From Fedora Project Wiki

Revision as of 15:33, 3 April 2013 by Spoore (talk | contribs)


Description

Configuring and testing a cross-realm trust between Active Directory and an IPA domain that has multiple IPA servers.

This is a simplified version of QA:Testcase_freeipav3_ad_trust.

Setup

  1. Setup IPA Server per QA:Testcase_freeipav3_installation
  2. Setup IPA Replica per QA:Testcase_freeipav3_replication
  3. Setup AD Server per NEED LINK
  4. AD server: ad1.ad.lan
  5. AD Realm: AD.LAN
  6. IPA servers: ipa1.ipa.lan ipa2.ipa.lan
  7. IPA Realm: IPA.LAN

How to test

1. On ipa1 and ipa2: Install FreeIPA AD Trust related software

   # yum install freeipa-server-trust-ad samba-winbind samba-winbind-clients samba-client

2. On ipa1: Setup IPA AD Trust with ipa-adtrust-install command

   # ipa-adtrust-install
   The prompts should show the auto-discovered values. Accept the defaults.

3. On ipa2: Setup IPA AD Trust with ipa-adtrust-install command

   ? We still have to run ipa-adtrust-install here right?

4. On ipa1: Setup DNS forwarder for AD domain

   # ipa dnszone-add ad.lan --name-server=ad1.ad.lan --admin-email='hostmaster@ad.lan' \
   --force --forwarder=$AD1_IP --forward-policy=only

5. On ad1: Setup DNS Forwarder for IPA domain

   # dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder $IPA1_IP
   ? Do we need to run this for $IPA2_IP as well? or another command?

6. On ipa1 and ipa2: verify IPA realm setup

   # wbinfo --online-status

7. On ipa1: Add cross-realm trust

   # ipa trust-add --type=ad ad.lan --admin Administrator --password
   Active directory domain administrator's password:
   -------------------------------------------------
   Added Active Directory trust for realm "ad.lan"
   -------------------------------------------------
     Realm name: ad.lan
     Domain NetBIOS name: AD
     Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
     Trust direction: Two-way trust
     Trust type: Active Directory domain
     Trust status: Established and verified
   Note the Domain Security Identifier of the trusted domain; it is referred to below as AD_DOM_SID.
   ? This isn't necessary on ipa2 is it?

8. On ipa1 and ipa2: Restart FreeIPA KDC

   # systemctl restart krb5kdc.service
   ? Is this still necessary?

9. On ipa1 and ipa2: Configure realm and domain mapping

   # vi /etc/krb5.conf
   [libdefaults]
   ....
    dns_lookup_kdc = true
   ....
   [realms]
   IPA.LAN = {
   ....
     auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
     auth_to_local = DEFAULT
   }
   # vi /etc/sssd/sssd.conf
   [domain/ipa.lan]
   ...
   subdomains_provider = ipa
   ...
   [sssd]
   services = nss, pam, ssh, pac
   ? Is this one still necessary?  No right?
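The auth_to_local rule above is easy to misread. As an added illustration (not part of this test case), the following POSIX sh function emulates what `RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/` does to a principal name: a single-component principal in the AD.LAN realm is rewritten to the lowercase ad.lan form that SSSD resolves, while anything else (other realms, service principals with a `/` component) is left for the `DEFAULT` rule. The function name `map_principal` is this example's own choice; nothing here talks to a KDC.

```sh
#!/bin/sh
# Added example, not from the wiki page: emulates the krb5.conf line
#   auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
# on a principal name so the mapping can be checked before editing the file.
# Pure string handling; no KDC is contacted. The name map_principal is
# this example's own.

# map_principal PRINCIPAL
# Prints the local name the rule yields. Prints the input unchanged and
# returns 1 when the rule does not apply (krb5 then falls through to the
# next line, auth_to_local = DEFAULT).
map_principal() {
    princ=$1
    realm=${princ##*@}      # $0 in the rule: the realm part
    name=${princ%@*}        # the principal's components, without the realm
    # [1:$1@$0] only matches principals with exactly one component, so a
    # service principal such as host/ipa1.ipa.lan@AD.LAN is not rewritten.
    case $name in
        */*) printf '%s\n' "$princ"; return 1 ;;
    esac
    # (^.*@AD.LAN$) restricts the rule to principals from the trusted realm;
    # the substitution is the rule's own s/@AD.LAN/@ad.lan/.
    case "$name@$realm" in
        *@AD.LAN) printf '%s\n' "$name@$realm" | sed 's/@AD.LAN/@ad.lan/' ;;
        *)        printf '%s\n' "$princ"; return 1 ;;
    esac
}

# Usage: sh map_principal.sh Administrator@AD.LAN
if [ $# -gt 0 ]; then map_principal "$1"; fi
```

A principal from IPA.LAN, or a two-component principal from AD.LAN, comes back unchanged with exit status 1, which is the case where krb5 moves on to the `DEFAULT` rule.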

10. On ipa1 and ipa2: Restart SSSD service

   # systemctl restart sssd.service

11. On ipa1: Create external POSIX groups for trusted domain users

   # ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
   # ipa group-add --desc='ad.lan admins' ad_admins
   # wbinfo -n 'AD\Domain Admins'
   S-1-5-21-16904141-148189700-2149043814-512 SID_DOM_GROUP (2)
   # ipa group-add-member ad_admins_external --external \
   S-1-5-21-16904141-148189700-2149043814-512
    [member user]: 
    [member group]: 
     Group name: ad_admins_external
     Description: ad.lan admins external map
     External member: S-1-5-21-16904141-148189700-2149043814-512
   -------------------------
   Number of members added 1
   -------------------------

12. On ipa1: Add external group to POSIX group

   # ipa group-add-member ad_admins --groups ad_admins_external
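Step 11 pastes the SID printed by `wbinfo -n` into `ipa group-add-member --external` by hand. As an added check (example code, not part of this test case), the POSIX sh functions below parse that `wbinfo` line and refuse a SID that is not a domain group, or that does not sit directly under the domain SID recorded as AD_DOM_SID in step 7, so a group from some other domain cannot end up mapped into `ad_admins`. The sample line and domain SID are the ones shown on this page; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the wiki page: vets the SID from `wbinfo -n`
# before it is handed to `ipa group-add-member --external`. Text only; the
# wbinfo line below is the one shown in step 11, embedded so the checks run
# without a trust in place.

AD_DOM_SID="S-1-5-21-16904141-148189700-2149043814"   # from step 7 on this page
WBINFO_LINE='S-1-5-21-16904141-148189700-2149043814-512 SID_DOM_GROUP (2)'

# sid_from_wbinfo "LINE": print the SID from a `wbinfo -n` result line, but
# only when the name resolved to a domain group (SID_DOM_GROUP). User or
# alias SIDs are rejected so they cannot be mapped as a group by mistake.
sid_from_wbinfo() {
    set -- $1
    case $1 in
        S-1-5-21-*-*-*-*) ;;
        *) return 1 ;;
    esac
    [ "$2" = "SID_DOM_GROUP" ] || return 1
    printf '%s\n' "$1"
}

# sid_in_domain SID DOM_SID: succeed only if SID is DOM_SID plus one RID.
sid_in_domain() {
    sid=$1; dom=$2
    rid=${sid#"$dom"-}
    [ "$rid" != "$sid" ] || return 1        # prefix did not strip: other domain
    case $rid in
        ''|*[!0-9]*) return 1 ;;            # RID must be a single plain number
    esac
    return 0
}

# sid_rid SID: print the trailing relative identifier (512 = Domain Admins).
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# vet_external_sid LINE DOM_SID: the check to run before group-add-member.
# Prints the SID on success; prints nothing and returns 1 otherwise.
vet_external_sid() {
    sid=$(sid_from_wbinfo "$1") || return 1
    sid_in_domain "$sid" "$2" || return 1
    printf '%s\n' "$sid"
}

if [ "${1:-}" = "--demo" ]; then
    if sid=$(vet_external_sid "$WBINFO_LINE" "$AD_DOM_SID"); then
        echo "OK: $sid (RID $(sid_rid "$sid")) belongs to $AD_DOM_SID"
        # only now is it reasonable to run:
        #   ipa group-add-member ad_admins_external --external "$sid"
    else
        echo "refusing: SID is not a group in the trusted domain" >&2
        exit 1
    fi
fi
```

On a real server the line would come from `wbinfo -n 'AD\Domain Admins'` and AD_DOM_SID from the `ipa trust-add` output; the point of the check is that `ad_admins` carries the `admins` mapping, so the SID granted to it should be verified against the trust you actually established rather than copied blindly.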

13. On ipa1 and ipa2: enable make homedir function with authconfig

   # authconfig --enablemkhomedir --updateall
   # systemctl restart sssd.service
   # systemctl restart sshd.service

14. On ipa1: SSH to ipa2 as external user

   # ssh -l "Administrator@ad.lan" ipa2.ipa.lan

15. On ipa2: SSH to ipa1 as external user

   # ssh -l "Administrator@ad.lan" ipa1.ipa.lan

16. On ad1: SSH to ipa1 as AD user

   * Install standard putty from here
   * SSH with putty to ipa1 using GSSAPI
   * When prompted for user use "Administrator@ad.lan"

Expected Results

All the test steps should end with the above specified results.