Directory services are software applications or services that provide a centralized database of information about network resources, such as users, computers, printers, applications, and other network devices. Examples include Microsoft Active Directory, Novell eDirectory, LDAP servers, Apple Open Directory, IBM Tivoli Directory Server, and IPA.
Active Directory (AD) is a directory service that is used to manage and store information about resources in a networked environment. It is a component of the Microsoft Windows server operating system and is used by organizations to manage users, computers, and other resources centrally. It provides a hierarchical structure to organize resources such as users, groups, computers, and other network devices and allows administrators to assign permissions and access rights to resources based on a user’s role or group membership.
IPA (Identity, Policy, and Audit) is a directory service that provides centralized authentication, authorization, and access control for Unix and Linux systems. It is an open-source solution based on the FreeIPA project, which combines several open-source technologies, including 389 Directory Server, MIT Kerberos, and Dogtag Certificate System. In addition to providing a directory service, IPA also includes features such as centralized management of host-based access control, policy enforcement, and auditing.
IPA and AD can be integrated to work together. This involves creating a trust between IPA and Active Directory: a relationship between the two directory services that allows them to share user and group information and to authenticate users across both systems.
This process typically involves configuring cross-realm trust between the two directory services. Cross-realm trust is a mechanism that allows users in one domain or realm to access resources in another domain or realm. In this case, the IPA and Active Directory domains would establish a cross-realm trust relationship, which would allow users in both domains to access resources in the other domain.
The benefits of establishing trust between IPA (Identity, Policy, and Audit) and Active Directory (AD) include:
- Centralized management: With trust established, users and resources in both IPA and AD domains can be centrally managed, which reduces administrative overhead and simplifies access management.
- Seamless authentication: Trust enables users in one domain to access resources in the other domain without needing to enter separate login credentials. This seamless authentication improves user experience and eliminates the need to maintain separate user accounts in each domain.
- Improved security: Trust between IPA and AD can improve security by allowing for centralized management of access policies and user permissions. This ensures that access to resources is only granted to authorized users, and prevents unauthorized access.
- Flexible migration: If an organization is migrating from AD to IPA, trust can be established to allow for a seamless transition, minimizing disruption to users and reducing downtime.
- Interoperability: Trust between IPA and AD allows for the interoperability of services and applications between the two domains, enabling users to access services and resources on both domains seamlessly.
Overall, establishing trust between IPA and AD improves efficiency, security, and user experience, and simplifies the management of resources and users across multiple domains.
Establish Trust between IPA and Active Directory
For this testing, I have my environment set up as below:
IPA:
| IPA server IP address | IPA server hostname | IPA domain | IPA NetBIOS | IPA Kerberos realm |
|---|---|---|---|---|
| 192.168.205.12 | ipa.master.geeksforgeeks.org | master.geeksforgeeks.org | MASTER | MASTER.COMPUTINGFORGEEKS.COM |
AD:
| AD DC IP address | AD DC hostname | AD domain | AD NetBIOS | AD admins group SID |
|---|---|---|---|---|
| 192.168.205.20 | windows | ad.computingforgeks.com | GEEKS | ad_admins_sid (e.g. S-1-5-21-16904141-148189700-2149043814-512) |
1. Install and Configure the IPA Server
FreeIPA 3.3.3 or later is recommended for this guide. Before we begin, set the hostname for your system:
sudo hostnamectl set-hostname ipa.master.geeksforgeeks.org
Samba on the IPA server needs the IPv6 stack to stay present; to stop IPv6 addresses being assigned without removing the stack, create or modify the sysctl file below:
$ sudo vim /etc/sysctl.d/ipv6.conf
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.<interface0>.disable_ipv6 = 1
Replace <interface0> with the name of your network interface. This keeps the IPv6 stack functional but stops IPv6 addresses being assigned to your network devices.
You can install the IPA server packages on RHEL-based systems using the command:
sudo yum install -y "*ipa-server" "*ipa-server-trust-ad" ipa-server-dns bind bind-dyndb-ldap
When installing the IPA server, ensure that the ipa-server-trust-ad module is installed.
Now set up the IPA server with the below command:
sudo ipa-server-install --domain master.geeksforgeeks.org --realm MASTER.COMPUTINGFORGEEKS.COM \
--reverse-zone=205.168.192.in-addr.arpa. \
--no-forwarders \
--no-ntp \
--setup-dns \
--ds-password StrongDMPassw0rd \
--admin-password StrongDMPassw0rd \
--unattended
Now log in as the admin user. First, obtain a Kerberos ticket:
kinit admin
Ensure the admin user is available on your system using the command:
$ id admin
uid=1634400000(admin) gid=1634400000(admins) groups=1634400000(admins)
$ getent passwd admin
admin:*:1634400000:1634400000:Administrator:/home/admin:/bin/bash
You can also follow the below guides for a detailed demonstration of setting up IPA.
- Install FreeIPA Server on Rocky Linux 9 / AlmaLinux 9
- Install and Configure FreeIPA Server on Rocky Linux 8
- How To Install FreeIPA Server on CentOS 7 / RHEL 7
- Install and Configure FreeIPA Server on Ubuntu
2. Install and Configure AD DS
You need Windows Server 2008 R2 or later with configured Active Directory DC and DNS installed locally on the DC. This can be achieved using the guides below:
- Install Active Directory Domain Services in Windows Server 2022
- Install Active Directory Domain Services in Windows Server 2019
3. Prepare AD and IPA for Cross-Forest Trust
When planning to make AD users available on IPA clients, you need to configure the IPA server for cross-forest trusts. Before that, ensure the following:
- Date/time synchronization
Both the IPA and AD servers need matching timezone settings and matching date/time.
On IPA, set your timezone with the command:
sudo timedatectl set-timezone Africa/Nairobi
Sample Output:
On the AD side, configure the same timezone.
- Firewall configuration
Allow the following ports through the firewall:
##TCP ports:
80, 88, 443, 389, 636, 464, 53, 135, 138, 139, 445, 1024-1300
##UDP ports:
88, 464, 53, 123, 138, 139, 389, 445
All these ports can be allowed with the command:
sudo firewall-cmd --add-service={dns,http,https,ntp,freeipa-ldap,freeipa-ldaps,freeipa-trust} --permanent
sudo firewall-cmd --reload
- DNS configuration
You also need to establish DNS communication between AD and IPA. First, add the FreeIPA domain to the zones on the Windows Active Directory server. The commands have the following syntax:
On AD, run the below commands in CMD:
C:\> dnscmd 127.0.0.1 /ResetForwarders ipa_ip_address /Slave
C:\> dnscmd 127.0.0.1 /ZoneAdd ipa_domain /Secondary ipa_ip_address
For example:
dnscmd 127.0.0.1 /ResetForwarders 192.168.205.12 /Slave
dnscmd 127.0.0.1 /ZoneAdd master.geeksforgeeks.org /Secondary 192.168.205.12
Sample Output:
On IPA, use commands with the below syntax:
# IPA v3.x:
ipa dnszone-add ad_domain --name-server=ad_hostname.ad_domain --admin-email='hostmaster@ad_domain' --force --forwarder=ad_ip_address --forward-policy=only --ip-address=ad_ip_address
ipa dnszone-mod [IPA domain name] --allow-transfer=[AD IP address]
# IPA v4.x:
ipa dnsforwardzone-add ad_domain --forwarder=ad_ip_address --forward-policy=only
ipa dnszone-mod [IPA domain name] --allow-transfer=[AD IP address]
For example:
sudo ipa dnsforwardzone-add ad.geeksforgeeks.org --forwarder=192.168.205.20 --forward-policy=only
ipa dnszone-mod master.geeksforgeeks.org --allow-transfer=192.168.205.20
Sample Output:
To verify if the changes are effective, use the commands:
On AD:
C:\> nslookup
> set type=srv
> _ldap._tcp.ad_domain
> _ldap._tcp.ipa_domain
> quit
Sample Output:
On IPA:
dig SRV _ldap._tcp.ipa_domain
dig SRV _ldap._tcp.ad_domain
Sample Output 1:
Sample Output 2:
If the IPA server gets no answer, edit the /etc/resolv.conf file and add the AD IP address as shown:
$ sudo vim /etc/resolv.conf
# Generated by NetworkManager
search master.geeksforgeeks.org
nameserver 192.168.205.20
To make the changes permanent, modify the file:
$ sudo vim /etc/NetworkManager/NetworkManager.conf
[main]
#plugins=keyfile,ifcfg-rh
dns=none
rc-manager=unmanaged
Save the file and test again.
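Before moving on to ipa-adtrust-install it is worth checking the DNS prerequisite from the IPA side in both directions, not just by eye. The script below is an added example, not part of the original guide: it parses the answer of `dig +short SRV _ldap._tcp.<domain>` and confirms that the expected host is advertised on port 389 for both the IPA and the AD domain. The hostnames and the AD DC FQDN (`windows.ad.geeksforgeeks.org`) are the guide's lab values and are assumptions for your environment.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the LDAP SRV
# records of both domains resolve from this host before running
# ipa-adtrust-install. Names below are the guide's lab values (assumed).

IPA_DOMAIN=master.geeksforgeeks.org
IPA_HOST=ipa.master.geeksforgeeks.org
AD_DOMAIN=ad.geeksforgeeks.org
AD_HOST=windows.ad.geeksforgeeks.org   # assumed FQDN of the DC named "windows"

# srv_has_target ANSWER HOST
# ANSWER is the text printed by `dig +short SRV _ldap._tcp.<domain>`, one
# record per line: "<priority> <weight> <port> <target>." Returns 0 when
# HOST appears as a target on port 389, 1 otherwise.
srv_has_target() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NF == 4 {
            target = $4
            sub(/\.$/, "", target)          # strip the trailing dot of the FQDN
            if ($3 == 389 && target == host) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_domain DOMAIN HOST: query the live resolver and report the result.
check_domain() {
    answer=$(dig +short SRV "_ldap._tcp.$1" 2>/dev/null) || answer=""
    if [ -z "$answer" ]; then
        echo "FAIL: no SRV answer for _ldap._tcp.$1 (check /etc/resolv.conf and the forward zones)"
        return 1
    fi
    if srv_has_target "$answer" "$2"; then
        echo "OK:   _ldap._tcp.$1 -> $2"
    else
        echo "FAIL: _ldap._tcp.$1 resolves, but not to $2 on port 389:"
        printf '      %s\n' "$answer"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Real lookups against the resolver configured on this host.
    status=0
    check_domain "$IPA_DOMAIN" "$IPA_HOST" || status=1
    check_domain "$AD_DOMAIN" "$AD_HOST" || status=1
    exit "$status"
else
    # Offline demonstration on a constructed answer (not a real lookup).
    SAMPLE='0 100 389 ipa.master.geeksforgeeks.org.'
    if srv_has_target "$SAMPLE" "$IPA_HOST"; then
        echo "parser OK on constructed sample; run with --live to query DNS"
    fi
fi
```

Run it as `sh check-srv.sh --live` on the IPA server; without the flag it only exercises the parser on a constructed record. A FAIL for the AD domain usually means the forward zone from step 3 is missing or the resolver in /etc/resolv.conf does not reach the DC.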
4. Establish and Verify the Cross-Forest trust
For AD users to be able to access IPA clients, you must run the ipa-adtrust-install command on the IPA master to which those IPA clients will be connecting:
$ sudo ipa-adtrust-install --netbios-name=MASTER -a StrongDMPassw0rd
The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
.......
For this guide, we will set up a two-way cross-forest trust between the AD and IPA servers.
There are two ways of achieving this:
- With AD administrator credentials:
ipa trust-add --two-way=true --type=ad ad_domain --admin Administrator --password
For example:
ipa trust-add --two-way=true --type=ad ad.geeksforgeeks.org --admin Administrator --password
Sample Output:
In this command, the account passed to --admin must be a member of the Domain Admins group.
At this point, IPA creates a two-way forest trust on the IPA side. For a one-way trust, omit the --two-way=true option; IPA then creates a one-way forest trust on its side and initiates validation of the trust from the AD side.
- Without AD administrator credentials:
When you do not have the AD administrator credentials, you can use the command:
ipa trust-add --two-way=true --type=ad "ad_domain" --trust-secret
Here, you enter the shared trust secret when prompted. This creates a two-way forest trust on the IPA side; you then have to validate the trust manually on the AD side.
5. Configure Kerberos on IPA
Most applications ask the Kerberos library to verify that a Kerberos principal can be mapped to a POSIX account. Some applications go further and ask the operating system for the canonical name of the POSIX account the Kerberos library returned. OpenSSH compares the principal name unchanged, whereas SSSD lower-cases the realm part, so the actual user name is Administrator@realm, not administrator@realm, when logging in over SSH with a Kerberos ticket.
We therefore need to define rules that map Kerberos principals to system user names, by manually editing /etc/krb5.conf on the IPA server so that Kerberos authentication for AD users is permitted.
To do so, add the two lines below to the [realms] section on any machine that is going to see AD users:
$ sudo vim /etc/krb5.conf
[realms]
IPA_DOMAIN = {
....
auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
auth_to_local = DEFAULT
}
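The two auth_to_local lines are easy to get subtly wrong, and a mistake only shows up as a refused login. The POSIX-sh script below is an added example, not part of the original guide or of MIT Kerberos: it models what the RULE line and the DEFAULT line do to a principal, so the expected outcome for an AD user, an IPA user, a service principal and a foreign realm can be seen before touching /etc/krb5.conf. The realm and domain names are the guide's lab values and are assumptions; the function `map_principal` is this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): a POSIX-sh model of what the
# two auth_to_local lines above do to a Kerberos principal. Realm and
# domain names are the guide's lab values (assumed).

AD_REALM=AD.GEEKSFORGEEKS.ORG          # upper-case realm the AD KDC issues
AD_DOMAIN=ad.geeksforgeeks.org          # lower-case form SSSD knows the users by
IPA_REALM=MASTER.COMPUTINGFORGEEKS.COM  # local (default) realm on the IPA server

# map_principal PRINCIPAL
# Prints the local name the two rules produce, or returns 1 when neither
# rule applies (the Kerberos library then refuses the mapping).
map_principal() {
    princ=$1
    name=${princ%@*}      # everything before the last "@"
    realm=${princ##*@}    # everything after the last "@"

    # Both rules only consider principals with a single component:
    # "[1:...]" in the RULE, and DEFAULT requires exactly one component.
    # Service principals such as host/fqdn@REALM therefore never map.
    case $name in
        */*) return 1 ;;
    esac

    # RULE:[1:$1@$0](^.*@AD_REALM$)s/@AD_REALM/@ad_domain/
    # formats the principal as name@REALM, selects it only when the realm
    # is the AD realm, and rewrites the realm to its lower-case DNS form.
    if [ "$realm" = "$AD_REALM" ]; then
        printf '%s@%s\n' "$name" "$AD_DOMAIN"
        return 0
    fi

    # DEFAULT: a single-component principal in the local realm maps to the
    # bare name; a principal from any other realm is rejected.
    if [ "$realm" = "$IPA_REALM" ]; then
        printf '%s\n' "$name"
        return 0
    fi
    return 1
}

# Constructed demonstration principals (not real accounts).
for p in "Administrator@$AD_REALM" \
         "admin@$IPA_REALM" \
         "host/ipa.master.geeksforgeeks.org@$IPA_REALM" \
         "bob@OTHER.EXAMPLE.COM"; do
    if mapped=$(map_principal "$p"); then
        printf '%-55s -> %s\n' "$p" "$mapped"
    else
        printf '%-55s -> (no mapping; login refused)\n' "$p"
    fi
done
```

The point the model makes visible is that the RULE line does not grant anything to principals outside the AD realm, and that removing the DEFAULT line would break logins for IPA's own users, since the RULE alone never matches them.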
Now restart the KDC and SSSD service:
service krb5kdc restart
service sssd restart
6. Allow access for users from the AD domain to protected resources
For AD users to be able to access trusted resources, they need to be mapped to IPA groups. This is done in two steps:
- Add users and groups from trusted domains to an external group in IPA. The external group serves as a container to reference trusted domain users and groups by their security identifiers.
- Map the external group to an existing POSIX group in IPA. This POSIX group has a proper group id (gid) that is used as the default group for all incoming trusted domain users mapped to it.
Create an external group for the trusted domain users:
ipa group-add --desc='AD users external map' ad_users_external --external
Create a POSIX group for the ad_users_external group:
ipa group-add --desc='AD users' ad_users
Now add the AD users to the external group:
ipa group-add-member ad_users_external --external "ad.geeksforgeeks.org\Domain_User"
Add the external IdM group to the POSIX IdM group as a member.
ipa group-add-member ad_users --groups ad_users_external
Now the users should be available on the IPA console as shown:
7. Testing the cross-forest trust
Now we can test the cross-forest trust by logging in to an IPA client with any AD user. For this test, we have the user [email protected] on the AD server, who can log in to any server enrolled in IPA.
Verify if the user exists:
Test if you can log in with the user:
Verdict
That marks the end of this guide on how to establish trust between IPA and Active Directory. This integration makes it easier to manage users and resources across your organization. I hope this was useful to you.
Related guides:
- Join Windows System to FreeIPA Realm without Active Directory
- Active Directory Authentication for Kubernetes Kubectl CLI
- Integrate TrueNAS with LDAP / Active Directory for user Authentication