IDM with Active Directory using Indirect cross-forest trust

In this guide we walk through one of the most requested setups in a production environment: an IDM (FreeIPA) server trusting an Active Directory forest.
The scenario is as follows: your Active Directory server and DNS run on a Windows 2012/2016 server. All your Windows clients get DNS resolution, user authentication and management from AD. However, joining Linux clients directly to AD has plenty of limitations, so we set up an IDM server as an intermediary between AD and the Linux clients.
By having an IDM server we gain account management, password policy, Kerberos, RBAC, HBAC, OTP, 2FA, sudo rules and much more. If you join a Linux machine to AD using "realm join" you won't get these features.
In case you have not set up IDM yet, refer to:
- Step by step installing an Identity Management server in Linux using IPA
- Creating DNS zones and DNS records in IPA Server
- Setup a Linux server as IDM client to authenticate with Active Directory
Our Current Server Setup
Firewall and Ports
With the firewall enabled, adding the freeipa-trust service opens the ports required for an AD trust. The service definition lists them:
# cat /usr/lib/firewalld/services/freeipa-trust.xml

[root@idmns ~]# cat /usr/lib/firewalld/services/freeipa-trust.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA trust setup</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option of you plan to deploy cross-forest trusts with FreeIPA and Active Directory.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138-139"/>
  <port protocol="udp" port="138-139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="udp" port="445"/>
  <port protocol="udp" port="1024-1300"/>
  <port protocol="tcp" port="3268"/>
</service>
[root@idmns ~]#
|S:NO:|TCP PORTS|UDP PORTS|USE OF PORT|
|---|---|---|---|
|5.|–|1024-1300|epmap listener range|
With firewalld running, adding the service is all that is needed to open the ports:
# firewall-cmd --add-service=freeipa-trust
# firewall-cmd --reload
Before making any changes, first make sure both the IDM server and AD run in the same timezone and are synced to the correct date and time.
# systemctl enable chronyd
# systemctl start chronyd
# timedatectl status
Verify the timezone and date in AD as well.
Double-check the DNS of the IDM server
Make sure the IDM server uses itself (127.0.0.1) as its DNS server. Modify the interface configuration to add the DNS, then restart the interface and verify the change.
# nmcli connection modify ens33 ipv4.dns 127.0.0.1
# ifdown ens33 && ifup ens33
# cat /etc/resolv.conf
Now the change should be reflected in /etc/resolv.conf:
[root@idmns ~]# nmcli connection modify ens33 ipv4.dns 127.0.0.1
[root@idmns ~]#
[root@idmns ~]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@idmns ~]#
[root@idmns ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search linuxsysadmins.local
nameserver 127.0.0.1
[root@idmns ~]#
If you update the DNS, the krb5kdc, sssd and httpd services must be restarted for the change to take effect.
# systemctl restart krb5kdc.service
# systemctl restart sssd.service
# systemctl restart httpd.service
# ipactl status
Installing trust Packages
If the ipa-server-trust-ad package is not installed yet, install it now; otherwise skip to the next step.
# yum install ipa-server-trust-ad -y
The IPA version used here is 4.6.4; some commands differ in older versions.
[root@idmns ~]# ipa --version
VERSION: 4.6.4, API_VERSION: 2.229
[root@idmns ~]#
Configure IDM for Cross-forest Trust
Before running the next commands we need to know the current NetBIOS name. In the IDM server GUI navigate to IPA Server –> Trusts –> Global Trust Configuration.
# ipa-adtrust-install --netbios-name=LINUXSYS -a redhat123
- ipa-adtrust-install – Command to set up the AD trust.
- --netbios-name – The NetBIOS name we used during IDM setup.
- -a – Admin password (passing it on the command line leaves it in the shell history and the process list; omit -a to be prompted for it instead).
[root@idmns ~]# ipa-adtrust-install --netbios-name=LINUXSYSADMINS -a redhat123

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for the IPA Server.

This includes:
  Configure Samba
  Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
Samba domain object already exists
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/23]: adding RID bases
RID bases already set, nothing to do
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
Fallback group already set, nothing to do
  [20/23]: adding Default Trust View
Default Trust View already exists.
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:

TCP Ports:
  * 135: epmap
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 445: microsoft-ds
  * 1024..1300: epmap listener range
  * 3268: msft-gc
UDP Ports:
  * 138: netbios-dgm
  * 139: netbios-ssn
  * 389: (C)LDAP
  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================
[root@idmns ~]#
Once the ad-trust setup completes, the output lists the ports that need to be open between AD and IDM. We can skip that step because it was already done in the firewall step above.
DNS configuration for Active Directory (AD) and IDM
1. Creating DNS conditional forwarder on AD
Open a command prompt with Administrator privileges and run the command below to create a conditional forwarder for the IDM domain in Active Directory DNS.
dnscmd 127.0.0.1 /ZoneAdd linuxsysadmins.local /Forwarder 192.168.107.100
The above command adds a conditional forwarder, visible in DNS Manager:
Server Manager –> DNS –> DNS Manager
2. Creating DNS forwarder on IDM
DNS queries that Linux clients send to the IDM server for the AD domain must be forwarded to Active Directory. For that we add a forward zone in IDM with a forward-only policy pointing at the AD server's IP address.
# ipa dnsforwardzone-add winlinuxsysadmins.local --forwarder=192.168.107.99 --forward-policy=only
[root@idmns ~]# ipa dnsforwardzone-add winlinuxsysadmins.local --forwarder=192.168.107.99 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait …
ipa: WARNING: DNS server 192.168.107.99: query 'winlinuxsysadmins.local. SOA': The DNS response does not contain an answer to the question: winlinuxsysadmins.local. IN SOA.
  Zone name: winlinuxsysadmins.local.
  Active zone: TRUE
  Zone forwarders: 192.168.107.99
  Forward policy: only
[root@idmns ~]#
To verify the same from the GUI, navigate to Network –> DNS –> DNS Forward Zones.
Adding it from the GUI is easy too, but a single command creates this entry.
Verifying DNS configuration on AD and IDM
Verify DNS on AD server
To verify the DNS configuration on the AD server, launch a command prompt and use nslookup. Set the query type to service records (SRV) and query both domains; an Answer section for each confirms DNS works as expected.
nslookup
> set type=srv
> _ldap._tcp.winlinuxsysadmins.local
> _ldap._tcp.linuxsysadmins.local
> exit
Check the DNS on IDM Server
# dig SRV _ldap._tcp.linuxsysadmins.local
# dig SRV _ldap._tcp.winlinuxsysadmins.local
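To make the resolv.conf, forward-zone and SRV checks from the steps above repeatable, here is an added preflight script (example code, not part of the original guide). It assumes the guide's values (linuxsysadmins.local, winlinuxsysadmins.local, AD DNS 192.168.107.99); the function names resolv_ok, srv_count, forwardzone_ok and preflight are hypothetical helpers of mine.

```shell
#!/bin/sh
# Preflight checks for the DNS side of the IDM <-> AD trust set up above.
# Added example, not part of the original guide. Assumed values come from the
# guide; override them through the environment when your domains differ.
IPA_DOMAIN="${IPA_DOMAIN:-linuxsysadmins.local}"
AD_DOMAIN="${AD_DOMAIN:-winlinuxsysadmins.local}"
AD_DNS="${AD_DNS:-192.168.107.99}"

# The IDM server must resolve through its own named (127.0.0.1); otherwise the
# forward zone created with `ipa dnsforwardzone-add` is never consulted.
# Usage: resolv_ok <resolv.conf path>  (true when the first nameserver is 127.0.0.1)
resolv_ok() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ]
}

# Count SRV records in the ANSWER section of a saved `dig SRV ...` transcript;
# an empty answer section means the zone or the forwarder is misconfigured.
# Usage: srv_count <dig output file>  (prints the number of SRV answers)
srv_count() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^$/         { in_ans = 0 }
         in_ans && $4 == "SRV" { n++ }
         END                   { print n + 0 }' "$1"
}

# Confirm a saved `ipa dnsforwardzone-show` transcript points at the AD DNS
# server with the forward-only policy the guide requires.
# Usage: forwardzone_ok <ipa output file> <forwarder ip>
forwardzone_ok() {
    grep -q "Zone forwarders: $2" "$1" && grep -q 'Forward policy: only' "$1"
}
# Live run on the IDM server (set IDM_PREFLIGHT=1); stops at the first failure.
preflight() {
    firewall-cmd --query-service=freeipa-trust >/dev/null 2>&1 \
        || { echo "firewalld service freeipa-trust is not enabled"; return 1; }
    resolv_ok /etc/resolv.conf || { echo "/etc/resolv.conf does not use 127.0.0.1"; return 1; }
    out=$(mktemp)
    ipa dnsforwardzone-show "$AD_DOMAIN" > "$out" 2>/dev/null
    forwardzone_ok "$out" "$AD_DNS" \
        || { echo "forward zone $AD_DOMAIN missing or not forward-only to $AD_DNS"; return 1; }
    for d in "$IPA_DOMAIN" "$AD_DOMAIN"; do
        dig SRV "_ldap._tcp.$d" > "$out"
        [ "$(srv_count "$out")" -gt 0 ] || { echo "no _ldap._tcp SRV answer for $d"; return 1; }
    done
    rm -f "$out"; echo "preflight OK"
}
if [ "${IDM_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

Run it as root on the IDM server with IDM_PREFLIGHT=1 after the forward zone has been created; each helper can also be pointed at saved transcripts when troubleshooting offline.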
Disable DNSSEC validation
Edit /etc/named.conf and set dnssec-validation to no. Note that this turns off DNSSEC validation for every response this named handles, not only for the AD forward zone.
# vim /etc/named.conf
dnssec-validation no;