Description
Configuring and testing cross-realm trust with Active Directory.
Setup
- Make sure your FreeIPA server is set up as in QA:Testcase_freeipav3_installation.
- You have to select a name for the IPA realm that differs from the Active Directory domain name.
- There are two types of installation for FreeIPA:
  - without integrated DNS setup
  - with integrated DNS setup
How to test
Planned configuration
The instructions below assume the following setup:
- There is an Active Directory domain named AD.LAN. The domain controller for AD.LAN is dc.ad.lan and has the IP address DC-AD.
- There is a FreeIPA realm named IPA.LAN. The FreeIPA server for the realm IPA.LAN is dc.ipa.lan and has the IP address DC-IPA.
The FreeIPA realm will also get a short name used for NetBIOS communication, known as the 'domain name' in SMB. Usually it is the same as the leftmost component of the realm, i.e. IPA for IPA.LAN.
Installation
First, install the FreeIPA server as in QA:Testcase_freeipav3_installation.
Next, install the following packages:
# yum install freeipa-server-trust-ad samba-winbind samba-winbind-clients samba-client
The samba-winbind-clients package is not needed for actual operation. It is only needed to verify that certain operations performed by a Windows client indeed trigger the proper reaction from the FreeIPA setup.
With DNS controlled by FreeIPA server
Run ipa-adtrust-install without parameters:
# ipa-adtrust-install
You'll be prompted for the needed information; the defaults are auto-discovered from the FreeIPA setup. You'll be asked to enter your admin credentials for the FreeIPA server. The DNS configuration will be updated to include the SRV records expected by Active Directory clients.
Without DNS controlled by FreeIPA server
Run ipa-adtrust-install with the --no-msdcs argument:
# ipa-adtrust-install --no-msdcs
You'll be prompted for the needed information; the defaults are auto-discovered from the FreeIPA setup. You'll be asked to enter your admin credentials for the FreeIPA server. At the end of execution, ipa-adtrust-install will print the list of SRV records that you have to create on your DNS server in order to continue.
Configure DNS forwarder
Both the Active Directory domain and the FreeIPA realm need to be able to find each other and discover information about each other's resources. If there is no common uplink DNS server, appropriate domain name forwarders need to be created on both sides.
DNS forwarder from FreeIPA side
# ipa dnszone-add ad.lan --name-server=dc.ad.lan --admin-email='hostmaster@ad.lan' --force --forwarder=DC-AD --forward-policy=only
DNS forwarder from Active Directory side
Open Start -> Administrative Tools -> DNS, right-click 'Conditional Forwarders' in the left column of the window and select 'New Conditional Forwarder...'. Add the DNS domain name of your FreeIPA domain and the IP addresses of one or more DNS servers of your FreeIPA domain.
To test the new configuration, try to ping your FreeIPA server again. It might be necessary to run 'ipconfig /flushdns' to remove any cached results.
Alternatively, you can use the command line utility dnscmd to configure the forwarder:
Open Start -> Command Prompt and enter:
dnscmd 127.0.0.1 /ZoneAdd ipa.lan /Forwarder DC-IPA
The command should report that zone ipa.lan was successfully added.
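Once forwarders exist on both sides, the quickest check is that the SRV records Active Directory clients look up for the FreeIPA realm actually resolve from each side. The following shell snippet is an added example, not part of the original test case; the record list it checks is an assumption modelled on what ipa-adtrust-install --no-msdcs prints for the realm, so compare it with the list your own server printed. The SRV_LOOKUP variable exists only so the resolver command can be substituted.

```shell
#!/bin/sh
# Added example: verify that the SRV records Active Directory clients expect
# for the FreeIPA realm resolve through the forwarders on both sides.
# The list of names is an assumption based on what ipa-adtrust-install
# --no-msdcs prints; adjust it to the list printed on your server.

SRV_LOOKUP=${SRV_LOOKUP:-dig}   # resolver command; a stub can be substituted for testing

# srv_targets NAME: print "priority weight port target" lines for SRV record NAME
srv_targets() {
    "$SRV_LOOKUP" +short SRV "$1" 2>/dev/null
}

# check_realm_srv ZONE: report each expected SRV name under ZONE;
# returns 1 if any of them has no answer.
check_realm_srv() {
    zone=$1
    missing=0
    for rel in _kerberos._tcp _kerberos._udp _ldap._tcp \
               _kerberos._tcp.dc._msdcs _ldap._tcp.dc._msdcs; do
        name="$rel.$zone"
        # collapse the answers into "target:port" pairs on one line
        targets=$(srv_targets "$name" | awk '{ printf "%s:%s ", $4, $3 }')
        if [ -z "$targets" ]; then
            echo "MISSING $name"
            missing=$((missing + 1))
        else
            echo "OK      $name -> $targets"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Typical use on dc.ipa.lan after both forwarders are in place:
#   check_realm_srv ipa.lan && check_realm_srv ad.lan
```

Run it on the FreeIPA server for both zones; a MISSING line for ad.lan points at the forward zone added with ipa dnszone-add, a MISSING line for ipa.lan at the conditional forwarder on the Windows side (or, without integrated DNS, at SRV records not yet created on your DNS server).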
Verify basics
Use the wbinfo utility from samba4-winbind-clients to verify that ipa-adtrust-install has set up everything right:
# wbinfo --online-status
BUILTIN : online
IPA : online
Show AD configuration with trustconfig
TODO
Add cross-realm trust
Add cross-realm trust to Active Directory domain:
# ipa trust-add --type=ad ad.lan --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "ad.lan"
-------------------------------------------------
  Realm name: ad.lan
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-16904141-148189700-2149043814
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
Restart FreeIPA KDC
For the time being, the FreeIPA KDC has to be restarted before it recognizes the new cross-realm trust.
# systemctl restart krb5kdc.service
Configure realm and domain mapping
For the time being, krb5.conf and sssd.conf on the FreeIPA server have to be configured manually before cross-realm-specific operations work.
Look into /etc/krb5.conf and change/add the following, replacing realm names appropriately:
[libdefaults]
 ....
 dns_lookup_kdc = true
 ....
[realms]
 IPA.LAN = {
  ....
  auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
  auth_to_local = DEFAULT
 }
Look into /etc/sssd/sssd.conf and add/change the following, replacing the domain name ipa.lan appropriately:
[domain/ipa.lan]
...
subdomains_provider = ipa
...
[sssd]
services = nss, pam, ssh, pac
'subdomains_provider = ipa' ensures that sssd will be able to look up users in trusted domains. 'services = ..., pac' ensures that user membership information from the PAC (http://tools.ietf.org/html/draft-brezak-win2k-krb-authz-01) is evaluated as well.
Restart sssd service:
# systemctl restart sssd.service
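The auth_to_local entries above decide which local user name a Kerberos principal is mapped to, and therefore who gets in. The shell function below is an added example, not part of the original test case: it re-implements, for this specific configuration, what the RULE and DEFAULT entries do to a principal (a simplified emulation of the MIT krb5 semantics, not the library itself), so the mapping can be checked before anyone logs in. The realm names are parameters so the same check applies after you replace them.

```shell
#!/bin/sh
# Added example: emulate the two auth_to_local entries from the krb5.conf
# stanza on this page for a given principal:
#   auth_to_local = RULE:[1:$1@$0](^.*@AD.LAN$)s/@AD.LAN/@ad.lan/
#   auth_to_local = DEFAULT
# This is a simplified re-implementation of the MIT krb5 RULE/DEFAULT
# behaviour for exactly these two entries, not the krb5 library.

# auth_to_local PRINCIPAL LOCAL_REALM TRUSTED_REALM
# Prints the local user name; returns 1 when no entry matches (login is refused).
auth_to_local() {
    princ=$1 local_realm=$2 trusted=$3
    case $princ in *@*) ;; *) return 1 ;; esac
    name=${princ%@*}
    realm=${princ##*@}
    # "[1:...]" and DEFAULT both apply only to single-component principals;
    # service principals such as host/dc.ipa.lan@IPA.LAN get no local name.
    case $name in ''|*/*) return 1 ;; esac

    # RULE: "[1:$1@$0]" formats the principal as NAME@REALM, the regex
    # "(^.*@AD.LAN$)" accepts only the trusted realm (case-sensitive), and
    # "s/@AD.LAN/@ad.lan/" lowercases the realm suffix. The result is the
    # user@ad.lan form that sssd resolves for trusted-domain users.
    if [ "$realm" = "$trusted" ]; then
        lower=$(printf '%s' "$trusted" | tr '[:upper:]' '[:lower:]')
        printf '%s@%s\n' "$name" "$lower"
        return 0
    fi

    # DEFAULT: a principal in the local realm maps to its bare name.
    if [ "$realm" = "$local_realm" ]; then
        printf '%s\n' "$name"
        return 0
    fi
    return 1
}

# Checks for the setup on this page:
#   auth_to_local Administrator@AD.LAN IPA.LAN AD.LAN   -> Administrator@ad.lan
#   auth_to_local admin@IPA.LAN IPA.LAN AD.LAN          -> admin
#   auth_to_local user@OTHER.LAN IPA.LAN AD.LAN         -> no output, exit status 1
```

Note that the realm comparison is exact, as the regex in the real rule is: a principal written as administrator@ad.lan matches neither entry, which is why the SSH section insists on the Administrator@ad.lan spelling.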
Allow access for users from trusted domain to protected resources
Before users from a trusted domain can access protected resources in the FreeIPA realm, they have to be explicitly mapped to FreeIPA groups. The mapping is performed in two steps:
- Add users and groups from the trusted domain to an external group in FreeIPA. The external group serves as a container that references trusted domain users and groups by their security identifiers.
- Map the external group to an existing POSIX group in FreeIPA. This POSIX group is assigned a proper group id (gid) that is used as the default group for all incoming trusted domain users mapped to this group.
Create external and POSIX groups for trusted domain users
Create an external group in FreeIPA for the trusted domain admins:
# ipa group-add --desc='ad.lan admins external map' ad_admins_external --external
Create a POSIX group for the external ad_admins_external group:
# ipa group-add --desc='ad.lan admins' ad_admins
Add users and groups from trusted domain to an external group in FreeIPA
Add the Domain Admins of AD.LAN to the ad_admins_external group:
# ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: AD.LAN admins external map
  External member: S-1-5-21-16904141-148189700-2149043814-512
-------------------------
Number of members added 1
-------------------------
Add external group to POSIX group
Allow members of the ad_admins_external group to be associated with the ad_admins POSIX group:
# ipa group-add-member ad_admins --groups ad_admins_external
From this point on, the FreeIPA server will be able to authenticate and recognize any trusted domain user that belongs to the Domain Admins group of the AD.LAN domain.
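The external member is stored as a SID, so a typo or a SID copied from the wrong domain silently grants access to a different group than intended. The shell functions below are an added example, not part of the original test case: they check that a member SID is well-formed, that its domain part equals the Domain Security Identifier printed by ipa trust-add, and optionally that it carries the expected relative identifier (RID 512 is the well-known RID of Domain Admins). The same check applies to the SID used in a share's 'valid users' entry later on this page.

```shell
#!/bin/sh
# Added example: sanity-check an external member SID against the trusted
# domain's SID before using it with group-add-member or in 'valid users'.
# Assumes the domain SID is the one printed by 'ipa trust-add' and that
# RID 512 denotes Domain Admins (well-known RID).

# sid_rid SID: print the relative identifier (last component)
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# sid_domain SID: print the domain part (everything before the RID)
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# check_external_member TRUST_SID MEMBER_SID [EXPECTED_RID]
# Returns 0 when MEMBER_SID is a well-formed domain-relative SID that belongs
# to TRUST_SID and, if EXPECTED_RID is given, carries exactly that RID.
check_external_member() {
    trust=$1 member=$2 want=${3:-}
    # S-1-5-21-<three sub-authorities>-<RID>: anything else is rejected
    if ! printf '%s' "$member" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'; then
        echo "malformed or non-domain SID: $member"
        return 1
    fi
    if [ "$(sid_domain "$member")" != "$trust" ]; then
        echo "$member does not belong to trusted domain $trust"
        return 1
    fi
    if [ -n "$want" ] && [ "$(sid_rid "$member")" != "$want" ]; then
        echo "unexpected RID $(sid_rid "$member") in $member (wanted $want)"
        return 1
    fi
    echo "OK $member (domain $trust, RID $(sid_rid "$member"))"
}

# Check the Domain Admins SID used on this page against the trust's domain SID:
#   check_external_member S-1-5-21-16904141-148189700-2149043814 \
#       S-1-5-21-16904141-148189700-2149043814-512 512
```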
Using cross-realm trust
SSH
A GSSAPI-aware Windows SSH client must be installed on the Windows server. The PuTTY version from Quest http://rc.quest.com/topics/putty/ should work, but recently GSSAPI support was also added to the "standard" PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. If you now log on to the Windows server as the test user abc and use PuTTY to connect with GSSAPI to the FreeIPA server, it should just work without asking for a password.
When asked by SSH for credentials, use <username>@<domain> instead of <domain>\<username>. Please note that <domain> should be specified exactly as in the auth_to_local stanza in krb5.conf; the OpenSSH server is very sensitive to the form of the user name. Thus, Administrator@ad.lan, not administrator@AD.LAN, should be used wherever possible.
Make sure home directories exist for users from trusted domains. By default sssd defines them as /home/<domain>/<user name>.
CIFS
In order to access a non-public CIFS share on the FreeIPA server, you first need to configure the share. The FreeIPA Samba configuration is stored in the registry database, managed by the 'net conf' command from the Samba suite.
# net conf setparm 'share' 'comment' 'Trust test share'
# net conf setparm 'share' 'read only' 'no'
# net conf setparm 'share' 'valid users' 'S-1-5-21-16904141-148189700-2149043814-512'
# net conf setparm 'share' 'path' '/path/to/share'
Make sure to change /path/to/share to the proper location. Note that we are using the Security Identifier of the Domain Admins group here to allow access to the share.
Once the configuration is updated, the share can be mounted from a Windows machine using the 'net use * \\server\share' command or the Windows Explorer application.
Accessing Windows resources with FreeIPA credentials
(TODO) In order to gain access to Windows resources, users of the FreeIPA realm need to be granted the appropriate privileges by administrators of the trusted domain. This is currently not possible, since Windows machines try to consult the FreeIPA domain controller to resolve names to SIDs (and back) via the Global Catalog service, and the FreeIPA domain controller does not implement the Global Catalog service yet.
Configuring allowed PAC types for services
Currently only kernel NFS does not work with a PAC in the Kerberos ticket, due to limits of the kernel-to-user-space communication. Because of this, FreeIPA 3.2 by default disables adding PAC information to the NFS ticket.
Expected Results
All the test steps should end with the specified results.