From Fedora Project Wiki

Description

Configuring and testing cross-realm trust with Active Directory.

Setup

  1. Make sure your FreeIPA server is set up as in QA:Testcase_freeipa_trust_server_installation.
  2. You have to select a name for the IPA realm that is different from the Active Directory domain name.
  3. There are two types of installation for FreeIPA:
    1. without integrated DNS setup
    2. with integrated DNS setup
    Since cross-realm trusts require working DNS autodiscovery, in both cases one needs to ensure properly working DNS resolution of the SRV records corresponding to Kerberos, LDAP, and other services. If DNS is handled by FreeIPA, the entries will be created when running the 'ipa-adtrust-install' tool. If DNS is not managed by FreeIPA, running 'ipa-adtrust-install' with '--no-msdcs' will print all entries that need to be created. Create them at your DNS server after the 'ipa-adtrust-install' step, before proceeding further.

How to test

Planned configuration

The instructions below assume the following setup:

  • There is an Active Directory domain, set up under the name AD.EXAMPLE.ORG. The domain controller for AD.EXAMPLE.ORG is dc.ad.example.org and has the IP address DC-AD-IPaddr.
  • There is a FreeIPA realm, set up under the name IPA.EXAMPLE.ORG. The FreeIPA server for the realm IPA.EXAMPLE.ORG is srv.ipa.example.org and has the IP address DC-IPA-IPaddr.

The FreeIPA realm will gain a short name used for NetBIOS communication, known as the 'domain name' in SMB. Usually it is the same as the leftmost component of the realm, i.e. IPA for IPA.EXAMPLE.ORG.

Installation

First, install the FreeIPA server as in QA:Testcase_freeipa_trust_server_installation.

Next, install the following packages:

# yum install freeipa-server-trust-ad samba-winbind samba-winbind-clients samba-client

The samba-winbind-clients package is not needed for actual work. It is only needed to verify that certain operations performed by a Windows client indeed trigger the proper reaction from the FreeIPA setup.

If the installation aborts with a multilib error similar to this one:

Error: Protected multilib versions: 2:libwbclient-4.0.7-1.fc19.i686 != 2:libwbclient-4.0.7-2.fc19.x86_64
Error: Protected multilib versions: 2:samba-libs-4.0.7-1.fc19.i686 != 2:samba-libs-4.0.7-2.fc19.x86_64
Error: Protected multilib versions: 1:cups-libs-1.6.3-1.fc19.i686 != 1:cups-libs-1.6.3-3.fc19.x86_64

Try enabling updates-testing to make sure all the correct dependencies are pulled in. As of today (07-24) the packages are being pushed from testing to stable.

With DNS controlled by FreeIPA server

Run ipa-adtrust-install without parameters:

# ipa-adtrust-install

You'll be prompted to confirm the needed information, which is auto-discovered from the FreeIPA setup. You'll be asked to enter your admin credentials for the FreeIPA server. The DNS configuration will be updated to include the SRV records expected by Active Directory clients. In order to support legacy clients, you need to answer "yes" when asked whether to enable trusted domains support in slapi-nis:

Enable trusted domains support in slapi-nis? [no]: yes

Alternatively, you can pass --enable-compat to ipa-adtrust-install.

Without DNS controlled by FreeIPA server

Run ipa-adtrust-install with the --no-msdcs argument:

# ipa-adtrust-install --no-msdcs

You'll be prompted to confirm the needed information, which is auto-discovered from the FreeIPA setup. You'll be asked to enter your admin credentials for the FreeIPA server. At the end of execution, ipa-adtrust-install will print the list of SRV records that you should create at your DNS server in order to continue.

Configure DNS forwarder

Both the Active Directory domain and the FreeIPA realm need to be able to find each other and discover information about each other's resources. If there is no common uplink DNS server, appropriate domain name forwarders need to be created on both sides.

DNS forwarder from FreeIPA side

# ipa dnszone-add ad.example.org --name-server=dc.ad.example.org --admin-email='hostmaster@ad.example.org' --force --forwarder=DC-AD-IPaddr --forward-policy=only --ip-address=192.168.122.217

DNS forwarder from Active Directory side

   Open Start->Administrative Tools->DNS
   right-click on 'Conditional Forwarders' in the left column of the window
   select 'New Conditional Forwarder...'
   add the DNS domain name of your FreeIPA domain and the IP addresses of one or more DNS servers of your FreeIPA domain

To test the new configuration you can try to ping your FreeIPA server again. It might be necessary to run 'ipconfig /flushdns' to remove any cached results.

Alternatively, you can use the command-line utility dnscmd to configure the forwarder:

   Open Start -> Command Prompt
   Enter: dnscmd 127.0.0.1 /ZoneAdd ipa.example.org /Forwarder <IP_ADDRESS_OF_IPA_SERVER>

The command should report that zone ipa.example.org was successfully added.

Verify DNS configuration

To make sure the AD and IPA servers can see each other, check that the SRV records are resolved properly.

On AD DC:

C:\> nslookup
> set type=srv
> _ldap._tcp.ad.example.org
> _ldap._tcp.ipa.example.org
> quit

On IPA server:

# dig SRV _ldap._tcp.ipa.example.org
# dig SRV _ldap._tcp.ad.example.org

In case of DNS issues, refer to the DNS configuration part of the following guide: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

Verify basics

Use the wbinfo utility from samba-winbind-clients to verify that ipa-adtrust-install has set everything up correctly:

# wbinfo --online-status
BUILTIN : online
IPA : online

Configure realm and domain mapping

For the time being, one has to manually configure krb5.conf on the FreeIPA server to perform cross-realm-specific operations.

Look into /etc/krb5.conf and change/add the following, replacing the realm names appropriately:

[realms]
IPA.EXAMPLE.ORG = {
....
  auth_to_local = RULE:[1:$1@$0](^.*@AD.EXAMPLE.ORG$)s/@AD.EXAMPLE.ORG/@ad.example.org/
  auth_to_local = DEFAULT
}
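To see what the two auth_to_local lines above do to an incoming principal name, here is an added example (not part of this wiki page or of FreeIPA): a small Python evaluator of the MIT krb5 RULE/DEFAULT mapping syntax, run against the exact rule from the fragment above. It assumes the realm names used on this page and uses Python's re module in place of the POSIX regex engine krb5 uses, which is sufficient for this rule.

```python
import re

# Realm names and the auth_to_local rules exactly as in the krb5.conf fragment above.
LOCAL_REALM = "IPA.EXAMPLE.ORG"
RULES = [
    "RULE:[1:$1@$0](^.*@AD.EXAMPLE.ORG$)s/@AD.EXAMPLE.ORG/@ad.example.org/",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]...  (selector and s// are optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUB_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Return the local name produced by one rule, or None if the rule does not apply."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        return name if realm == local_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    ncomp, fmt, selector, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != ncomp:  # [n:...] applies only to principals with n components
        return None
    # $0 is the realm, $1..$n are the principal components.
    parts = {"0": realm, **{str(i): c for i, c in enumerate(comps, 1)}}
    candidate = re.sub(r"\$(\d+)", lambda x: parts.get(x.group(1), ""), fmt)
    # The selector regex must match the formatted string (Python re stands in for POSIX ERE).
    if selector and not re.search(selector, candidate):
        return None
    for pat, repl, flag in SUB_RE.findall(subs):
        candidate = re.sub(pat, repl, candidate, count=0 if flag else 1)
    return candidate


def auth_to_local(principal, rules=RULES, local_realm=LOCAL_REALM):
    """Walk the rules in order; the first one that applies wins, as krb5 does."""
    for rule in rules:
        result = apply_rule(rule, principal, local_realm)
        if result is not None:
            return result
    return None  # no rule applied: krb5 reports that the principal cannot be mapped


if __name__ == "__main__":
    for p in ("user@AD.EXAMPLE.ORG", "admin@IPA.EXAMPLE.ORG",
              "host/srv.ipa.example.org@IPA.EXAMPLE.ORG", "user@OTHER.EXAMPLE.COM"):
        print("%-45s -> %s" % (p, auth_to_local(p)))
```

The AD user maps to a lower-cased domain name (user@ad.example.org) that SSSD and Samba can look up, the local admin falls through to DEFAULT and becomes a plain user name, while service principals and principals from an unknown realm map to nothing.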

Expected Results

All the test steps should end with the specified results.