Hi Alexander,
On 6 Jul 2017, at 4:55 pm, Alexander Bokovoy <abokovoy@redhat.com> wrote:
Can you show 'ipa trust-show staff.localdomain'? It should have a list of additional name suffixes we derive from the AD forest trust. After releasing 4.4.x we found out that there are some deployments where people modify userPrincipalName directly in AD LDAP and thus these name suffixes aren't visible through the trust topology discovery requests.
Yes, I suspect we are in that category, as the affiliate domain is not visible through the trust:
# ipa trust-show staff.localdomain
  Realm name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Trust direction: Trusting forest
  Trust type: Active Directory domain
In 4.5.x I added a way to expand that information manually with 'ipa trust-mod'. You can do that yourself with an LDAP modify of the trust object for the ipantadditionalsuffixes attribute.
I see. So we can modify that attribute directly in 4.4.x as a way forward with our current installation?
Regards,
Robert.