
8.4. Setting up Trust with FreeIPA and Active Directory in Different DNS Domains

  1. Stop the Windows firewall service.
  2. Stop iptables and ip6tables on the FreeIPA server.
    [root@ipaserver ]# service iptables stop
  3. Install the required trust packages, updated Samba4 packages, and LDAP-DNS packages for FreeIPA DNS management.
    [root@ipaserver ]# yum install ipa-server "*ipa-server-trust-ad" samba4-winbind-clients bind-dyndb-ldap samba4-client

    IMPORTANT

    The Samba4 packages conflict with the default Samba3 packages on the Red Hat Enterprise Linux system. There may be dependency issues with other applications as the Samba3 packages are removed.
    The cifs-utils package is removed when Samba3 is removed. This must be re-installed.
    [root@ipaserver ]# yum install cifs-utils
    It is recommended that you remove the samba4-winbind-krb5-locator package to improve Kerberos performance.
    [root@ipaserver ]# yum remove samba4-winbind-krb5-locator
  4. For a new FreeIPA server, set up the FreeIPA server to use its own, integrated DNS services (--setup-dns), its own DNS domain (-n), and the Active Directory DNS server as a forwarder (--forwarder). For example:
    [root@ipaserver ]# ipa-server-install --setup-dns --forwarder=ad-dns.adserver.example.com -p secret -a secret -r IPAEXAMPLE -n ipaexample.com --hostname ipaserver.ipaexample.com -U
    ipa-server-install options are described in Section 2.3.1, “About ipa-server-install”.
    If the FreeIPA server was configured without using Active Directory as a forwarder, the Active Directory server can be added afterwards as a conditional forwarder. This requires the IP address of the Active Directory DNS server.
    [root@ipaserver ]# ipa dnsconfig-mod --forwarder=255.255.255.255 --forward-policy=first
    Using a first policy means that queries are sent to the forwarder first and then to the local named process. Alternatively, this can be set to only, so that only the DNS forwarder is queried, never named.
  5. Add the FreeIPA server as a conditional forwarder in the Active Directory DNS configuration.
    1. Open the Administrative Tools menu, and select the DNS item.
    2. Right-click the Conditional Forwarders item in the left column of the window.
    3. Select the New Conditional Forwarder... button.
    4. Enter the DNS domain name of the FreeIPA domain and the IP address of the FreeIPA DNS server.
    5. Save the new forwarder.
    Alternatively, use the dnscmd command-line utility to add the forwarder entry:
    > dnscmd 127.0.0.1 /ZoneAdd IPAEXAMPLE.COM /Forwarder 255.255.255.0
  6. Check the SRV records for both domains from both servers.
    On the FreeIPA server, use the dig SRV command to list the records for the Active Directory domain and the FreeIPA domain.
    [root@ipaserver ~]# dig SRV _ldap._tcp.adexample.com
    ;; ANSWER SECTION:
    _ldap._tcp.adexample.com. 600    IN    SRV    0 100 389 adserver.adexample.com.
    ;; ADDITIONAL SECTION:
    adserver.adexample.com.    3600    IN    A    192.168.2.161
    
    [root@ipaserver ~]# dig SRV _ldap._tcp.ipaexample.com
    ;; ANSWER SECTION:
    _ldap._tcp.ipaexample.com. 86400    IN    SRV    0 100 389 ipaserver.ipaexample.com.
    ;; AUTHORITY SECTION:
    ipaexample.com.        86400    IN    NS    ipaserver.ipaexample.com.
    ;; ADDITIONAL SECTION:
    ipaserver.ipaexample.com.    1200    IN    A    192.168.2.158
    On the Active Directory server, open the nslookup tool and check the corresponding SRV records.
    > nslookup
    > set type=srv
    > _ldap._tcp.adexample.com
    > _ldap._tcp.ipaexample.com
    > quit
  7. Enable DNS lookups in the Kerberos realm for the Kerberos client.
    1. Open the /etc/krb5.conf configuration file.
      [root@ipaserver ]# vim /etc/krb5.conf
    2. In the [libdefaults] section, add or set the dns_lookup_kdc value to true.
      [libdefaults]
      ....
      dns_lookup_kdc = true
  8. Configure the FreeIPA server to enable trust services. This requires the NetBIOS name of the FreeIPA server and the password of the FreeIPA administrator, passed with the -a argument. Optionally, use the -U argument to run the script non-interactively.
    [root@ipaserver ]# ipa-adtrust-install --netbios-name=IPAEXAMPLE -a secret -U
  9. To verify the FreeIPA configuration at this point, use the Samba tools to check that the Windows-related services are running and accessible. The smbclient command shows whether the domain is in the Samba registry.
    [root@ipaserver ~]# smbclient -L ipaserver.ipaexample.com -k
    lp_load_ex: changing to config backend registry
    Domain=[IPAEXAMPLE] OS=[Unix] Server=[Samba 4.0.0rc4]
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.0.0rc4)
    Domain=[IPAEXAMPLE] OS=[Unix] Server=[Samba 4.0.0rc4]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
    The wbinfo command shows whether the FreeIPA domain is online.
    [root@ipaserver ~]# wbinfo --online-status
    BUILTIN : online
    IPAEXAMPLE : online
    
  10. If there are existing FreeIPA users and groups, every user and group must have an Active Directory-style security identifier (SID). A new ipaNTSecurityIdentifier attribute containing a SID can be created automatically for each entry by running a special ipa-sidgen-task operation on the backend LDAP directory.
    If there are no existing FreeIPA users or groups, then this step can be skipped.
    [root@ipaserver ]# ldapmodify -x -H ldap://ipaserver.ipaexample.com:389 -D "cn=directory manager" -w Passwd -f
    
    dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config
    changetype: add
    objectClass: top
    objectClass: extensibleObject
    cn: sidgen
    nsslapd-basedn: dc=ipadomain,dc=com
    delay: 0
    
    adding new entry "cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config"
    When the task completes successfully, there will be a message in the error logs that the SID generation task (Sidgen task) finished with a status of zero (0).
    [root@ipaserver ]# grep "sidgen_task_thread" /var/log/dirsrv/slapd-IPALAB-QE/errors
    [20/Jul/2012:18:17:16 +051800] sidgen_task_thread - [file ipa_sidgen_task.c, line 191]: Sidgen task starts ...
    [20/Jul/2012:18:17:16 +051800] sidgen_task_thread - [file ipa_sidgen_task.c, line 196]: Sidgen task finished [0].
  11. Create a trust agreement for the Active Directory domain and the FreeIPA domain. This command requires the Active Directory domain and the credentials of an administrative user to use to connect to the domain.
    ipa trust-add --type=type ad_domain_name --admin ad_admin_username --password
    For example:
    [root@ipaserver ~]# ipa trust-add --type=ad adexample.com --admin Administrator --password
    Active directory domain administrator's password: 
    ------------------------------------------------------
    Added Active Directory trust for realm "adexample.com"
    ------------------------------------------------------
      Realm name: adexample.com
      Domain NetBIOS name: ADEXAMPLE
      Domain Security Identifier: S-1-5-21-1689615952-3716327440-3249090444
      Trust direction: Two-way trust
      Trust type: Active Directory domain
      Trust status: Established and verified
  12. Request a ticket for a FreeIPA user to check the Kerberos configuration, and then check that the user can request service tickets.
    [root@ipaserver ~]# kinit jsmith
    First, request service tickets for services within the FreeIPA domain.
    [root@ipaserver ]# kvno host/ipaserver.ipaexample.com@IPA.DOMAIN
    Then, request service tickets for services within the Active Directory domain.
    [root@ipaserver ]# kvno cifs/adserver.adexample.com@AD.DOMAIN
    If the Active Directory service ticket is successfully granted, then there will be a cross-realm TGT listed with all of the other requested tickets. This will have the name krbtgt/AD.DOMAIN@IPA.DOMAIN.
    [root@ipaserver ]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: jsmith@IPA.DOMAIN
    
    Valid starting     Expires            Service principal
    06/15/12 12:13:04  06/16/12 12:12:55  krbtgt/IPA.DOMAIN@IPA.DOMAIN
    06/15/12 12:13:13  06/16/12 12:12:55  host/ipaserver.ipaexample.com@IPA.DOMAIN
    06/15/12 12:13:23  06/16/12 12:12:55  krbtgt/AD.DOMAIN@IPA.DOMAIN
    06/15/12 12:14:58  06/15/12 22:14:58  cifs/adserver.adexample.com@AD.DOMAIN

    NOTE

    This ticket is requested as a FreeIPA user because Kerberos realm mappings are not yet configured to allow Active Directory users to use Kerberos authentication to the realm.
  13. Configure realm mapping in the Kerberos configuration. This allows Kerberos authentication for Active Directory users.
    1. Open the /etc/krb5.conf configuration file.
      [root@ipaserver ]# vim /etc/krb5.conf
    2. In the [libdefaults] section, enable DNS lookups in the Kerberos realm.
      [libdefaults]
      ....
      dns_lookup_kdc = true
    3. In the [realms] section, identify the FreeIPA realm by name, and then add two auth_to_local lines to define the Kerberos principal name mapping. One rule should have a value of DEFAULT, for standard Unix usernames, and the other should include a rule which maps different Active Directory username formats and the specific Active Directory domain. For example, this rule allows usernames in the format first.last@ADDOMAIN, username@ADDOMAIN[.something], or username@addomain[.something]; the last two expressions allow upper-case or lower-case domain names, since Kerberos is case-sensitive.
      [realms]
      IDM = {
      ....
      auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN$)s/@ADDOMAIN/@addomain/
      auth_to_local = DEFAULT
      }
    4. Restart the KDC service.
      [root@ipaserver ~]# service krb5kdc restart
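To see exactly which principals the auth_to_local rule above accepts and what local name it produces, here is an added Python emulation of the MIT Kerberos RULE and DEFAULT matching logic applied to that rule; it is not code from the FreeIPA project, and it assumes IPA.DOMAIN is the default realm, as in the klist output in step 12.

```python
import re

# Rules exactly as configured in the [realms] section of /etc/krb5.conf above.
RULES = [
    "RULE:[1:$1@$0](^.*@ADDOMAIN$)s/@ADDOMAIN/@addomain/",
    "DEFAULT",
]

# Grammar of one MIT rule: RULE:[n:format](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def apply_rule(rule, principal, default_realm):
    """Return the local name for principal under one rule, or None if it does not apply."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    if len(components) != int(ncomp):
        return None  # [n:...] selects principals with exactly n components
    # Build the selection string: $0 is the realm, $1.. are the components.
    selstring = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        selstring = selstring.replace(f"${i}", comp)
    if not re.fullmatch(regexp, selstring):
        return None  # regexp must match the whole selection string
    # Apply the s/pattern/replacement/ substitution (all occurrences with 'g').
    return re.sub(pattern, replacement, selstring, count=0 if flag else 1)


def map_principal(principal, rules=RULES, default_realm="IPA.DOMAIN"):
    """First rule that applies wins, as the KDC evaluates auth_to_local lines in order."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None  # no rule matched: the KDC refuses to map this principal


if __name__ == "__main__":
    for p in ["jsmith@ADDOMAIN", "first.last@ADDOMAIN", "jsmith@IPA.DOMAIN",
              "host/adserver@ADDOMAIN", "jsmith@OTHER.REALM"]:
        print(f"{p:28} -> {map_principal(p)}")
```

Note that the regexp in the configured rule anchors on the literal realm ADDOMAIN, so a principal in any other realm (including a lower-case spelling) is not matched by it and falls through to DEFAULT.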
  14. Configure domain mapping in SSSD.
    1. Open the /etc/sssd/sssd.conf configuration file.
      [root@ipaserver ]# vim /etc/sssd/sssd.conf
    2. In the [sssd] section, add pac to the services list to enable the SSSD service to request and use Kerberos tickets with PAC data.
      [sssd]
      services = nss, pam, ssh, pac
      ....
    3. In the FreeIPA domain section, add the subdomains_provider parameter to explicitly enable SSSD to refer from the configured FreeIPA domain to any domains trusted by that domain.
      [domain/ipa.lan]
      cache_credentials = True
      krb5_store_password_if_offline = True
      ipa_domain = example2b.com
      id_provider = ipa
      auth_provider = ipa
      access_provider = ipa
      ipa_hostname = ipa2.example.com
      chpass_provider = ipa
      ipa_server = ipa2.example.com
      ldap_tls_cacert = /etc/ipa/ca.crt
      subdomains_provider = ipa
      The trusted Active Directory domain is not explicitly defined in the SSSD configuration. The FreeIPA domain is automatically created in the SSSD configuration when the client is installed; adding this line makes it possible to use the existing configuration.
      Subdomains and SSSD are described in more detail in the FreeIPA provider configuration examples in the SSSD chapter of the Deployment Guide.
    4. Save the changes to the sssd.conf file.
    5. Restart SSSD.
      [root@ipaserver ]# service sssd restart
  15. Restart the iptables and ip6tables services on the FreeIPA server.
    [root@ipaserver ]# service iptables start
  16. Restart the Windows firewall.