On Tue, 22 Aug 2017, bogusmaster--- via FreeIPA-users wrote:
Hi All,
I am setting up a one-way trust from a FreeIPA server to an AD domain with a pre-shared key.
This is currently not working due to a chicken/egg problem: in order to turn the trust into an active one, you need to validate it. We do not have code in the Samba-IPA integration that makes validation _from_ the Windows side work, thus we can only validate it from the Linux side. However, to do that, we should have *some* administrative account on the AD side because our trusted domain object is not active yet.
There are two ways to get around it today:
 - use administrative credentials to establish one-way trust
 - establish two-way trust