Integrating IDM with AD (Active directory) using indirect cross-forest trust


Introduction to Integrating IDM with AD

In this guide we walk through integrating IDM (Red Hat Identity Management / FreeIPA) with Active Directory using an indirect cross-forest trust, one of the most requested setups in real production environments.

The scenario is as follows: your Active Directory server and DNS are running on Windows Server 2012/2016. All your Windows clients already get DNS resolution, user authentication and management from AD. Joining Linux clients directly to AD, however, has plenty of limitations, so we set up an IDM server as an intermediary between AD and the Linux clients.

With an IDM server in place we gain many advantages such as account management, password policy, Kerberos, RBAC, HBAC, OTP, 2FA, sudo rules and much more. If you join a Linux machine to AD directly using “realm join”, you won’t get these features.

In case you have not yet set up IDM, kindly refer

Our Current Server Setup

Role               IP address        Hostname
Active Directory   192.168.107.99    addns.winlinuxsysadmins.local
IDM Server         192.168.107.100   idmns.linuxsysadmins.local

Firewall and Ports

With the firewall enabled, the freeipa-trust service definition below lists the ports required for an AD trust.

# cat /usr/lib/firewalld/services/freeipa-trust.xml
[root@idmns ~]# cat /usr/lib/firewalld/services/freeipa-trust.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA trust setup</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option of you plan to deploy cross-forest trusts with FreeIPA and Active Directory.</description>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138-139"/>
  <port protocol="udp" port="138-139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="udp" port="445"/>
  <port protocol="udp" port="1024-1300"/>
  <port protocol="tcp" port="3268"/>
</service>
[root@idmns ~]#
The 1024-1300 range is the epmap (RPC endpoint mapper) listener range.

With firewalld running, add the service to the permanent configuration and reload. Without --permanent the service would only be added to the runtime configuration, and the reload that follows would drop it again.

# firewall-cmd --permanent --add-service=freeipa-trust
# firewall-cmd --reload
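Before moving on, it is worth confirming from the IDM server that the AD domain controller actually accepts connections on the TCP ports in that service definition. The script below is an added example, not part of the original post: it parses the freeipa-trust.xml shown above (embedded so it runs offline) and reports the TCP ports that cannot be reached; UDP ports are parsed but not probed. The AD address comes from the setup table; the probe function is injectable so the logic can be tested without a network.

```python
"""Check that the AD DC is reachable on the TCP ports freeipa-trust requires."""
import socket
import xml.etree.ElementTree as ET

AD_DC = "192.168.107.99"  # addns.winlinuxsysadmins.local from the setup table

# Copy of /usr/lib/firewalld/services/freeipa-trust.xml as shown in the post,
# embedded so the script does not depend on the file being present.
FREEIPA_TRUST_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA trust setup</short>
  <port protocol="tcp" port="135"/>
  <port protocol="tcp" port="138-139"/>
  <port protocol="udp" port="138-139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="udp" port="445"/>
  <port protocol="udp" port="1024-1300"/>
  <port protocol="tcp" port="3268"/>
</service>"""


def parse_service_ports(xml_text):
    """Return [(protocol, port), ...] with ranges such as 138-139 expanded."""
    ports = []
    for elem in ET.fromstring(xml_text).iter("port"):
        lo, _, hi = elem.get("port").partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            ports.append((elem.get("protocol"), p))
    return ports


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_tcp_ports(host, xml_text, probe=tcp_open):
    """Probe every TCP port in the service definition; return the closed ones."""
    return sorted(p for proto, p in parse_service_ports(xml_text)
                  if proto == "tcp" and not probe(host, p))


if __name__ == "__main__":
    closed = unreachable_tcp_ports(AD_DC, FREEIPA_TRUST_XML)
    print("all trust TCP ports reachable" if not closed else f"closed: {closed}")
```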

Time Configuration

Before making any changes, first make sure that both the IDM server and AD run in the same timezone and are synced to the correct date and time.

# systemctl enable chronyd
# systemctl start chronyd
# timedatectl status

Verify the timezone and date in AD as well.

Double-check the DNS of IDM server

Make sure the IDM server uses its own DNS. Modify the interface configuration to add the DNS server, then restart the interface and verify the change.

# nmcli connection modify ens33 ipv4.dns
# ifdown ens33 && ifup ens33
# cat /etc/resolv.conf

Now the change should be reflected in /etc/resolv.conf.

[root@idmns ~]# nmcli connection modify ens33 ipv4.dns
[root@idmns ~]# 
[root@idmns ~]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@idmns ~]# 
[root@idmns ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search linuxsysadmins.local
[root@idmns ~]#

If you update the DNS settings, the krb5kdc, sssd and httpd services must be restarted for the change to take effect.

# systemctl restart krb5kdc.service
# systemctl restart sssd.service
# systemctl restart httpd.service
# ipactl status

Installing trust Packages

If the AD trust package is not installed yet, install it now; otherwise skip to the next step.

# yum install ipa-server-trust-ad -y

The IPA version we are using is 4.6.4; some of the commands differ in older versions.

[root@idmns ~]# ipa --version
VERSION: 4.6.4, API_VERSION: 2.229
[root@idmns ~]#

Configure IDM for Cross-forest Trust

Before running the commands below, we need to know the current NetBIOS name. In the IDM server GUI, navigate to IPA Server –> Trusts –> Global Trust Configuration.

# ipa-adtrust-install --netbios-name=LINUXSYSADMINS -a redhat123
  • ipa-adtrust-install – Command to set up the AD trust.
  • --netbios-name – The NetBIOS name we used during IDM setup.
  • -a – Admin password. If omitted, the installer prompts for it, which keeps the password out of the shell history.
[root@idmns ~]# ipa-adtrust-install --netbios-name=LINUXSYSADMINS -a redhat123
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
Configure Samba
Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object
Samba domain object already exists
  [4/23]: creating samba config registry
  [5/23]: writing samba config file
  [6/23]: adding cifs Kerberos principal
  [7/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [8/23]: check for cifs services defined on other replicas
  [9/23]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [10/23]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [11/23]: adding RID bases
RID bases already set, nothing to do
  [12/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [13/23]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
  [14/23]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [15/23]: configuring smbd to start on boot
  [16/23]: adding special DNS service records
  [17/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [18/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [19/23]: adding fallback group
Fallback group already set, nothing to do
  [20/23]: adding Default Trust View
Default Trust View already exists.
  [21/23]: setting SELinux booleans
  [22/23]: starting CIFS services
  [23/23]: restarting smbd
Done configuring CIFS.
Setup complete
You must make sure these network ports are open:
  TCP Ports:
    * 135: epmap
    * 138: netbios-dgm
    * 139: netbios-ssn
    * 445: microsoft-ds
    * 1024..1300: epmap listener range
    * 3268: msft-gc
  UDP Ports:
    * 138: netbios-dgm
    * 139: netbios-ssn
    * 389: (C)LDAP
    * 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
[root@idmns ~]# 

Once the AD trust setup finishes, it prints the ports that must be open between AD and IDM. We can skip this step because it was already done in the firewall section above.

DNS configuration for Active Directory (AD) and IDM

1. Creating DNS conditional forwarder on AD

Open a command prompt with Administrator privileges and run the command below to create a conditional forwarder for the IDM domain on the Active Directory DNS server.

dnscmd /ZoneAdd linuxsysadmins.local /Forwarder
Adding conditional forwarders on AD

The above command will add a conditional forwarder under DNS Manager.

Server Manager –> DNS –> DNS Manager

Added Conditional forwarder for Integrating IDM with AD

2. Creating DNS forwarder on IDM

DNS queries from Linux clients that use the IDM server must be forwarded to Active Directory for the AD domain. For that we add a DNS forward zone in IDM with a forward-only policy, pointing at the AD server’s IP address.

# ipa dnsforwardzone-add winlinuxsysadmins.local --forwarder= --forward-policy=only
[root@idmns ~]# ipa dnsforwardzone-add winlinuxsysadmins.local --forwarder= --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait …
ipa: WARNING: DNS server query 'winlinuxsysadmins.local. SOA': The DNS response does not contain an answer to the question: winlinuxsysadmins.local. IN SOA.
  Zone name: winlinuxsysadmins.local.
  Active zone: TRUE
  Zone forwarders:
  Forward policy: only
[root@idmns ~]#

To verify the same from GUI navigate under Network –> DNS –> DNS Forward Zones

Added forwarder in IDM

Adding it from the GUI is easy too; however, the single command above creates the same entry.

Verifying DNS configuration on AD and IDM

Verify DNS on the AD server

To verify the DNS configuration on AD, open a command prompt and start nslookup. Set the query type to service records (SRV) and query both domains. An Answer section in the response confirms that DNS resolution works as expected.

> set type=srv
> _ldap._tcp.winlinuxsysadmins.local
> _ldap._tcp.linuxsysadmins.local
Verify DNS config in AD

Check the DNS on IDM Server

# dig SRV _ldap._tcp.linuxsysadmins.local
# dig SRV _ldap._tcp.winlinuxsysadmins.local
Verify DNS config in IDM
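The two dig queries above can be turned into a repeatable check that runs on the IDM server and passes only when each SRV query actually returns an answer section, which is the condition the post tells you to look for. This is an added example, not part of the original post: the dig runner is injectable and the sample dig output is constructed, so the parsing can be exercised offline.

```python
"""Two-way _ldap._tcp SRV check for the IDM and AD domains."""
import re
import subprocess

DOMAINS = ("linuxsysadmins.local", "winlinuxsysadmins.local")


def run_dig(name):
    """Run 'dig SRV <name>' and return its stdout (empty string on failure)."""
    try:
        return subprocess.run(["dig", "SRV", name], capture_output=True,
                              text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def srv_targets(dig_output):
    """Extract SRV targets from dig's ANSWER SECTION; [] if there is none."""
    m = re.search(r";; ANSWER SECTION:\n(.*?)(?:\n\n|\Z)", dig_output, re.S)
    if not m:
        return []
    targets = []
    for line in m.group(1).splitlines():
        f = line.split()  # name ttl IN SRV prio weight port target.
        if len(f) >= 8 and f[3] == "SRV":
            targets.append(f[7].rstrip("."))
    return targets


def check_ldap_srv(domains=DOMAINS, dig=run_dig):
    """Map each domain to its LDAP SRV targets; an empty list means DNS is broken."""
    return {d: srv_targets(dig(f"_ldap._tcp.{d}")) for d in domains}


# Constructed sample of a healthy reply for the forwarded AD zone.
SAMPLE_OK = """;; QUESTION SECTION:
;_ldap._tcp.winlinuxsysadmins.local. IN SRV

;; ANSWER SECTION:
_ldap._tcp.winlinuxsysadmins.local. 600 IN SRV 0 100 389 addns.winlinuxsysadmins.local.

;; Query time: 1 msec
"""

if __name__ == "__main__":
    for domain, targets in check_ldap_srv().items():
        print(f"{domain}: {'OK ' + ', '.join(targets) if targets else 'NO ANSWER'}")
```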

Disable DNS Validation

Edit /etc/named.conf and set the following inside the options { } block. Note that this disables DNSSEC validation for every zone the IDM DNS serves, not only the forwarded AD zone.

# vim /etc/named.conf
dnssec-validation no;


About Author

Babin Lonston

Overall 14+ Years of experience in the IT field, currently working as a Senior Linux administration with Virtualization & Cloud. Being numismatist for a long time.

6 thoughts on “Integrating IDM with AD (Active directory) using indirect cross-forest trust”

  1. Hi,

    To the point post but does not address another nonSSO case using SSH only.
    That is a client with hostname under the winlinuxsysadmins.local domain (let us call it c1.winlinuxsysadmins.local) to which the AD users would like to log into.

    SSO is out of mind (as the kdc is not within the idm realm), but ssh should still work.

    So `ssh ad-user1@winlinuxsysadmins.local@c1.winlinuxsysadmins.local` theoretically would request PAM authentication using sssd from IdM.

    However in practice this is not the case.

    Any feedback?

    Best regards

  2. Hi Babin,

    Our requirement is Active Directory groups are not supposed to be displayed on the IDM clients.
    Three external groups are created in Redhat IDM (3000, 4000, 5000). Trust is established between Active Directory and Redhat IDM with these external groups. Mapping UserID and Group Membership as in IDM View and AD Membership. We have issues seeing all the group memberships in AD on the client-side. We need to restrict ONLY the Unix Groups to be visible to the clients. Please guide us

    please guide us.

  3. Hi Babin

    Can you please help me understand the below regarding the below commands:

    # ipa group-add --desc='WINLINUXSYSADMINS.local admins external map' winlinuxsysadmins.local_external --external
    # ipa group-add --desc='WINLINUXSYSADMINS.local admins' winlinuxsysadmins.local

    1. Should the group “winlinuxsysadmins.local” have Administrator permissions in AD? Is it a problem if the group has non-Administrator permissions?
    2. Is the group “winlinuxsysadmins.local” used for managing AD users in IDM?

    Kind regards
