[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 13 11:26:56 UTC 2012
Hi,
at
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork
one can find the current state of the AD trusts work.
This tree introduces the 'ipa trust-*' family of commands and a
freeipa-server-trust-ad package that pulls in the additional dependencies
after install in order to make 'ipa trust-add-ad' work.
You'll need samba4-4.0.0-102alpha18 from the ipa-devel repository to get
trusts working. There are dragons, however, so beware of possible
issues:
1. Make sure you have properly set up a domain forwarder to your Active
Directory DNS server so that SRV record resolution works from the IPA
server side.
One can do it with a simple configuration in BIND, for example:
zone "ad.local" {
    type forward;
    forward only;
    forwarders { 192.168.111.207; };
    check-names ignore;
};
You'd need to do the same on the Windows side as well.
2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service
(https://fedorahosted.org/freeipa/ticket/2523); you'd need to add
ExecStartPre=/bin/mkdir -p /run/samba
before the ExecStart= stanza to get it working with the tmpfs-based /run in
Fedora 17.
3. Once everything is ready, one needs to run ipa-adtrust-install to
set up our domain and Samba configuration.
ipa-adtrust-install
Answer its questions (defaults are fine), and after it has finished
there should be smbd processes running.
4. kinit again to re-generate your ticket with the MS PAC included.
5. There is an issue in MIT Kerberos related to S4U2Proxy handling of MS
PAC data when comparing the principals. This issue essentially forbids
using S4U2Proxy functionality with IPA as soon as the Kerberos ticket
contains an MS PAC. To get around it, one needs to always specify the
--delegate option to the 'ipa' command.
6. Run
ipa trust-add-ad <domain for trust> --admin <Administrator> --password
'ipa trust-add-ad' will ask you for the trusted domain's administrator's
password, then discover a domain controller using the SRV records in the
trusted domain's DNS, set up the remote half of the trust, and later
attempt to set up the local part of the trust.
Here is an example of use:
# ipa --delegate trust-add-ad ad.local --admin Administrator --password
Password of the realm's administrator:
-------------------------------------------------
Added Active Directory trust for realm "ad.local"
-------------------------------------------------
# ipa --delegate trust-show ad.local
Realm name: ad.local
Domain NetBIOS name: AD
Trust direction: Both directions
Trust type: Cross-Forest
--
/ Alexander Bokovoy
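As an added example (not part of the original post or of the FreeIPA tree), here is a small POSIX shell script that covers steps 1 and 2 above and adds the pre-flight check a practitioner would want before step 6: it prints the BIND forward-zone stanza for the AD domain, writes a copy of the samba unit file with the ExecStartPre= line inserted before ExecStart= (into /etc/systemd/system, which takes precedence over the packaged unit), and then verifies from the IPA server that the standard AD SRV records resolve. The domain ad.local and forwarder 192.168.111.207 are the values from the post; the unit file paths, the script name and the use of dig are assumptions.

```shell
#!/bin/sh
# ad-trust-prep.sh (hypothetical name): prepare an IPA server for an AD trust.
# Added example, not code from the original post or the FreeIPA project.
# Usage: sh ad-trust-prep.sh <ad-domain> <ad-dns-forwarder-ip>

# Step 1: emit a BIND forward zone for the AD domain pointing at the AD DNS
# server. Drop the output into named.conf on the IPA server.
bind_forward_zone() {
    domain=$1
    forwarder=$2
    printf 'zone "%s" {\n' "$domain"
    printf '    type forward;\n'
    printf '    forward only;\n'
    printf '    forwarders { %s; };\n' "$forwarder"
    printf '    check-names ignore;\n'   # kept from the stanza in the post
    printf '};\n'
}

# Step 2: copy a samba unit file to $dst, inserting the mkdir line before the
# first ExecStart= so /run/samba exists on a tmpfs-based /run. Idempotent: a
# unit that already carries the line is copied unchanged.
patch_samba_unit() {
    src=$1
    dst=$2
    if grep -q '^ExecStartPre=/bin/mkdir -p /run/samba$' "$src"; then
        cp "$src" "$dst"
        return 0
    fi
    awk '/^ExecStart=/ && !done { print "ExecStartPre=/bin/mkdir -p /run/samba"; done=1 }
         { print }' "$src" > "$dst"
}

# Pre-flight for step 6: 'ipa trust-add-ad' locates a DC through SRV records,
# so confirm the records the trust relies on resolve from this host.
# Returns 0 only if every record has at least one target, 2 if dig is missing.
check_ad_srv() {
    domain=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    rc=0
    for name in "_ldap._tcp.dc._msdcs.$domain" \
                "_kerberos._tcp.dc._msdcs.$domain" \
                "_ldap._tcp.$domain" \
                "_kerberos._tcp.$domain"; do
        targets=$(dig +short SRV "$name")
        if [ -z "$targets" ]; then
            echo "MISSING  SRV $name" >&2
            rc=1
        else
            echo "OK       SRV $name -> $(printf '%s' "$targets" | head -n 1)"
        fi
    done
    return "$rc"
}

# Only act when a domain and forwarder are given on the command line.
if [ "$#" -ge 2 ]; then
    echo "# BIND forward zone for $1 (add to named.conf, then reload named):"
    bind_forward_zone "$1" "$2"
    # Assumed paths: packaged unit in /lib/systemd/system, override in /etc.
    if [ -f /lib/systemd/system/samba.service ]; then
        patch_samba_unit /lib/systemd/system/samba.service \
                         /etc/systemd/system/samba.service \
            && echo "# wrote /etc/systemd/system/samba.service (run: systemctl daemon-reload)"
    fi
    check_ad_srv "$1" || echo "# fix DNS forwarding before running ipa trust-add-ad" >&2
fi
```

Run the SRV check again after changing the forwarder configuration; if any record is reported MISSING, 'ipa trust-add-ad' will not be able to discover the domain controller, whatever the rest of the setup looks like.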