Edit summary: Updating page to remove wbinfo references and other outdated steps
Latest revision as of 19:06, 28 April 2014
Description
Configuring and testing cross-realm trust with Active Directory with multiple IPA servers
It should be noted that this is a simplified version of the following: QA:Testcase_freeipav3_ad_trust
For more information on FreeIPA Trust support, see the official guide here: IPAv3_AD_trust_setup
Setup
- Setup IPA Server per QA:Testcase_freeipav3_installation
- Setup IPA Replica per QA:Testcase_freeipav3_replication
- Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes
- AD server: ad1.ad.lan
- AD Realm: AD.LAN
- IPA servers: ipa1.ipa.lan ipa2.ipa.lan
- IPA Realm: IPA.LAN
How to test
1. On ipa1 and ipa2: Install FreeIPA AD Trust related software
# yum install freeipa-server-trust-ad
2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command
# ipa-adtrust-install
Prompts should provide the auto-discovered values. Accept defaults.
3. Wait until replication happens. This should take no more than a few minutes.
4. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command
# ipa-adtrust-install
Prompts should provide the auto-discovered values. Accept defaults.
5. On ipa1: Setup DNS forwarder for AD domain
# ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
    --force --forwarder=$AD1_IP --forward-policy=only
6. On ad1: Setup DNS Forwarder for IPA domain
# dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
? Do we need to run this for $IPA2_IP as well? or another command?
7. On ipa1: Add cross-realm trust
# ipa trust-add --type=ad ad.lan --admin Administrator --password
Active directory domain adminstrator's password:
-------------------------------------------------
Added Active Directory trust for realm "ad.lan"
-------------------------------------------------
  Realm name: ad.lan
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
8. On ipa1 and ipa2: Configure realm and domain mapping
# vi /etc/krb5.conf
[libdefaults]
....
dns_lookup_kdc = true
....
[realms]
IPA.LAN = {
  ....
  auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
  auth_to_local = DEFAULT
}
# systemctl restart krb5kdc.service
# systemctl restart sssd.service
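To see what the two auth_to_local lines in step 8 actually do before trusting them on a live KDC, here is an added example (not part of this test case and not FreeIPA or MIT Kerberos code) that evaluates krb5's RULE/DEFAULT syntax in Python. It assumes the local realm is IPA.LAN as in the Setup section, uses Python's re module as a stand-in for the POSIX regex krb5 compiles, and walks the rules in order exactly as they appear on the page, so you can check that AD.LAN principals are rewritten to the lowercase domain form while everything else either falls to DEFAULT or stays unmapped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed to match step 8 of the page: the RULE maps one-component AD.LAN
# principals to "user@ad.lan"; everything else is left to DEFAULT.
LOCAL_REALM = "IPA.LAN"
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/",
    "DEFAULT",
]


@dataclass
class Principal:
    components: List[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into its name components and realm."""
    name, realm = text.rsplit("@", 1)
    return Principal(name.split("/"), realm)


# RULE:[<ncomp>:<format>](<selector regex>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def apply_rule(rule: str, principal: Principal, local_realm: str) -> Optional[str]:
    """Return the local name produced by one rule, or None if the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm.
        if principal.realm == local_realm and len(principal.components) == 1:
            return principal.components[0]
        return None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported auth_to_local rule: {rule!r}")
    ncomp, fmt, selector, pattern, replacement, flag = m.groups()
    if len(principal.components) != int(ncomp):
        return None  # the rule applies only to principals with exactly ncomp components

    # Expand $0 (realm) and $1..$n (components) in the format string.
    def expand(match: "re.Match") -> str:
        idx = int(match.group(1))
        return principal.realm if idx == 0 else principal.components[idx - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if re.search(selector, formatted) is None:
        return None  # selector did not match; krb5 moves on to the next rule
    # sed-style substitution: 'g' replaces every occurrence, otherwise only the first.
    return re.sub(pattern, replacement, formatted, count=0 if flag == "g" else 1)


def map_principal(principal_text: str, rules=AUTH_TO_LOCAL_RULES,
                  local_realm=LOCAL_REALM) -> Optional[str]:
    """Walk the rules in order, as krb5 does, returning the first local name or None."""
    principal = parse_principal(principal_text)
    for rule in rules:
        local = apply_rule(rule, principal, local_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ["Administrator@AD.LAN", "admin@IPA.LAN",
              "host/ipa1.ipa.lan@IPA.LAN", "bob@OTHER.LAN"]:
        print(f"{p:32} -> {map_principal(p)}")
```

The last input is the one worth noticing: a principal from a realm that is neither IPA.LAN nor AD.LAN matches neither rule and gets no local name at all, which is the behaviour you want from a mapping rule. The output of such an evaluation is only a model; the authoritative check on a real server is still the GSSAPI logins in steps 12 to 14.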
9. On ipa1 and ipa2: enable make homedir function with authconfig if --mkhomedir wasn't used with ipa-*-install commands
# authconfig --enablemkhomedir --update
10. On ipa1: Create external POSIX groups for trusted domain users
# ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
# ipa group-add --desc='ad.lan admins' ad_admins
# ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: AD.LAN admins external map
  External member: S-1-5-21-16904141-148189700-2149043814-512
-------------------------
Number of members added 1
-------------------------
11. On ipa1: Add external group to POSIX group
# ipa group-add-member ad_admins --groups ad_admins_external
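Steps 10 and 11 build a two-level mapping: the external group holds AD SIDs (the 'AD\Domain Admins' name is stored as the domain SID from step 7 plus RID 512), and the POSIX group that nests it is what carries a GID on the IPA side. The following is an added example, not FreeIPA's own code, that models that mapping in Python so the resolution can be checked offline. It assumes the trust domain SID from the page's trust-add output; the GID and the user RIDs 1105 and 1106 are constructed values, and the domain-SID check before adding an external member is a defender-side sanity check this example adds, not something the ipa command performs in this form.

```python
from typing import Dict, Set, Tuple

# Domain SID reported by "ipa trust-add" in step 7 of the page.
TRUST_DOMAIN_SID = "S-1-5-21-16904141-148189700-2149043814"

# Constructed model of steps 10 and 11: external groups hold AD SIDs, POSIX
# groups nest external groups and carry the GID (the GID value is made up here).
EXTERNAL_GROUPS: Dict[str, Set[str]] = {
    "ad_admins_external": {TRUST_DOMAIN_SID + "-512"},  # AD\Domain Admins
}
POSIX_GROUPS: Dict[str, dict] = {
    "ad_admins": {"gid": 1234000005, "external_members": {"ad_admins_external"}},
}


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); raise on malformed input."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def is_trusted_domain_sid(sid: str, trust_domain_sid: str = TRUST_DOMAIN_SID) -> bool:
    """True when an external member SID belongs to the trusted AD domain."""
    domain, _rid = split_sid(sid)
    return domain == trust_domain_sid


def add_external_member(group: str, sid: str,
                        external_groups: Dict[str, Set[str]] = EXTERNAL_GROUPS) -> None:
    """Model 'ipa group-add-member <group> --external <sid>', refusing foreign-domain SIDs."""
    if not is_trusted_domain_sid(sid):
        raise ValueError(f"{sid} is not from trusted domain {TRUST_DOMAIN_SID}")
    external_groups.setdefault(group, set()).add(sid)


def resolve_posix_groups(user_sids: Set[str],
                         external_groups: Dict[str, Set[str]] = EXTERNAL_GROUPS,
                         posix_groups: Dict[str, dict] = POSIX_GROUPS) -> Dict[str, int]:
    """Map the SIDs in an AD user's token to the IPA POSIX groups (name -> gid) they land in."""
    matched_external = {name for name, sids in external_groups.items() if sids & user_sids}
    return {
        name: spec["gid"]
        for name, spec in posix_groups.items()
        if spec["external_members"] & matched_external
    }


if __name__ == "__main__":
    # Constructed tokens: an AD domain admin and a plain AD user.
    admin_token = {TRUST_DOMAIN_SID + "-1105", TRUST_DOMAIN_SID + "-513", TRUST_DOMAIN_SID + "-512"}
    user_token = {TRUST_DOMAIN_SID + "-1106", TRUST_DOMAIN_SID + "-513"}
    print("admin ->", resolve_posix_groups(admin_token))  # {'ad_admins': 1234000005}
    print("user  ->", resolve_posix_groups(user_token))   # {}
    try:
        add_external_member("ad_admins_external", "S-1-5-21-1-2-3-512", {})
    except ValueError as err:
        print("rejected:", err)
```

The RID 512 of a foreign domain is deliberately rejected: only a SID whose domain part equals the SID that trust-add reported should ever end up in an external group, otherwise a group from an unrelated domain would silently inherit the POSIX group's GID.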
12. On ipa1: SSH to ipa2 as external user
# kinit Administrator@AD.LAN
# ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan
13. On ipa2: SSH to ipa1 as external user
# kinit Administrator@AD.LAN
# ssh -l "Administrator@ad.lan" ipa1.ipa.lan
14. On ad1: SSH to ipa1 as AD user
* Install standard putty from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
* SSH with putty to ipa1 using GSSAPI
* When prompted for user use "Administrator@ad.lan"
Expected Results
All the test steps should end with the above specified results.