
8.2. Environment and Machine Requirements to Set Up Trusts

Make sure that both the Active Directory and FreeIPA servers, machines, and environments meet the requirements and settings in this section before configuring a trust agreement.

8.2.1. Domain and Realm Names

The FreeIPA DNS domain name and Kerberos realm name must be different than the Active Directory DNS domain name and Kerberos realm name.

8.2.2. NetBIOS Names

The NetBIOS name is the far-left component of the domain name. For example, if the domain is linux.example.com, the NetBIOS name is linux, while if the domain name is simply example.com, it is example. The NetBIOS name is critical for identifying the Active Directory domain and, if the FreeIPA domain is within a subdomain of Active Directory DNS, for identifying the FreeIPA domain and services.
The FreeIPA domain and Active Directory domain must have different NetBIOS names.

8.2.3. Integrated DNS

Both the Active Directory server and the FreeIPA server must be configured to run their own respective DNS services.

8.2.4. Firewalls and Ports

Required Ports
For a trust relationship, the Active Directory server and FreeIPA server must have nearly all of the ports open that a FreeIPA server installation requires, with the exception of the LDAP ports.
Table 8.3. FreeIPA Ports

Service       Ports      Type
HTTP/HTTPS    80, 443    TCP
Kerberos      88, 464    TCP and UDP
DNS           53         TCP and UDP
NTP           123        UDP

The iptables rules in the procedure below additionally allow ports 138, 139 and 445 (NetBIOS datagram, NetBIOS session and SMB).

IMPORTANT

The FreeIPA backend LDAP server must not be reachable by the Active Directory domain controller. The associated ports, 389 and 636, on the FreeIPA server host must be blocked for connections from the Active Directory domain controller.
Starting iptables at Boot Time
Configure the iptables service to start when the system boots:
[root@ipaserver ~]# chkconfig iptables on
Setting iptables Configuration
The iptables configuration needs to allow access to the required FreeIPA ports and reject access to the FreeIPA LDAP ports. The order of the rules is important: the rule rejecting LDAP connections from the Active Directory domain controller (matched on its source IP address) must come first, followed by the rules that accept connections to all FreeIPA TCP and UDP ports. Because the reject rule matches a single source address, repeat it for every domain controller in the Active Directory domain (or match the domain controllers' subnet); otherwise an unlisted domain controller falls through to the accept rule and can reach LDAP.
  1. Open the iptables configuration file.
    [root@ipaserver ~]# vim /etc/sysconfig/iptables
  2. Add the rule to restrict access to LDAP ports for the Active Directory host.
    -A INPUT -s ad_ip_address -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT
  3. Make sure that there are lines allowing access to the TCP and UDP ports required by FreeIPA.
    -A INPUT -p tcp -m multiport --dports 80,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
  4. Save the file.
  5. Restart the iptables service:
    [root@ipaserver ~]# service iptables restart
Example 8.1. Example iptables Configuration File
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s ad_ip_address -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT
-A INPUT -p tcp -m multiport --dports 80,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -j REJECT
-A INPUT -p tcp -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
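The ordering requirement above is easy to get wrong and easy to audit. The following script is an added example, not part of the FreeIPA documentation or code: it reads an iptables-save style file in the format of Example 8.1 and walks the INPUT chain with iptables' first-match semantics for a new TCP connection from each Active Directory domain controller address to ports 389 and 636, reporting whether the connection is rejected before the broad ACCEPT rule. The addresses 192.0.2.10 and 192.0.2.11 are constructed RFC 5737 documentation addresses; the second stands in for a domain controller that was never listed in the REJECT rule, and the subnet variant shows one way to cover all of them. Only the -s, -i, -p, -j, --state and --dport/--dports options are interpreted, and only TCP is checked.

```python
import ipaddress
import re

LDAP_TCP_PORTS = (389, 636)


def _opt(rule, flag):
    """Argument of a single-valued option such as -p, -s, -i or -j, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None


def _ports(rule):
    """Destination ports matched by --dport/--dports; an empty set means any port."""
    m = re.search(r"--dports?\s+(\S+)", rule)
    ports = set()
    if m:
        for part in m.group(1).split(","):
            lo, _, hi = part.partition(":")          # multiport ranges are written lo:hi
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _states(rule):
    """Connection states named by --state, or None when the rule has no state match."""
    m = re.search(r"--state\s+(\S+)", rule)
    return set(m.group(1).split(",")) if m else None


def first_verdict(config_text, src_addr, dport):
    """Target of the first INPUT rule matching a NEW TCP packet from src_addr to
    dport (iptables first-match semantics); None means the chain policy applies."""
    for line in config_text.splitlines():
        rule = line.strip()
        if not rule.startswith("-A INPUT"):
            continue
        if _opt(rule, "-i") == "lo":                 # loopback-only rule; remote traffic never matches
            continue
        if _opt(rule, "-p") not in (None, "tcp"):    # icmp/udp rules cannot match a TCP packet
            continue
        src = _opt(rule, "-s")
        if src is not None and ipaddress.ip_address(src_addr) not in ipaddress.ip_network(src, strict=False):
            continue                                 # rule is scoped to another address or subnet
        states = _states(rule)
        if states is not None and "NEW" not in states:
            continue                                 # e.g. the ESTABLISHED,RELATED rule
        ports = _ports(rule)
        if ports and dport not in ports:
            continue
        return _opt(rule, "-j")
    return None


def ldap_blocked_from(config_text, ad_addresses):
    """Map each AD DC address to True iff new connections to both LDAP ports are REJECTed/DROPped."""
    return {addr: all(first_verdict(config_text, addr, p) in ("REJECT", "DROP")
                      for p in LDAP_TCP_PORTS)
            for addr in ad_addresses}


# Constructed rule sets modelled on Example 8.1, with a documentation address in place of ad_ip_address.
_PREAMBLE = [
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
]
REJECT_AD_LDAP = ("-A INPUT -s 192.0.2.10 -p tcp -m multiport --dports 389,636 "
                  "-m state --state NEW,ESTABLISHED -j REJECT")
ACCEPT_IPA_TCP = ("-A INPUT -p tcp -m multiport --dports 80,443,389,636,88,464,53,138,139,445 "
                  "-m state --state NEW,ESTABLISHED -j ACCEPT")
_TAIL = [
    "-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT -p udp -j REJECT",
    "-A INPUT -p tcp -j REJECT",
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
]


def _config(*input_rules):
    header = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    return "\n".join(header + list(input_rules) + ["COMMIT"]) + "\n"


GOOD_CONFIG = _config(*_PREAMBLE, REJECT_AD_LDAP, ACCEPT_IPA_TCP, *_TAIL)
# The mistake the text warns about: the broad ACCEPT precedes the REJECT, so it matches first.
MISORDERED_CONFIG = _config(*_PREAMBLE, ACCEPT_IPA_TCP, REJECT_AD_LDAP, *_TAIL)
# Rejecting the whole AD subnet covers domain controllers that were not listed individually.
SUBNET_CONFIG = _config(*_PREAMBLE, REJECT_AD_LDAP.replace("192.0.2.10", "192.0.2.0/24"), ACCEPT_IPA_TCP, *_TAIL)


if __name__ == "__main__":
    for label, cfg in (("ordered", GOOD_CONFIG), ("misordered", MISORDERED_CONFIG), ("subnet", SUBNET_CONFIG)):
        print(label, ldap_blocked_from(cfg, ["192.0.2.10", "192.0.2.11"]))
```

Run it against the real file with `ldap_blocked_from(open("/etc/sysconfig/iptables").read(), [dc addresses])` after editing the rules; a False for any domain controller means that controller still reaches the LDAP ports. Note that the ESTABLISHED,RELATED rule at the top of Example 8.1 is harmless here: it never matches a new connection, which is exactly what the check models.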

8.2.5. Clock Settings

Both the Active Directory server and the FreeIPA server must have their clocks in sync.

8.2.6. Supported Username Formats

Username mapping is performed in the local SSSD client. SSSD uses a regular expression with named capture groups, written in the Python-style (?P<name>...) syntax, to split a login name into the user name and the domain to which it belongs.
By default in SSSD, the username format is defined in the form name@domain. This uses the regular expression:
re_expression = (?P<name>[^@]+)@?(?P<domain>[^@]*$)
Active Directory, however, accepts several different name formats, so the re_expression parameter in the SSSD configuration file for FreeIPA backends or Active Directory backends uses a more complex expression:
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
This supports usernames in multiple formats:
  • username
  • username@domain.name
  • DOMAIN\username

TIP

An additional SSSD parameter, default_domain_suffix, can be used to supply a default domain value for usernames. For example, if all users are in a trusted Active Directory domain of adexample.com and the identity backend is the FreeIPA domain of ipa.example.com, the default_domain_suffix parameter can be set with the value adexample.com. All users are automatically assumed to belong to that user domain unless the domain value is explicitly given with the username.
This is explained in more detail in the SSSD chapter of the Deployment Guide.
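The following script is an added example, not SSSD code, showing how the trust re_expression above splits each of the three login formats and how default_domain_suffix fills in a missing domain, next to the default name@domain expression for comparison. One caveat it makes visible: Python's standard re module rejects a group name that appears twice in one pattern, so the three alternatives, which SSSD evaluates with libpcre, are given distinct group names here and merged after the match; the character classes and the order of the alternatives are unchanged. The login names used are constructed.

```python
import re

# Python's stdlib re rejects a group name that is used twice in one pattern, so
# the alternatives of the SSSD trust re_expression carry distinct group names
# here and are merged after the match. Order and character classes follow the
# expression in the text.
SSSD_TRUST_EXPRESSION = re.compile(
    r"^(?:"
    r"(?P<dom_bs>[^\\]+)\\(?P<name_bs>.+)$"   # DOMAIN\username
    r"|(?P<name_at>[^@]+)@(?P<dom_at>.+)$"     # username@domain.name
    r"|(?P<name_bare>[^@\\]+)$"                # bare username
    r")"
)

# SSSD's default expression, for comparison: it only knows name@domain.
SSSD_DEFAULT_EXPRESSION = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")


def parse_trust_username(raw, default_domain_suffix=None):
    """Split a login name into (name, domain) as the trust re_expression does.

    default_domain_suffix plays the role of the SSSD option of that name: it is
    used only when the login name itself carries no domain. Raises ValueError
    for input that matches none of the three formats (for example "jdoe@").
    """
    m = SSSD_TRUST_EXPRESSION.match(raw)
    if m is None:
        raise ValueError("login name matches no supported format: %r" % raw)
    name = m.group("name_bs") or m.group("name_at") or m.group("name_bare")
    domain = m.group("dom_bs") or m.group("dom_at") or default_domain_suffix
    return name, domain


def parse_default_username(raw):
    """Same split with SSSD's default expression. The backslash form is not
    recognised: the whole string becomes the user name and the domain is None."""
    m = SSSD_DEFAULT_EXPRESSION.match(raw)
    if m is None:
        raise ValueError("login name matches no supported format: %r" % raw)
    return m.group("name"), m.group("domain") or None


if __name__ == "__main__":
    # Constructed sample logins in the three formats the text lists.
    for login in ("jdoe", "jdoe@adexample.com", "ADEXAMPLE\\jdoe"):
        print("%-22s trust: %-28s default: %s" % (
            login,
            parse_trust_username(login, default_domain_suffix="adexample.com"),
            parse_default_username(login)))
```

With the default expression, ADEXAMPLE\jdoe is treated as a bare user name containing a backslash and no domain, which is why the trust configuration needs the longer expression. A domain given explicitly in the login name always wins over default_domain_suffix, as the text describes.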

8.2.7. Trust Can Only Be Configured Once

WARNING

The ipa-adtrust-install command can only be run once. If any information is entered incorrectly, particularly the NetBIOS name for the FreeIPA server, but also the administrative credentials or other settings, then the trust services and all FreeIPA packages must be uninstalled and reinstalled, and the command run again from scratch.
It is not possible to rerun the ipa-adtrust-install command to change the settings.