From Fedora Project Wiki

Revision as of 18:21, 3 April 2013 by Spoore (talk | contribs)


Configuring and testing cross-realm trust with Active Directory with multiple IPA servers

This is a simplified version of QA:Testcase_freeipav3_ad_trust, adapted for an IPA topology with a replica.


  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes

  Names used in the steps below:
  * AD server: ad1
  * AD Realm: AD.LAN
  * IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  * IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad samba-winbind samba-winbind-clients samba-client

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values.  Accept defaults.

3. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   ? We still have to run ipa-adtrust-install here right?

4. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

5. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well? or another command?

6. On ipa1 and ipa2: verify that winbind is online for the IPA realm

   # wbinfo --online-status

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active Directory domain administrator's password:
   Added Active Directory trust for realm "ad.lan"
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified
   Note Security Identifier of the trusted domain as AD_DOM_SID
   ? This isn't necessary on ipa2 is it?

8. On ipa1 and ipa2: Restart FreeIPA KDC

   # systemctl restart krb5kdc.service
   ? Is this still necessary?

9. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
   Add to the existing [libdefaults] and [realms] sections:
   [libdefaults]
    dns_lookup_kdc = true
   [realms]
    IPA.LAN = {
      auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
      auth_to_local = DEFAULT
    }
   # vi /etc/sssd/sssd.conf
   Add to the [sssd] section and to the domain section created by the installer:
   [sssd]
    services = nss, pam, ssh, pac
   [domain/ipa.lan]
    subdomains_provider = ipa
   ? Is this one still necessary?  No right?

10. On ipa1 and ipa2: Restart SSSD service

   # systemctl restart sssd.service

11. On ipa1: Create an external group for the trusted domain's Domain Admins and a POSIX group to hold it

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # wbinfo -n 'AD\Domain Admins'
   S-1-5-21-16904141-148189700-2149043814-512 SID_DOM_GROUP (2)
   The domain part of this SID must equal AD_DOM_SID from step 7; RID 512 is Domain Admins.
   # ipa group-add-member ad_admins_external --external S-1-5-21-16904141-148189700-2149043814-512
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: ad.lan admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   Number of members added 1

12. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external

13. On ipa1 and ipa2: enable home directory creation at login with authconfig

   # authconfig --enablemkhomedir --updateall
   # systemctl restart sssd.service
   # systemctl restart sshd.service

14. On ipa1: SSH to ipa2 as external user

   # ssh -l "Administrator@ad.lan" ipa2.ipa.lan
   Login with the AD password should succeed and a home directory should be created for the user.

15. On ipa2: SSH to ipa1 as external user

   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan
   Login should succeed as in step 14.

16. On ad1: SSH to ipa1 as AD user

   * Install standard PuTTY on ad1
   * SSH with PuTTY to ipa1.ipa.lan with GSSAPI authentication enabled
   * When prompted for user use "Administrator@ad.lan"
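The following is an added example, not part of the original test case or of FreeIPA: an offline shell script that checks the values produced in steps 7, 9 and 11 the way a tester would script them. The ipa trust-add and wbinfo -n outputs embedded in it are constructed from the sample values shown on this page, and the auth_to_local emulation is a simplification (principals the rule does not match are passed through unchanged to stand for the DEFAULT rule). Its main point is the check before group-add-member --external: the domain part of the group SID must equal the Domain Security Identifier reported by trust-add, so that a well-known SID or a SID from some other domain is never mapped into the POSIX group.

```sh
#!/bin/sh
# Added example (not from the original test case): offline sanity checks on the
# values the trust setup produces. No ipa or wbinfo command is executed here.

# Constructed sample of what `ipa trust-add --type=ad ad.lan ...` prints (step 7).
TRUST_ADD_OUTPUT='Added Active Directory trust for realm "ad.lan"
  Realm name: ad.lan
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified'

# Constructed sample of `wbinfo -n "AD\Domain Admins"` (step 11).
WBINFO_OUTPUT='S-1-5-21-16904141-148189700-2149043814-512 SID_DOM_GROUP (2)'

# Extract a "Key: value" field from ipa command output ($1 = output, $2 = key).
ipa_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# The first whitespace-separated token of wbinfo -n output is the SID.
wbinfo_sid() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Syntax check: S-1-<authority>-<subauth>(-<subauth>)*
is_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# Domain SID = everything before the trailing RID.
sid_domain() {
    printf '%s' "$1" | sed 's/-[0-9]*$//'
}

# RID = last dash-separated component.
sid_rid() {
    printf '%s' "$1" | sed 's/.*-//'
}

# Only accept a group SID whose domain part is the trusted domain's SID.
# Anything else (e.g. S-1-5-32-544, BUILTIN\Administrators, or a SID from an
# unrelated forest) must not become an external member of the POSIX group.
check_external_member() {
    # $1 = candidate group SID, $2 = AD_DOM_SID from trust-add
    is_sid "$1" || return 1
    is_sid "$2" || return 1
    [ "$(sid_domain "$1")" = "$2" ]
}

# Emulate the step 9 rule  RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
# It fires only for single-component principals in AD.LAN. Multi-component
# principals (host/..., HTTP/...) and other realms are returned unchanged here,
# standing in for the fall-through to the DEFAULT rule.
map_principal() {
    princ=$1
    name=${princ%@*}
    realm=${princ##*@}
    case $name in
        */*) printf '%s\n' "$princ"; return ;;
    esac
    if [ "$realm" = "AD.LAN" ]; then
        printf '%s\n' "$name@ad.lan"
    else
        printf '%s\n' "$princ"
    fi
}

main() {
    status=$(ipa_field "$TRUST_ADD_OUTPUT" "Trust status")
    [ "$status" = "Established and verified" ] || { echo "trust not verified: $status"; return 1; }
    ad_dom_sid=$(ipa_field "$TRUST_ADD_OUTPUT" "Domain Security Identifier")
    grp_sid=$(wbinfo_sid "$WBINFO_OUTPUT")
    check_external_member "$grp_sid" "$ad_dom_sid" || { echo "$grp_sid is not in $ad_dom_sid"; return 1; }
    echo "OK: RID $(sid_rid "$grp_sid") belongs to trusted domain $ad_dom_sid"
    echo "Administrator@AD.LAN maps to $(map_principal Administrator@AD.LAN)"
}

main "$@"
```

Run it as is to see the checks pass on the page's sample values; to use it against a live setup, replace the two constructed variables with the real command output and keep the domain-part comparison, which is the part that matters.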

Expected Results

All the test steps should complete with the results shown above, and the SSH logins in steps 14 to 16 should succeed as the AD user.