From Fedora Project Wiki


Configuring and testing cross-realm trust with Active Directory with multiple IPA servers

It should be noted that this is a simplified version of the following: QA:Testcase_freeipav3_ad_trust

For more information on FreeIPA Trust support, see the official guide here: IPAv3_AD_trust_setup


  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes
  4. AD server:
  5. AD Realm: AD.LAN
  6. IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  7. IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values.  Accept defaults.

3. Wait until replication happens... Should take not more than few minutes.

4. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values. Accept defaults.

5. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

6. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well? or another command?

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active directory domain adminstrator's password:
   Added Active Directory trust for realm "ad.lan"
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified

8. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
    dns_lookup_kdc = true
   IPA.LAN = {
     auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
     auth_to_local = DEFAULT
   # systemctl restart krb5kdc.service
   # systemctl restart sssd.service

9. On ipa1 and ipa2: enable make homedir function with authconfig if --mkhomedir wasn't used with ipa-*-install commands

   # authconfig --enablemkhomedir --update

10. On ipa1: Create external POSIX groups for trusted domain users

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # ipa group-add-member adadmins_external --external 'AD\Domain Admins'
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: AD.LAN admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   Number of members added 1

11. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external

12. On ipa1: SSH to ipa2 as external user

   # kinit Administrator@AD.LAN
   # ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan

13. On ipa2: SSH to ipa1 as external user

   # kinit Administrator@AD.LAN
   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan

14. On ad1: SSH to ipa1 as AD user

   * Install standard putty from here:
   * SSH with putty to ipa1 using GSSAPI
   * When prompted for user use "Administrator@ad.lan"

Expected Results

All the test steps should end with the above specified results.