CentOS 7
Sponsored Link

FreeIPA : FreeIPA trust AD2018/08/09
 
Configure Cross Forest Trust between FreeIPA domain and Windows Active Directory domain.
This example is based on the environment like follows.
Domain Server : CentOS 7 Windows Server 2016
NetBIOS名 : IPA01 FD3S01
Domain Name : ipa.srv.world ad.srv.world
Hostname : dlp.ipa.srv.world fd3s.ad.srv.world 
+----------------------+          |           +----------------------+
| [ FreeIPA (CentOS) ] |10.0.0.30 | 10.0.0.100|  [ AD (Win 2016) ]   |
|  dlp.ipa.srv.world   +----------+-----------+  fd3s.ad.srv.world   |
|                      |                      |                      |
+----------------------+                      +----------------------+
[1] Install FreeIPA trust AD on existing FreeIPA Server.
[root@dlp ~]#
yum -y install ipa-server-trust-ad
[root@dlp ~]#
ipa-adtrust-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

# FreeIPA admin password
admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

# enable slapi-nis or not
Enable trusted domains support in slapi-nis? [no]:

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

# set NetBIOS name for FreeIPA domain
NetBIOS domain name [IPA]: IPA01

WARNING: 7 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

# answer yes or not
Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object

.....
.....

  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================
# if firewalld is running, set follows, too

[root@dlp ~]#
firewall-cmd --add-service=freeipa-trust --permanent

success
[root@dlp ~]#
firewall-cmd --reload

success
[2] Add DNS setting on FreeIPA Server.
# ipa dnsforwardzone-add [AD Domain Name] --forwarder=[AD IP Address] --forward-policy=only

[root@dlp ~]#
ipa dnsforwardzone-add ad.srv.world --forwarder=10.0.0.100 --forward-policy=only 

Server will check DNS forwarder(s).
This may take some time, please wait ...
  Zone name: ad.srv.world.
  Active zone: TRUE
  Zone forwarders: 10.0.0.100
  Forward policy: only
# ipa dnsrecord-add [IPA Domain Name] [AD Hostname].[ADのNetBIOS名] --a-ip-address=[AD IP Address]

# ipa dnsrecord-add [IPA Domain Name] [AD NetBIOS Name] --ns-hostname=[AD Hostname].[AD NetBIOS Name]

[root@dlp ~]#
ipa dnsrecord-add ipa.srv.world fd3s.FD3S01 --a-ip-address=10.0.0.100

[root@dlp ~]#
ipa dnsrecord-add ipa.srv.world FD3S01 --ns-hostname=fd3s.FD3S01
# ipa dnszone-mod [IPA Domain Name] --allow-transfer=[AD IP Address]

[root@dlp ~]#
ipa dnszone-mod ipa.srv.world --allow-transfer=10.0.0.100 

  Zone name: ipa.srv.world.
  Active zone: TRUE
  Authoritative nameserver: dlp.ipa.srv.world.
  Administrator e-mail address: hostmaster.ipa.srv.world.
  SOA serial: 1533791906
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: 10.0.0.100;
[3] Add FreeIPA Domain to Zones on Windows Active Directory Server.
⇒ dnscmd 127.0.0.1 /ZoneAdd [IPA Domain Name] /Secondary [IPA IP Address]
[4] Make sure DNS resolver works normally and setup FreeIPA trust AD.
[root@dlp ~]#
dig SRV _ldap._tcp.ipa.srv.world 

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ipa.srv.world
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ipa.srv.world.      IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ipa.srv.world. 86400 IN      SRV     0 100 389 dlp.ipa.srv.world.

;; AUTHORITY SECTION:
ipa.srv.world.          86400   IN      NS      dlp.ipa.srv.world.

;; ADDITIONAL SECTION:
dlp.ipa.srv.world.      1200    IN      A       10.0.0.30

.....
.....
[root@dlp ~]#
dig SRV _ldap._tcp.ad.srv.world 

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ad.srv.world
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ad.srv.world.       IN      SRV

;; ANSWER SECTION:
_ldap._tcp.ad.srv.world. 600    IN      SRV     0 100 389 FD3S.ad.srv.world.

.....
.....
# ipa trust-add --type=ad [ADのドメイン名] --admin Administrator --password

[root@dlp ~]#
ipa trust-add --type=ad ad.srv.world --admin Administrator --password 

Active Directory domain administrator's password:
-----------------------------------------------------
Added Active Directory trust for realm "ad.srv.world"
-----------------------------------------------------
  Realm name: ad.srv.world
  Domain NetBIOS name: FD3S01
  Domain Security Identifier: S-1-5-21-3929321687-412289865-1056573164
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
# make sure it's possible to get an AD user info or not

[root@dlp ~]#
id FD3S01\\Serverworld

uid=1890801000(serverworld@ad.srv.world) gid=1890801000(serverworld@ad.srv.world) groups=1890801000(serverworld@ad.srv.world),1890800513(domain users@ad.srv.world)
# make sure it's possible to switch to an AD user or not

[root@dlp ~]#
su - FD3S01\\Serverworld

Creating home directory for serverworld@ad.srv.world.
-sh-4.2$
Matched Content