From Fedora Project Wiki


Description

Configuring and testing cross-realm trust with Active Directory using multiple IPA servers

Note that this is a simplified version of QA:Testcase_freeipav3_ad_trust

For more information on FreeIPA Trust support, see the official guide here: IPAv3_AD_trust_setup

Setup

  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes
  4. AD server: ad1.ad.lan
  5. AD Realm: AD.LAN
  6. IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  7. IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values. Accept defaults.

3. Wait for replication to complete. It should take no more than a few minutes.

4. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values. Accept defaults.

5. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

6. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well, or is a different command needed?

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active directory domain adminstrator's password:
   -------------------------------------------------
   Added Active Directory trust for realm "ad.lan"
   -------------------------------------------------
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified

8. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
   [libdefaults]
   ....
    dns_lookup_kdc = true
   ....
   [realms]
   IPA.LAN = {
   ....
     auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
     auth_to_local = DEFAULT
   }
   # systemctl restart krb5kdc.service
   # systemctl restart sssd.service

9. On ipa1 and ipa2: enable home directory creation with authconfig if --mkhomedir was not used with the ipa-*-install commands

   # authconfig --enablemkhomedir --update

10. On ipa1: Create external POSIX groups for trusted domain users

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: AD.LAN admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   -------------------------
   Number of members added 1
   -------------------------

11. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external

12. On ipa1: SSH to ipa2 as external user

   # kinit Administrator@AD.LAN
   # ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan

13. On ipa2: SSH to ipa1 as external user

   # kinit Administrator@AD.LAN
   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan

14. On ad1: SSH to ipa1 as AD user

   * Install standard putty from here:
     http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
   * SSH with putty to ipa1 using GSSAPI
   * When prompted for user use "Administrator@ad.lan"
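The auth_to_local rule configured in step 8 decides which local name a Kerberos principal maps to before SSSD looks it up. As an added example (not part of this test case), the following Python evaluator implements the MIT krb5 rule syntax for that rule plus DEFAULT so the mapping can be checked offline; LOCAL_REALM, RULES and the sample principals are assumed from the setup above.

```python
import re

# Added example (not from the wiki page): a small evaluator for the MIT krb5
# auth_to_local rules used in step 8, so the mapping can be checked offline.
# Rule grammar handled here: RULE:[n:fmt](regex)s/pat/repl/[g] and DEFAULT.
#   [n:fmt]  applies only to principals with exactly n components; $0 is the
#            realm, $1..$n the components, substituted into fmt
#   (regex)  optional; the formatted string must match it (case-sensitive)
#   s/.../   optional sed-style substitution applied afterwards
#   DEFAULT  maps single-component principals of the local realm to the
#            component name and nothing else
LOCAL_REALM = "IPA.LAN"                       # assumed from the test setup
RULES = [
    "RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/",   # krb5.conf, step 8
    "DEFAULT",
]

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"                          # [n:fmt]
    r"(?:\(([^)]*)\))?"                                  # (regex), optional
    r"(?:s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?))?$"  # s/pat/repl/[g]
)

def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Return the local name this rule yields for principal, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, match_re, pat, repl, flag = m.groups()
    if len(comps) != int(ncomp):
        return None
    # expand $0 (realm) and $1..$n (principal components) in the format string
    out = re.sub(r"\$(\d+)",
                 lambda v: realm if v.group(1) == "0" else comps[int(v.group(1)) - 1],
                 fmt)
    if match_re is not None and re.match(match_re, out) is None:
        return None
    if pat is not None:
        out = re.sub(pat, repl, out, count=0 if flag == "g" else 1)
    return out

def auth_to_local(principal, rules=RULES, local_realm=LOCAL_REALM):
    """First matching rule wins, as in krb5.conf; None means no local name."""
    for rule in rules:
        local = apply_rule(rule, principal, local_realm)
        if local is not None:
            return local
    return None

if __name__ == "__main__":
    # constructed sample principals: trusted-realm user, local user, local
    # service principal, and a lowercase realm that the rule does not match
    for p in ["Administrator@AD.LAN", "admin@IPA.LAN",
              "host/ipa1.ipa.lan@IPA.LAN", "Administrator@ad.lan"]:
        print("%-28s -> %s" % (p, auth_to_local(p)))
```

The last sample shows why the regex must name the realm exactly as Kerberos issues it (AD.LAN): a principal with a lowercase realm matches neither the rule nor DEFAULT and gets no local name.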

Expected Results

All the test steps should end with the above specified results.