trust')}
_trust_status_dict = {True: _('Established and verified'),
                      False: _('Waiting for confirmation by remote side')}
_trust_type_dict_unknown = _('Unknown')


def trust_type_string(level):
    """
    Returns a string representing the type of the trust.

    The original field is an enum:
      LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
      LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
      LSA_TRUST_TYPE_MIT        = 0x00000003
    """
    string = _trust_type_dict.get(int(level), _trust_type_dict_unknown)
    return unicode(string)


def trust_direction_string(level):
    """
    Returns a string representing the direction of the trust.

    The original field is a bitmask using two bits:
      LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
      LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
    """
    string = _trust_direction_dict.get(int(level), _trust_type_dict_unknown)
    return unicode(string)


def trust_status_string(level):
    string = _trust_status_dict.get(level, _trust_type_dict_unknown)
    return unicode(string)


class trust(LDAPObject):
    """
    Trust object.
    """
    trust_types = ('ad', 'ipa')
    container_dn = api.env.container_trusts
    object_name = _('trust')
    object_name_plural = _('trusts')
    object_class = ['ipaNTTrustedDomain']
    default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
        'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
        'ipanttrustpartner', 'ipantauthtrustoutgoing',
        'ipanttrustauthincoming', 'ipanttrustforesttrustinfo',
        'ipanttrustposixoffset', 'ipantsupportedencryptiontypes']
    search_display_attributes = ['cn', 'ipantflatname',
                                 'ipanttrusteddomainsid', 'ipanttrusttype']

    label = _('Trusts')
    label_singular = _('Trust')

    takes_params = (
        Str('cn',
            cli_name='realm',
            label=_('Realm name'),
            primary_key=True,
        ),
    )

api.register(trust)


def make_trust_dn(env, trust_type, dn):
    # Trusts of a known type live under cn=<type>,<container_trusts>,<basedn>;
    # any other DN is returned unchanged.
    assert isinstance(dn, DN)
    if trust_type in trust.trust_types:
        container_dn = DN(('cn', trust_type), env.container_trusts, env.basedn)
        return DN(dn, container_dn)
    return dn


class trust_add(LDAPCreate):
    __doc__ = _('''
Add new trust to use.

This command establishes a trust relationship to another domain, which
becomes 'trusted'. As a result, users of the trusted domain may access
resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can be safely run multiple times against the same domain;
this will cause the trust relationship credentials on both sides to change.
    ''')

    takes_options = LDAPCreate.takes_options + (
        StrEnum('trust_type',
            cli_name='type',
            label=_('Trust type (ad for Active Directory, default)'),
            values=(u'ad',),
            default=u'ad',
            autofill=True,
        ),
        Str('realm_admin?',
            cli_name='admin',
            label=_("Active Directory domain administrator"),
        ),
        Password('realm_passwd?',
            cli_name='password',
            label=_("Active directory domain administrator's password"),
            confirm=False,
        ),
        Str('realm_server?',
            cli_name='server',
            label=_('Domain controller for the Active Directory domain (optional)'),
        ),
        Password('trust_secret?',
            cli_name='trust_secret',
            label=_('Shared secret for the trust'),
            confirm=False,
        ),
        Int('base_id?',
            cli_name='base_id',
            label=_('First Posix ID of the range reserved for the trusted domain'),
        ),
        Int('range_size?',
            cli_name='range_size',
            label=_('Size of the ID range reserved for the trusted domain'),
            # a numeric default is present in the compiled module but its
            # value could not be read back reliably
        ),
    )

    msg_summary = _('Added Active Directory trust for realm "%(value)s"')

    def execute(self, *keys, **options):
        # Body not recoverable from the compiled module beyond its outline:
        # it raises an error when the AD trust bindings are not installed,
        # dispatches to execute_ad() when options['trust_type'] == u'ad' and
        # rejects any other value, then re-reads the created trust entry from
        # LDAP (api.env.container_trusts under api.env.basedn) to build the
        # result dict.
        raise NotImplementedError('body not recoverable from the compiled module')

    def execute_ad(self, *keys, **options):
        # Body not recoverable from the compiled module.
        raise NotImplementedError('body not recoverable from the compiled module')

api.register(trust_add)

# The compiled module also registers trust_del, trust_mod, trust_find and
# trust_show (derived from LDAPDelete, LDAPUpdate, LDAPSearch and
# LDAPRetrieve respectively); their docstrings and bodies did not survive.
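The module documents two things a practitioner has to get right when wiring an AD trust into POSIX groups: how to read the LSA trust type and direction values that `trust-show` reports, and that external group members are raw SIDs. The example below is added here and is not FreeIPA's own code; it decodes the documented enum/bitmask values (going one step beyond the module's table lookup by testing the direction bits individually) and checks that a SID being added with `--external` was actually issued by the trusted domain whose `ipanttrusteddomainsid` the trust entry records, so a SID from another domain or the BUILTIN authority is not mapped into a local POSIX group by mistake. The SIDs and the helper names are constructed for the example.

```python
import re

# Values as documented in ipalib/plugins/trust.py
LSA_TRUST_TYPE_NAMES = {
    1: "Non-Active Directory domain",        # LSA_TRUST_TYPE_DOWNLEVEL
    2: "Active Directory domain",            # LSA_TRUST_TYPE_UPLEVEL
    3: "RFC4120-compliant Kerberos realm",   # LSA_TRUST_TYPE_MIT
}
LSA_TRUST_DIRECTION_INBOUND = 0x1
LSA_TRUST_DIRECTION_OUTBOUND = 0x2

# A few well-known relative IDs, for readable output only (assumed, not from the page)
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def trust_type_string(level):
    """Map the LSA trust type enum to its display string ('Unknown' otherwise)."""
    return LSA_TRUST_TYPE_NAMES.get(int(level), "Unknown")


def trust_direction_string(direction):
    """Decode the direction bitmask bit by bit instead of by exact value."""
    d = int(direction)
    inbound = bool(d & LSA_TRUST_DIRECTION_INBOUND)
    outbound = bool(d & LSA_TRUST_DIRECTION_OUTBOUND)
    if inbound and outbound:
        return "Two-way trust"
    if inbound:
        return "Trusting forest"
    if outbound:
        return "Trusted forest"
    return "Unknown"


_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) or raise ValueError."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(p) for p in m.group(2).split("-")[1:]]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of 32-bit range in %r" % (sid,))
    return authority, subs


def sid_domain(sid):
    """Strip the trailing RID, giving the SID of the issuing domain."""
    authority, subs = parse_sid(sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def check_external_member(member_sid, trusted_domain_sid):
    """
    Decide whether member_sid may be added as an external member for the
    trust whose domain SID is trusted_domain_sid.
    Returns (True, rid) on success, (False, reason) otherwise.
    """
    try:
        m_auth, m_subs = parse_sid(member_sid)
        d_auth, d_subs = parse_sid(trusted_domain_sid)
    except ValueError as exc:
        return False, str(exc)
    # An NT domain SID is S-1-5-21-<a>-<b>-<c>: authority 5, four sub-authorities
    if d_auth != 5 or len(d_subs) != 4 or d_subs[0] != 21:
        return False, "trusted domain SID is not an NT domain SID: %s" % trusted_domain_sid
    # The member must be <domain SID>-<RID>; anything else (BUILTIN, another
    # domain, the domain SID itself) is rejected
    if m_auth != d_auth or m_subs[:-1] != d_subs:
        return False, "SID not issued by trusted domain %s" % trusted_domain_sid
    return True, m_subs[-1]


# Constructed sample data: a trusted domain SID as trust-show would report it,
# its Domain Admins group, and a SID from an unrelated domain
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS_SID = TRUSTED_DOMAIN_SID + "-512"
FOREIGN_ADMINS_SID = "S-1-5-21-4040404040-505050505-606060606-512"
BUILTIN_ADMINS_SID = "S-1-5-32-544"


def describe_trust(trust_type, direction):
    """Human-readable summary of the two LSA fields, as trust-show prints them."""
    return "%s, %s" % (trust_type_string(trust_type), trust_direction_string(direction))


if __name__ == "__main__":
    print(describe_trust(2, 3))
    for sid in (DOMAIN_ADMINS_SID, FOREIGN_ADMINS_SID, BUILTIN_ADMINS_SID, "AD\\Domain Admins"):
        ok, detail = check_external_member(sid, TRUSTED_DOMAIN_SID)
        if ok:
            print("accept %s (RID %d, %s)" % (sid, detail, WELL_KNOWN_RIDS.get(detail, "unnamed")))
        else:
            print("reject %s: %s" % (sid, detail))
```

Note that the name form `AD\Domain Admins` shown in the module docstring is resolved to a SID by the server before it is stored; the check above operates on the stored SID form that `group-show` lists for external members.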