Integrate FreeIPA with Windows 2016 Active Directory

In this lab we set up a trust-based integration between FreeIPA and a Windows 2016 Active Directory forest.

Lab Information

  • Windows 2016 Standard
  • CentOS 7.5.1804
  • FreeIPA 4.5.4
  • Windows domain: win.poc.lab
  • IPA domain: lin.poc.lab
  • Kerberos realm names: WIN.POC.LAB; LIN.POC.LAB

Required firewall ports

  • TCP ports: 80, 88, 443, 389, 636, 464, 53, 135, 138, 139, 445, 1024-1300
  • UDP ports: 88, 464, 53, 123, 138, 139, 389, 445

FreeIPA with AD 2016 integration

POC Deployment

1. Set up a domain win.poc.lab with Windows Server 2016 Standard and integrated DNS.

2. Set up a CentOS 7 VM and install FreeIPA

Enable IPv6 (the current satellite images have it disabled in GRUB):
edit /etc/default/grub and change the value of the kernel parameter ipv6.disable from 1 to 0 on the kernel command line, then regenerate the GRUB config and reboot.
grub2-mkconfig -o /boot/grub2/grub.cfg
shutdown -r now
yum update -y
yum install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap
ipa-server-install -a Password1 -p Password1 --domain=lin.poc.lab --realm=LIN.POC.LAB --setup-dns --no-forwarders -U
ipa-adtrust-install --netbios-name=lin -a Password1

To obtain a ticket-granting ticket, check that the admin user resolves, and run the AD trust setup, run the following commands (the NetBIOS name is the short name, it cannot contain dots):

# kinit admin
# getent passwd admin
# ipa-adtrust-install --netbios-name=lin -a Password1

3. DNS configuration
On the Windows DC, add a conditional forwarder zone for the IPA domain:

dnscmd 127.0.0.1 /ZoneAdd lin.poc.lab /Forwarder 10.196.180.192

On the IPA (Linux) system, add a forward zone for the AD domain:

kinit admin
ipa dnsforwardzone-add win.poc.lab --forwarder=10.196.180.191 --forward-policy=only

In /etc/named.conf disable DNSSEC validation, so that answers forwarded from the AD DNS server are accepted, and restart named:
dnssec-validation no;
systemctl restart named-pkcs11

Verify DNS lookups

On Windows:
C:\> nslookup
> set type=srv
> _ldap._tcp.win.poc.lab
> _ldap._tcp.lin.poc.lab
> quit
On Linux:
# dig SRV _ldap._tcp.lin.poc.lab
# dig SRV _ldap._tcp.win.poc.lab

4. Establish and verify the trust

kinit admin
ipa trust-add --type=ad win.poc.lab --admin Administrator --password

Client system setup

Add a host record for the IdM server to /etc/hosts.
Configure /etc/resolv.conf to point at the IdM server.

Add the client system to IPA DNS:
in the web UI, Identity -> Hosts -> Add.

yum install ipa-client
ipa-client-install --mkhomedir  # enter the enrolling user and password when prompted (admin, Password1)
Edit /etc/krb5.conf and add the auth_to_local rules to the IPA realm section (IPA_DOMAIN stands for the IPA realm, LIN.POC.LAB in this lab):
[realms]
IPA_DOMAIN = {
....
  auth_to_local = RULE:[1:$1@$0](^.*@WIN.POC.LAB$)s/@WIN.POC.LAB/@win.poc.lab/
  auth_to_local = DEFAULT
}
Then restart the services:
# service krb5kdc restart
# service sssd restart
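The auth_to_local rules above decide which local name a cross-realm AD principal is mapped to before SSSD looks it up. The following added example (my own code, not part of this lab or of the krb5 library) implements the RULE:[n:string](regex)s/pattern/replacement/ and DEFAULT semantics that libkrb5 applies, so the mapping can be checked on a workstation before editing the server; the local realm LIN.POC.LAB and the two rules are taken from the snippet above, and the sample principals are constructed.

```python
import re

# Rules copied from the krb5.conf snippet above; local realm as in this lab.
LOCAL_REALM = "LIN.POC.LAB"
RULES = [
    "RULE:[1:$1@$0](^.*@WIN.POC.LAB$)s/@WIN.POC.LAB/@win.poc.lab/",
    "DEFAULT",
]

# RULE:[<ncomp>:<format>](<regex>)<substitutions>
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")
# one or more s/pattern/replacement/[g] substitutions
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def split_principal(principal):
    """Split 'comp1/comp2@REALM' into ([comp1, comp2], REALM)."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal}")
    return name.split("/"), realm

def apply_rule(rule, components, realm):
    """Apply one RULE: entry; return the local name, or None if it does not match."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparsable rule: {rule}")
    ncomp, fmt, regex, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != ncomp:       # [n:...] only applies to n-component principals
        return None
    formatted = fmt.replace("$0", realm)   # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        formatted = formatted.replace(f"${i}", comp)
    if regex and not re.search(regex, formatted):   # regex is not auto-anchored
        return None
    for pat, repl, flag in SUBST_RE.findall(substs):
        formatted = re.sub(pat, repl, formatted, count=0 if flag == "g" else 1)
    return formatted

def auth_to_local(principal, rules=RULES, local_realm=LOCAL_REALM):
    """Walk the rules in order as libkrb5 does; the first match wins."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals of the local realm
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        mapped = apply_rule(rule, components, realm)
        if mapped is not None:
            return mapped
    return None   # no rule matched: libkrb5 refuses the mapping
```

A principal from the trusted realm ends up as jdoe@win.poc.lab, which SSSD resolves through the trust, while service principals and principals from unknown realms get no local name at all.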

Allow user access to resources

Create an external group in IPA for the trusted domain's admins:

ipa group-add --desc='ad_domain admins external map' ad_admins_external --external

Create a POSIX group that will hold the external ad_admins_external group:

ipa group-add --desc='ad_domain admins' ad_admins

Add the trusted domain's group to the external group:

ipa group-add-member ad_admins_external --external 'win.poc.lab\Domain Admins'

# press Enter when asked for credentials

Allow members of ad_admins_external group to be associated with ad_admins POSIX group:

ipa group-add-member ad_admins --groups ad_admins_external

Create a sudo rule that allows all commands:

ipa sudorule-add --cmdcat=all All

Add a local host record for the IdM server to your system:
10.196.180.192 sq5vdlidm001.lin.poc.lab

Useful notes:

  • The local POSIX group must include the external group
  • Sudo rights are granted to the local POSIX group
  • The external AD group is added to the local POSIX group
  • An AD group from Active Directory can be added to the external IPA group as DOMAIN\group
  • External users are added to the external AD groups

Useful commands

ipa sudorule-find all
ipa host-del client1.lin.poc  # delete the host and its A record
ipa dnsrecord-add lin.poc client2 --a-rec 10.17.90.45  # add a DNS record to IPA