Integrate FreeIPA with Windows 2016 Active Directory
In this lab we set up a trust-based integration between FreeIPA and a Windows 2016 Active Directory forest.
Lab Information
- Windows 2016 Standard
- CentOS 7.5.1804
- FreeIPA 4.5.4
- Windows domain: win.poc.lab
- IPA domain: lin.poc.lab
- Kerberos realm names: WIN.POC.LAB; LIN.POC.LAB
Required Firewall ports
- TCP ports: 80, 88, 443, 389, 636, 464, 53, 135, 138, 139, 445, 1024-1300
- UDP ports: 88, 464, 53, 123, 138, 139, 389, 445
POC Deployment
1. Set up a Windows Server 2016 Standard domain win.poc.lab with integrated DNS.
2. Set up a CentOS 7 VM and install FreeIPA.
Enable IPv6 first (current satellite images have it disabled in GRUB): edit /etc/default/grub and change the kernel parameter ipv6.disable from 1 to 0 on the GRUB_CMDLINE_LINUX line, then rebuild the GRUB config and reboot:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    shutdown -r now
Update the system, install the IPA server with AD trust support, and run the installers:
    yum update -y
    yum install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap
    ipa-server-install -a Password1 -p Password1 --domain=lin.poc.lab --realm=LIN.POC.LAB --setup-dns --no-forwarders -U
    ipa-adtrust-install --netbios-name=lin -a Password1
To obtain a ticket-granting ticket as admin, check that the admin user resolves, and (re)run the trust setup:
    # kinit admin
    # getent passwd admin
    # ipa-adtrust-install --netbios-name=lin -a Password1
3. DNS Configuration
On the Windows DC, add a conditional forwarder for the IPA zone:
    dnscmd 127.0.0.1 /ZoneAdd lin.poc.lab /Forwarder 10.196.180.192
On the IPA (Linux) server, add a forward zone for the AD domain:
    kinit admin
    ipa dnsforwardzone-add win.poc.lab --forwarder=10.196.180.191 --forward-policy=only
In /etc/named.conf set DNSSEC validation to no (otherwise answers forwarded from the unsigned AD zone are rejected), then restart named:
    dnssec-validation no;
    systemctl restart named-pkcs11
Verify DNS Lookups
On Windows:
    C:\> nslookup
    > set type=srv
    > _ldap._tcp.win.poc.lab
    > _ldap._tcp.lin.poc.lab
    > quit
On Linux:
    # dig SRV _ldap._tcp.lin.poc.lab
    # dig SRV _ldap._tcp.win.poc.lab
4. Establish and verify trust
    kinit admin
    ipa trust-add --type=ad win.poc.lab --admin Administrator --password
Client system setup
Add a host record to /etc/hosts.
Configure /etc/resolv.conf to point at the IdM server.
Add the client system to IPA DNS: in the GUI, Identity -> Hosts -> Add.
Install and enroll the client:
    yum install freeipa-client
    ipa-client-install --mkhomedir    # enter the admin user and password (admin, Password1)
Edit /etc/krb5.conf so that principals from the AD realm are mapped to win.poc.lab user names (replace IPA_DOMAIN with the IPA realm, LIN.POC.LAB in this lab):
    [realms]
    IPA_DOMAIN = {
        ....
        auth_to_local = RULE:[1:$1@$0](^.*@WIN.POC.LAB$)s/@WIN.POC.LAB/@win.poc.lab/
        auth_to_local = DEFAULT
    }
Restart the services:
    # service krb5kdc restart
    # service sssd restart
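To see what the auth_to_local lines above actually do, here is an added Python model (not part of the original lab) of MIT krb5's RULE and DEFAULT mapping applied to this page's rule; the sample principals are constructed, and LIN.POC.LAB is assumed as the client's default realm.

```python
import re

# The two auth_to_local lines from the krb5.conf step, in order.
AUTH_TO_LOCAL = (
    "RULE:[1:$1@$0](^.*@WIN.POC.LAB$)s/@WIN.POC.LAB/@win.poc.lab/",
    "DEFAULT",
)
DEFAULT_REALM = "LIN.POC.LAB"  # assumed: the client's own (IPA) realm

_RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]+)\))?(.*)")
_SED_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def apply_rule(rule, principal):
    """Apply one RULE:[n:fmt](regex)s/a/b/ entry; return the local name or None."""
    m = _RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: %s" % rule)
    ncomp, fmt, match, seds = m.groups()
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != int(ncomp):        # rule applies only to n-component principals
        return None
    text = fmt                          # $1..$n are the components, $0 the realm
    for i in range(len(comps), 0, -1):
        text = text.replace("$%d" % i, comps[i - 1])
    text = text.replace("$0", realm)
    if match and not re.fullmatch(match, text):   # page's regex is anchored anyway
        return None
    for pat, repl, g in _SED_RE.findall(seds):    # sed-style substitutions, in order
        text = re.sub(pat, repl, text, count=0 if g else 1)
    return text

def auth_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Walk the rules in order, as libkrb5 does, and return the local name or None."""
    for rule in rules:
        if rule == "DEFAULT":   # single-component principal in our own realm only
            name, _, realm = principal.rpartition("@")
            if realm == default_realm and "/" not in name:
                return name
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None  # nothing matched: the principal gets no local account

if __name__ == "__main__":
    # Constructed sample principals. The last one shows that the unescaped dots in
    # the rule's regex also match a realm like WINXPOCXLAB; WIN\.POC\.LAB is exact.
    for p in ("jdoe@WIN.POC.LAB", "admin@LIN.POC.LAB",
              "host/dc1.win.poc.lab@WIN.POC.LAB", "jdoe@WINXPOCXLAB"):
        print(p, "->", auth_to_local(p))
```

Only realms the KDC actually trusts can present tickets, so the loose dots are a tidiness point rather than an exposure, but escaping them keeps the mapping from surprising anyone later.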
Allow user access to resources
Create external group in IPA for trusted domain admins
ipa group-add --desc='ad_domain admins external map' ad_admins_external --external
Create POSIX group for external ad_admins_external group:
ipa group-add --desc='ad_domain admins' ad_admins
Add trusted domain users to the external group
ipa group-add-member ad_admins_external --external 'win.poc.lab\Domain Admins'
# press Enter at the prompts for additional member users and groups
Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
Create sudo rule
ipa sudorule-add --cmdcat=all All
Add local host record to your system
10.196.180.192 sq5vdlidm001.lin.poc.lab
Useful notes:
- Local POSIX group must include external group
- SUDO rights granted to local POSIX group
- EXTERNAL AD group added to local POSIX group
- An AD group from Active Directory can be added to an external IPA group in the form DOMAIN\group
- EXTERNAL users added to external ad groups
Useful commands
    ipa sudorule-find all
    ipa host-del client1.lin.poc                            # delete the host entry (add --updatedns to remove its DNS records too)
    ipa dnsrecord-add lin.poc client2 --a-rec 10.17.90.45   # add a DNS record to IPA