From Fedora Project Wiki

(Updating page to remove wbinfo references and other outdated steps)
Latest revision as of 19:06, 28 April 2014

Description

Configuring and testing cross-realm trust with Active Directory using multiple IPA servers

It should be noted that this is a simplified version of the following: QA:Testcase_freeipav3_ad_trust

For more information on FreeIPA Trust support, see the official guide here: IPAv3_AD_trust_setup

Setup

  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per Setting_up_Active_Directory_domain_for_testing_purposes
  4. AD server: ad1.ad.lan
  5. AD Realm: AD.LAN
  6. IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  7. IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values.  Accept defaults.

3. Wait for replication to complete. This should take no more than a few minutes.

4. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   Prompts should provide the auto-discovered values. Accept defaults.

5. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

6. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well, or is another command needed?

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active directory domain adminstrator's password:
   -------------------------------------------------
   Added Active Directory trust for realm "ad.lan"
   -------------------------------------------------
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified

8. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
   [libdefaults]
   ....
    dns_lookup_kdc = true
   ....
   [realms]
   IPA.LAN = {
   ....
     auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
     auth_to_local = DEFAULT
   }
   # systemctl restart krb5kdc.service
   # systemctl restart sssd.service

9. On ipa1 and ipa2: Enable automatic home directory creation with authconfig, if --mkhomedir was not passed to the ipa-*-install commands

   # authconfig --enablemkhomedir --update

10. On ipa1: Create external POSIX groups for trusted domain users

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: AD.LAN admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   -------------------------
   Number of members added 1
   -------------------------

11. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external

12. On ipa1: SSH to ipa2 as external user

   # kinit Administrator@AD.LAN
   # ssh -k -l "Administrator@ad.lan" ipa2.ipa.lan

13. On ipa2: SSH to ipa1 as external user

   # kinit Administrator@AD.LAN
   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan

14. On ad1: SSH to ipa1 as AD user

   * Install standard putty from here:
     http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
   * SSH with putty to ipa1 using GSSAPI
   * When prompted for user use "Administrator@ad.lan"
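
The login name used in steps 12 to 14, "Administrator@ad.lan", is what the auth_to_local rule from step 8 produces from the Kerberos principal Administrator@AD.LAN. The following Python model of MIT krb5 RULE and DEFAULT evaluation is an added example, not part of the original test case or of FreeIPA; it assumes IPA.LAN as the default realm and uses Python regular expressions where krb5 itself uses POSIX ones.

```python
import re

# The rule exactly as written in the krb5.conf fragment of step 8.
AD_TRUST_RULE = "RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/"
DEFAULT_REALM = "IPA.LAN"  # assumption: the IPA realm from the test setup

RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"   # [n:string]
    r"(?:\((?P<match>.*?)\))?"                # optional (regexp) selector
    r"(?P<subst>(?:s/.*?/.*?/g?)*)$")         # zero or more s/pat/repl/[g]
SUBST_RE = re.compile(r"s/(.*?)/(.*?)/(g?)")

def split_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, ""
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Evaluate one RULE; return the local name or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    comps, realm = split_principal(principal)
    if len(comps) != int(m.group("n")):
        return None  # [n:...] applies only to principals with exactly n components
    candidate = m.group("fmt").replace("$0", realm)
    for i in range(len(comps), 0, -1):  # highest index first so $1 never eats $10
        candidate = candidate.replace("$%d" % i, comps[i - 1])
    if m.group("match") and not re.search(m.group("match"), candidate):
        return None  # selector regexp did not match: fall through to the next rule
    for pat, repl, g in SUBST_RE.findall(m.group("subst")):
        candidate = re.sub(pat, repl, candidate, count=0 if g else 1)
    return candidate

def apply_default(principal, default_realm=DEFAULT_REALM):
    """DEFAULT: a single-component principal in the default realm maps to that component."""
    comps, realm = split_principal(principal)
    return comps[0] if realm == default_realm and len(comps) == 1 else None

def map_principal(principal, rules=(AD_TRUST_RULE, "DEFAULT"), default_realm=DEFAULT_REALM):
    """Rules are tried in krb5.conf order; first match wins, no match means no local user."""
    for rule in rules:
        local = apply_default(principal, default_realm) if rule == "DEFAULT" else apply_rule(rule, principal)
        if local is not None:
            return local
    return None

if __name__ == "__main__":
    for p in ("Administrator@AD.LAN", "admin@IPA.LAN", "host/ipa1.ipa.lan@IPA.LAN", "bob@OTHER.LAN"):
        print(p, "->", map_principal(p))
```

Only principals from the trusted AD.LAN realm are rewritten; a principal from an unrelated realm, or a multi-component service principal, matches neither rule and gets no local account.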

Expected Results

All test steps should complete with the results specified above.