Creating a Domain Trust with Red Hat IdM/FreeIPA and Active Directory

This is something I wrote quite some time ago, and some how it was never published. Apologies for the late release.

What is a Domain Trust and why would I want one?

A Domain Trust, in the traditional sense, is a feature that would allow one “Domain” (Typical a Windows Active Directory Domain), to be set up to trust another “Domain”.

In the Active Directory world, trusts are generally used for large organisations who wish to join one organisations infrastructure to another.
For example, Company A has just purchased Company B, and as an interim step of consolidation, they would join them together in order to allow Company A staff to access resources of Company B and visa versa.

With the release of FreeIPA 3.0, setting up a trust with Active Directory is now a supported feature.

Background

Many people might be asking right now “But why would I want a trust between FreeIPA and Active Directory?”

Before I answer that, lets establish a brief background.

Lets say for example, I have a very large Windows estate which is controlled and managed by Active Directory, but my organisation also has a very large Linux estate.

This situation creates several predicaments.

  1. I need everything centralised but they aren’t all of the same vendor
  2. All my users are in Active Directory and need access to resources on Linux servers
  3. Why can’t I just add everything to Active Directory?
  4. If I add Linux systems to Active Directory, how to I control access to them?

 

The short answer here is, its up to you. You don’t have to have a domain trust. You could always tap your Linux systems directly into Active Directory (in fact, I have an article on how to do that very thing here), however the important things to remember is:

  1. Active Directory was never designed to manage Linux
  2. FreeIPA has been designed for this very purpose

The way I look at this is, by keeping your Windows estate managed by Active Directory, you still maintain 100% control through your existing means. Group Policies, Security Groups, etc. They are still your friend. However, to keep things neat and organised, by having a separate FreeIPA domain, you maintain that same level of control over your Linux estate.

No matter how you look at this, you have Windows being managed in the right way, as well as having Linux managed in the right way. Setting up a Domain Trust between the two, is simply the next step of maintaining that same level of centralised control, however this gives you the ability to manage everything centrally.

E.g. You’re windows users can access Linux based File/Print/Proxy/Web servers as well as still maintaining Sign Sign On capabilities if you chose to use them. The end user experience from my clients can be completely seemless if you set things up properly. At the end of the day, that keeps everyone happy.

Prerequisites

So that is definitely enough rambling from me. Lets crack on with implementing a domain trust.

In this example, I will be using the below details.

FreeIPA Domain
Directory Server Name:     ds01.example.com
Directory Server IP:       10.0.1.11
Domain Name:               example.com
Realm:                     EXAMPLE.COM
NetBIOS Name:              EXAMPLE
Client Computer Name:      client01.example.com
Client Computer OS:        Fedora 18
FreeIPA User:              ipauser1

Windows Domain
Domain Controller Name:    dc01.nt.example.com
Domain Controller IP:      10.0.2.11 
Domain Name:               nt.example.com
Realm:                     NT.EXAMPLE.COM
NetBIOS Name:              NT
Client Computer Name:      windows01.nt.example.com
Client Computer OS:        Windows 7 x86_64
Active Directory User:     aduser1

I am assuming that you already have existing FreeIPA and Windows Domains, as this article is only designed to walk through establishing the trust relationship.
If you are looking for information on setting up a FreeIPA Domain, you can find an article here

You’ll notice that in the above details, I am setting up my Windows Domain as a child of my IPA Domain.

You should keep in mind that when it comes to Domain trusts, there is no such thing as a child. Each domain is just a name with resources associated to it. As long as you have DNS resolution of both domains from each other, you won’t have any problems at all.

 

Installation

Step 1. DNS Resolution

When it comes to trusts, DNS is crucial. You will already have working DNS infrastructure within both your FreeIPA and Windows domains, so now its just a brief step to get them pointing to each other.

I would recommend you read the official FreeIPA documentation surrounding DNS as it explains all details of different environments. You can find it here http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#DNS_configuration

As I am setting up a child domain in the DNS sense, I only have to do the following.

On the IPA server:
Add a pointer record for IPA to forward all “nt” queries of the “example.com” domain to the Windows Domain Controller.

[root@ds01 ~]# ipa dnsrecord-add example.com dc01.nt --a-ip-address=10.0.2.11
  Record name: dc01.nt
  A record: 10.0.2.11
[root@ds01 ~]# ipa dnsrecord-add example.com nt --ns-hostname=dc01.nt
  Record name: nt
  NS record: dc01.nt
[root@ds01 ~]#

On the Windows server:
Add a conditional forwarder to point all queries to “example.com” to the FreeIPA Directory Server

C:\Users\Administrator> dnscmd /zoneadd example.com /dsforwarder 10.0.1.11

Verify your details by pinging  “ds01.example.com”. If you get a response, the forwarder is working.

 

Step 2. Install necessary packages on FreeIPA Directory Server

You will need to install the trust packages in order to set up a domain trust.

For RHEL based IPA servers run:

[root@ds01 ~]# yum install -y ipa-server-trust-ad

For Fedora based IPA servers run:

[root@ds01 ~]# yum install -y freeipa-server-trust-ad

 

Step 3. Prepare your FreeIPA server for the new trust

Next, we need to run “ipa-adtrust-install”.
Below I have included all the ouput so you know exactly what to expect.

[root@ds01 ~]# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: 

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [EXAMPLE]:

Configuring CIFS
  [1/18]: stopping smbd
  [2/18]: creating samba domain object
  [3/18]: creating samba config registry
  [4/18]: writing samba config file
  [5/18]: adding cifs Kerberos principal
  [6/18]: adding cifs principal to S4U2Proxy targets
  [7/18]: adding admin(group) SIDs
  [8/18]: adding RID bases
  [9/18]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [10/18]: activating CLDAP plugin
  [11/18]: activating sidgen plugin and task
  [12/18]: activating extdom plugin
  [13/18]: configuring smbd to start on boot
  [14/18]: adding special DNS service records
  [15/18]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [16/18]: adding fallback group
  [17/18]: setting SELinux booleans
  [18/18]: starting CIFS services
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
    TCP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 445: microsoft-ds
    UDP Ports:
      * 138: netbios-dgm
      * 139: netbios-ssn
      * 389: (C)LDAP
      * 445: microsoft-ds

Additionally you have to make sure the FreeIPA LDAP server is not reachable
by any domain controller in the Active Directory domain by closing down
the following ports for these servers:
    TCP Ports:
      * 389, 636: LDAP/LDAPS

You may want to choose to REJECT the network packets instead of DROPing
them to avoid timeouts on the AD domain controllers.

=============================================================================

[root@ds01 ~]#

Step 4. Open required ports in IPTables

Run the following to allow and deny the ports mentioned in the output of the previous step.

[root@ds01 ~]# for x in 138 139 445 ; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done
[root@ds01 ~]# for x in 138 139 389 445 ; do iptables -I INPUT -p udp --dport $x -j ACCEPT ; done
[root@ds01 ~]# for x in 389 636 ; do iptables -I INPUT -p tcp -s 10.0.2.11 --dport $x -j REJECT ; done
[root@ds01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@ds01 ~]#

Step 5. Establish the trust

Now its time to pull it all together. Create your trust from your FreeIPA server.

Note: Unlike normal Windows Domain trusts where you have to validate the trust agreement on the other end, this process is completed in the one process.

[root@ds01 ~]# ipa trust-add --type=ad nt.example.com --admin Administrator --password
Active directory domain administrator's password: 
-------------------------------------------------------
Added Active Directory trust for realm "nt.example.com"
-------------------------------------------------------
  Realm name: nt.example.com
  Domain NetBIOS name: NT
  Domain Security Identifier: S-1-5-21-195870719-1427277748-2096390971
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@ds01 ~]#

 

Step 6. Access Control

Now that we have the trust in place, we need to grant users or groups from Active Directory, into an IPA based group.

This type of scenario is great for locking down services. For example allowing a specific Active Directory Group SSH access to a specific set of Linux servers.

To map the “Domain Admins” group from Active Directory into IPA, run the following.

Create the mapping with:

[root@ds01 ~]# ipa group-add –desc=’Active Directory Domain Admins external map’ domain_admins_map –external
——————————-
Added group “domain_admins_map”
——————————-
Group name: domain_admins_map
Description: Active Directory Domain Admins external map
[root@ds01 ~]#

[root@ds01 ~]# ipa group-add-member domain_admins_map –external ‘NT\Domain Admins’
[member user]:
[member group]:
Group name: domain_admins_map
Description: Active Directory Domain Admins external map
External member: S-1-5-21-195870719-1427277748-2096390971-512
————————-
Number of members added 1
————————-
[root@ds01 ~]#
Next we need to create a normal IPA based group to to apply the above Active Directory group to.

[root@ds01 ~]# ipa group-add –desc=’Active Directory Domain Admins’ active_directory_domain_admins
——————————————–
Added group “active_directory_domain_admins”
——————————————–
Group name: active_directory_domain_admins
Description: Active Directory Domain Admins
GID: 1660200005
[root@ds01 ~]#

Now, lets add the Active Directory group mapping to the new IPA based group.

[root@ds01 ~]# ipa group-add-member active_directory_domain_admins –groups domain_admins_map
Group name: active_directory_domain_admins
Description: Active Directory Domain Admins
GID: 1660200005
Member groups: domain_admins_map
————————-
Number of members added 1
————————-
[root@ds01 ~]#

 

 

One comment on “Creating a Domain Trust with Red Hat IdM/FreeIPA and Active Directory

  1. fran March 20, 2014 05:59

    I tested in accordance with your paper,I have a difficult,can you help me ,thank you very much!!
    login as: Administrator ADEXAMPLE COM
    > Administrator ADEXAMPLE COM@192.168.227.201‘s password:
    > Last login: Wed Feb 12 14:39:49 2014 from 192.168.227.1
    > Could not chdir to home directory /home/adexample.com/administrator: No
    > such file or directory
    > /usr/bin/xauth: error in locking authority file /home/
    > adexample.com/administrator/.Xauthority
    > -sh-4.1$
    >
    > *But still not able to login with other AD accounts:*
    >
    > [root ipaserver1 sbin]# su Genadi ADEXAMPLE COM
    > su: user Genadi ADEXAMPLE COM does not exist
    >
    > After reading the other threads, ill try and provide as much information as
    > i can:
    >
    > *wbinfo -u does not return values.*
    > [root ipaserver1 sbin]# wbinfo -u
    > [root ipaserver1 sbin]#
    >
    > *wbinfo -u output:*
    > [root ipaserver1 sbin]# wbinfo -g
    > admins
    > editors
    > default smb group
    > ad_users
    >
    > *wbinfo –online-status shows ADEXAMPLE is offline*
    > [root ipaserver1 ~]# wbinfo –online-status
    > BUILTIN : online
    > LINUX : online
    > ADEXAMPLE : offline

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>