305.3 FreeIPA Active Directory Integration (weight: 2)

Tech Tutorial: 305.3 FreeIPA Active Directory Integration (weight: 2) #

Introduction #

In this tutorial, we will explore how to establish a cross-forest trust between a FreeIPA domain and an Active Directory (AD) domain. This is a crucial skill for system administrators who manage hybrid networks consisting of both Linux and Windows machines. Establishing a trust relationship allows users from one domain to access resources in the other domain seamlessly.

Key Knowledge Areas: #

  • Understanding of DNS and AD requirements for trusts
  • Installation and configuration of FreeIPA
  • Establishing trust relations between FreeIPA and AD
  • Managing permissions and access controls in a cross-forest environment

Utilities: #

  • ipa
  • realm
  • kinit
  • net ads

Step-by-Step Guide #

Step 1: Environment Setup #

Ensure that you have two servers available: one for FreeIPA and one for Active Directory. Both servers should be properly configured with static IP addresses, fully qualified domain names (FQDN), and correct DNS settings.

Example Setup: #

  • FreeIPA Server: ipa.example.com (IP: 192.168.1.10)
  • Active Directory Server: ad.example.com (IP: 192.168.1.20)

Step 2: Installing FreeIPA #

Install the FreeIPA server on a CentOS/RHEL system. Ensure the system is updated and has the required packages.

sudo yum update -y
sudo yum install ipa-server ipa-server-dns -y

Configure the FreeIPA server. During setup, specify DNS and the domain details.

sudo ipa-server-install --setup-dns --forwarder=8.8.8.8 --no-forwarders --realm=EXAMPLE.COM --domain=example.com --ds-password=password --admin-password=adminpass

Replace --forwarder, --realm, --domain, --ds-password, and --admin-password with appropriate values.

Step 3: Setting up Active Directory #

Set up an AD domain controller on a Windows Server. This guide assumes you have Windows Server installed and ready to configure.

  1. Open “Server Manager”.
  2. Add roles and features, install “Active Directory Domain Services”, and promote the server to a domain controller.

Step 4: Establishing Trust Relationship #

On the FreeIPA server, initialize Kerberos:

kinit admin

Create a Trust: #

Use the ipa command to establish a trust with the AD domain.

ipa trust-add --type=ad ad.example.com --admin Administrator --password

This command will prompt for the AD domain administrator’s password.

Step 5: Verify the Trust #

Check the trust status using:

ipa trust-show ad.example.com

Step 6: Access Control and Permissions #

Manage access controls and permissions from the FreeIPA web interface or CLI to allow specific AD users or groups to access resources in the IPA domain.

Step 7: Testing the Trust #

From an AD joined Windows machine, try accessing a resource on the IPA domain using an AD user credentials.

Conclusion #

Setting up a cross-forest trust between FreeIPA and Active Directory allows organizations to manage a mixed environment more effectively. By following the steps outlined in this tutorial, system administrators can ensure seamless access between Linux and Windows systems, enhancing productivity and security across the network. Regularly monitor and adjust permissions as required to maintain a secure and efficient integrated environment.