[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 13 11:26:56 UTC 2012


Hi,

At 
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork 
one can find the current state of the AD trusts work.

This tree introduces the 'ipa trust-*' family of commands and the 
freeipa-server-trust-ad package, which pulls in additional dependencies 
after install in order to make 'ipa trust-add-ad' work.

You'll need samba4-4.0.0-102alpha18 from the ipa-devel repository to get 
trusts working. There are dragons, however, so beware of possible 
issues:

1. Make sure you have properly set up a domain forwarder to your Active 
Directory DNS server so that SRV record resolution works from the IPA 
server side.

One can do it with a simple configuration in BIND, for example:
zone "ad.local" {
	type forward;
	forward only;
	forwarders { 192.168.111.207; };
	check-names ignore;
};

You'd need to do the same on Windows side as well.

2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service 
(https://fedorahosted.org/freeipa/ticket/2523); you'd need to add

ExecStartPre=/bin/mkdir -p /run/samba

before the ExecStart= stanza to get it working with the tmpfs-based /run in 
Fedora 17.

3. Once everything is ready, one needs to run ipa-adtrust-install to 
set up our domain and Samba configuration.

   ipa-adtrust-install

Answer its questions (defaults are fine) and after it has finished, 
there should be smbd processes running.

4. kinit again to re-generate your ticket with MS PAC included.

5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS 
PAC data when comparing the principals. This issue essentially forbids 
using s4u2proxy functionality with IPA as soon as the Kerberos ticket 
contains an MS PAC. To get around it, one needs to always specify the 
--delegate option to the 'ipa' command.

6. Run

   ipa trust-add-ad <domain for trust> --admin <Administrator> --password

'ipa trust-add-ad' will ask you for the trusted domain's administrator's 
password and then discover the domain controller using SRV 
records in the trusted domain's DNS, set up the remote half of the trust and 
later attempt to set up the local part of the trust.


Here is an example of use:
# ipa --delegate trust-add-ad ad.local --admin Administrator --password 
Password of the realm's administrator: 
-------------------------------------------------
Added Active Directory trust for realm "ad.local"
-------------------------------------------------
# ipa --delegate trust-show ad.local
  Realm name: ad.local
  Domain NetBIOS name: AD
  Trust direction: Both directions
  Trust type: Cross-Forest



-- 
/ Alexander Bokovoy
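A pre-flight check for the steps above, added here as an example and not FreeIPA's or Samba's own code; it assumes dig, pgrep and klist are installed and that the IPA server's BIND answers on 127.0.0.1:

```shell
#!/bin/sh
# Pre-flight checks before 'ipa trust-add-ad' (constructed example).
# Usage: sh adtrust-preflight.sh run <ad-domain>

# SRV names the IPA server must resolve to discover a DC in the trusted domain.
ad_srv_names() {
    d="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.$d" \
        "_kerberos._tcp.$d"
}

# Render the BIND forward-zone stanza from the mail for a domain and forwarder IP.
bind_forward_zone() {
    printf 'zone "%s" {\n\ttype forward;\n\tforward only;\n' "$1"
    printf '\tforwarders { %s; };\n\tcheck-names ignore;\n};\n' "$2"
}

# Query each SRV name through the local resolver; report every miss.
check_srv() {
    rc=0
    for name in $(ad_srv_names "$1"); do
        if dig +short SRV "$name" @127.0.0.1 | grep -q .; then
            echo "ok   SRV $name"
        else
            echo "FAIL SRV $name (forwarder for $1 missing or wrong?)"
            rc=1
        fi
    done
    return $rc
}

# Samba runtime dir (ticket 2523), smbd running, and a ticket from kinit.
check_local() {
    rc=0
    if [ -d /run/samba ]; then echo "ok   /run/samba exists"
    else echo "FAIL /run/samba missing (add ExecStartPre mkdir)"; rc=1; fi
    if pgrep -x smbd >/dev/null; then echo "ok   smbd running"
    else echo "FAIL smbd not running (ipa-adtrust-install done?)"; rc=1; fi
    if klist -s; then echo "ok   Kerberos ticket present"
    else echo "FAIL no ticket; run kinit again to get the MS PAC"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "run" ]; then
    check_srv "$2"; check_local
fi
```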