From Fedora Project Wiki

No edit summary
(Updating page to remove wbinfo references and other outdated steps)
 
(4 intermediate revisions by 3 users not shown)
Line 5: Line 5:
It should be noted that this is a simplified version of the following:
It should be noted that this is a simplified version of the following:
[[QA:Testcase_freeipav3_ad_trust]]
[[QA:Testcase_freeipav3_ad_trust]]
For more information on FreeIPA Trust support, see the official guide here:
[http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup IPAv3_AD_trust_setup]


|setup=
|setup=
# Setup IPA Server per [[QA:Testcase_freeipav3_installation]]
# Setup IPA Server per [[QA:Testcase_freeipav3_installation]]
# Setup IPA Replica per [[QA:Testcase_freeipav3_replication]]
# Setup IPA Replica per [[QA:Testcase_freeipav3_replication]]
# Setup AD Server per NEED LINK
# Setup AD Server per [http://www.freeipa.org/page/Setting_up_Active_Directory_domain_for_testing_purposes Setting_up_Active_Directory_domain_for_testing_purposes]
# AD server:  ad1.ad.lan
# AD server:  ad1.ad.lan
# AD Realm:    AD.LAN
# AD Realm:    AD.LAN
Line 19: Line 22:


1. On ipa1 and ipa2: Install FreeIPA AD Trust related software
1. On ipa1 and ipa2: Install FreeIPA AD Trust related software
     # yum install freeipa-server-trust-ad samba-winbind samba-winbind-clients samba-client
     # yum install freeipa-server-trust-ad


2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command
2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command
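Review bot: Dropping samba-winbind, samba-winbind-clients and samba-client from the install line (`# yum install freeipa-server-trust-ad`) leaves the test relying on freeipa-server-trust-ad pulling in whatever Samba components it needs; that is consistent with the wbinfo verification step being removed further down, but it would be worth one sentence saying that the remaining package is expected to bring in its dependencies, so a tester who sees a leaner package set does not re-add them by hand.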
Line 25: Line 28:
     Prompts should provide the auto-discovered values.  Accept defaults.
     Prompts should provide the auto-discovered values.  Accept defaults.


3. On ipa2:  Setup IPA AD Trust with ipa-adtrust-install command
3. Wait until replication happens... Should take not more than few minutes.
     ? We still have to run ipa-adtrust-install here right?
 
4. On ipa2:  Setup IPA AD Trust with ipa-adtrust-install command
     # ipa-adtrust-install
    Prompts should provide the auto-discovered values. Accept defaults.


4. On ipa1: Setup DNS forwarder for AD domain
5. On ipa1: Setup DNS forwarder for AD domain
     # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
     # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
     --force --forwarder=$AD1_IP --forward-policy=only
     --force --forwarder=$AD1_IP --forward-policy=only


5. On ad1: Setup DNS Forwarder for IPA domain
6. On ad1: Setup DNS Forwarder for IPA domain
     # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
     # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
     ? Do we need to run this for $IPA2_IP as well? or another command?
     ? Do we need to run this for $IPA2_IP as well? or another command?
6. On ipa1 and ipa2: verify IPA realm setup
    # wbinfo -online-status


7. On ipa1: Add cross-realm trust
7. On ipa1: Add cross-realm trust
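Review bot: The open question at step 6, "? Do we need to run this for $IPA2_IP as well? or another command?", is carried over unchanged into the new revision, so the test case still ships with an unresolved author note in the middle of the procedure; either add the second IPA server's address to the forwarder setup or state that a single forwarder to $IPA1_IP is sufficient for this test, and delete the question. Note also that the old step 6 (`# wbinfo -online-status`) was the only verification point before the trust is added; with it gone, the first check that the two servers are correctly set up is the "Trust status: Established and verified" line in step 7.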
Line 51: Line 54:
       Trust type: Active Directory domain
       Trust type: Active Directory domain
       Trust status: Established and verified
       Trust status: Established and verified
    Note Security Identifier of the trusted domain as AD_DOM_SID
    ? This isn't necessary on ipa2 is it?
8. On ipa1 and ipa2: Restart FreeIPA KDC
    # systemctl restart krb5kdc.service
    ? Is this still necessary?


9. On ipa1 and ipa2: Configure realm and domain mapping
8. On ipa1 and ipa2: Configure realm and domain mapping
     # vi /etc/krb5.conf
     # vi /etc/krb5.conf
     [libdefaults]
     [libdefaults]
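Review bot: Removing "Note Security Identifier of the trusted domain as AD_DOM_SID" together with the "? This isn't necessary on ipa2 is it?" question is consistent with the later hunk, which adds the external member by name (`'AD\Domain Admins'`) rather than by the noted SID, so nothing downstream still refers to AD_DOM_SID. Dropping the separate "Restart FreeIPA KDC" step here is also fine only because the restart reappears after the krb5.conf edit in the next hunk; the ordering there (edit, then restart krb5kdc and sssd) is the right one.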
Line 71: Line 68:
     }
     }


     # vi /etc/sssd/sssd.conf
     # systemctl restart krb5kdc.service
     [domain/ipa.lan]
     # systemctl restart sssd.service
    ...
 
    subdomains_provider = ipa
9. On  ipa1 and ipa2: enable make homedir function with authconfig if --mkhomedir wasn't used with ipa-*-install commands
     ...
     # authconfig --enablemkhomedir --update
    [sssd]
    services = nss, pam, ssh, pac
    ? Is this one still necessary?  No right?


10. On ipa1 and ipa2: Restart SSSD service
10. On ipa1: Create external POSIX groups for trusted domain users
    # systemctl restart sssd.service</pre>
   
11. On ipa1: Create external POSIX groups for trusted domain users
     # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
     # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external


     # ipa group-add --desc='ad.lan admins' ad_admins
     # ipa group-add --desc='ad.lan admins' ad_admins


    # wbinfo -n 'AD\Domain Admins'
     # ipa group-add-member adadmins_external --external 'AD\Domain Admins'
    S-1-5-21-16904141-148189700-2149043814-512 SID_DOM_GROUP (2)
 
     # ipa group-add-member adadmins_external --external \
    S-1-5-21-16904141-148189700-2149043814-512
     [member user]:  
     [member user]:  
     [member group]:  
     [member group]:  
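Review bot: The group name in `# ipa group-add-member adadmins_external --external 'AD\Domain Admins'` does not match the group created two lines earlier with `# ipa group-add --desc='ad.lan admins external map' ad_admins_external --external`; the mismatch exists in both columns and survives into the new revision, and the command as written would target a group that does not exist, so the membership shown in the expected output ("Group name: ad_admins_external") could never have come from this exact command. Suggest `# ipa group-add-member ad_admins_external --external 'AD\Domain Admins'`.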
Line 102: Line 89:
     -------------------------
     -------------------------


12. On ipa1: Add external group to POSIX group
11. On ipa1: Add external group to POSIX group
     # ipa group-add-member ad_admins --groups ad_admins_external
     # ipa group-add-member ad_admins --groups ad_admins_external


13. On  ipa1 and ipa2: enable make homedir function with authconfig
12. On ipa1: SSH to ipa2 as external user
    # authconfig --enablemkhomedir --updateall
    # kinit Administrator@AD.LAN
    # systemctl restart sssd.service
     # ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan
    # systemctl restart sshd.service
   
14. On ipa1: SSH to ipa2 as external user
     # ssh -l "Administrator@ad.lan" ipa2.ipa.lan


15. On ipa2: SSH to ipa1 as external user
13. On ipa2: SSH to ipa1 as external user
    # kinit Administrator@AD.LAN
     # ssh -l "Administrator@ad.lan" ipa1.ipa.lan
     # ssh -l "Administrator@ad.lan" ipa1.ipa.lan


16. On ad1:  SSH to ipa1 as AD user
14. On ad1:  SSH to ipa1 as AD user
     * Install standard putty from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html here]
     * Install standard putty from here:
      http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
     * SSH with putty to ipa1 using GSSAPI
     * SSH with putty to ipa1 using GSSAPI
     * When prompted for user use "Administrator@ad.lan"
     * When prompted for user use "Administrator@ad.lan"
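Review bot: The new step 12 adds `-k` to `# ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan`, while the mirror step 13 (`# ssh -l "Administrator@ad.lan" ipa1.ipa.lan`) is left without it. In OpenSSH, `-k` disables forwarding (delegation) of GSSAPI credentials to the server, which is the safer default for a test login; if that is the intent, both steps should use it, and if it is not, the flag should be removed from step 12 so the two directions of the test are exercised identically.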
Line 126: Line 111:
|optional=
|optional=
}}
}}
[[Category:Active_Directory_Test_Cases]] [[Category:FreeIPA_Test_Cases]]

Latest revision as of 19:06, 28 April 2014

Description

Configuring and testing a cross-realm trust with Active Directory using multiple IPA servers

It should be noted that this is a simplified version of the following: QA:Testcase_freeipav3_ad_trust

For more information on FreeIPA Trust support, see the official guide here: IPAv3_AD_trust_setup

Setup

  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes
  4. AD server: ad1.ad.lan
  5. AD Realm: AD.LAN
  6. IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  7. IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values.  Accept defaults.

3. Wait until replication happens. This should take no more than a few minutes.

4. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values. Accept defaults.

5. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

6. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well? or another command?

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active directory domain adminstrator's password:
   -------------------------------------------------
   Added Active Directory trust for realm "ad.lan"
   -------------------------------------------------
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified

8. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
   [libdefaults]
   ....
    dns_lookup_kdc = true
   ....
   [realms]
   IPA.LAN = {
   ....
     auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
     auth_to_local = DEFAULT
   }
   # systemctl restart krb5kdc.service
   # systemctl restart sssd.service

9. On ipa1 and ipa2: Enable automatic home directory creation with authconfig if --mkhomedir was not used with the ipa-*-install commands

   # authconfig --enablemkhomedir --update

10. On ipa1: Create external POSIX groups for trusted domain users

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: AD.LAN admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   -------------------------
   Number of members added 1
   -------------------------

11. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external

12. On ipa1: SSH to ipa2 as external user

   # kinit Administrator@AD.LAN
   # ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan

13. On ipa2: SSH to ipa1 as external user

   # kinit Administrator@AD.LAN
   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan

14. On ad1: SSH to ipa1 as AD user

   * Install standard putty from here:
     http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
   * SSH with putty to ipa1 using GSSAPI
   * When prompted for user use "Administrator@ad.lan"
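The checks below are an added example, not part of the wiki test case, that turn the expected results of steps 7, 8 and 10 into something a tester can verify mechanically: the trust is established, the external member SID belongs to the trusted domain and carries the Domain Admins RID (512), and the krb5.conf auth_to_local rule maps AD principals the way step 8 intends. The sample outputs are constructed to mirror the page; on a real server you would feed in the output of `ipa trust-show ad.lan` and `ipa group-show ad_admins_external` instead.

```shell
#!/bin/sh
# Offline verification helpers for the FreeIPA/AD trust test case.
# Added example; the sample outputs below are constructed, not captured.

# Constructed sample: the summary printed by `ipa trust-add` in step 7.
TRUST_OUTPUT='  Realm name: ad.lan
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified'

# Constructed sample: the external group as shown in step 10.
GROUP_OUTPUT='  Group name: ad_admins_external
  Description: AD.LAN admins external map
  External member: S-1-5-21-16904141-148189700-2149043814-512'

# Succeed only if the trust output reports an established, verified trust.
trust_established() {
    printf '%s\n' "$1" | grep -q '^ *Trust status: Established and verified$'
}

# Print the Domain Security Identifier from the trust output.
trust_domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^ *Domain Security Identifier: //p'
}

# Succeed if the group's external member SID has the trusted domain's SID as
# prefix and ends in RID 512, the well-known RID of "Domain Admins".
# A SID from another domain, or another RID, is rejected.
external_member_is_domain_admins() {
    _sid=$(printf '%s\n' "$2" | sed -n 's/^ *External member: //p')
    [ "$_sid" = "$(trust_domain_sid "$1")-512" ]
}

# Apply the step 8 auth_to_local rules to a Kerberos principal:
#   RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/  keeps name@realm and
#   lowercases the realm for AD principals; DEFAULT strips the local realm.
# Principals from any other realm match no rule and get no local user.
auth_to_local() {
    case "$1" in
        *@AD.LAN)  printf '%s\n' "$1" | sed 's/@AD\.LAN$/@ad.lan/' ;;
        *@IPA.LAN) printf '%s\n' "${1%@IPA.LAN}" ;;
        *)         return 1 ;;
    esac
}

# Stand-alone run: report the checks the way the test case expects them.
trust_established "$TRUST_OUTPUT" && echo "trust status: ok"
external_member_is_domain_admins "$TRUST_OUTPUT" "$GROUP_OUTPUT" && echo "external member: Domain Admins of ad.lan"
echo "Administrator@AD.LAN maps to $(auth_to_local Administrator@AD.LAN)"
```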

Expected Results

All test steps should end with the results specified above.