[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD

Simo Sorce simo at redhat.com
Tue Mar 13 13:35:47 UTC 2012


On Tue, 2012-03-13 at 13:26 +0200, Alexander Bokovoy wrote:
> Hi,
> 
> at 
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork 
> one can find current state of AD trusts work.
> 
> This tree introduces 'ipa trust-*' family of commands and 
> freeipa-server-trust-ad package to pull-in additional dependencies 
> after install in order to make 'ipa trust-add-ad' working.
> 
> You'll need samba4-4.0.0-102alpha18 from the ipa-devel repository to get 
> trusts working. There are dragons, however, so beware of possible 
> issues:
> 
> 1. Make sure you have properly set up a domain forwarder to your Active 
> Directory DNS server so that SRV record resolution works from the IPA 
> server side.
> 
> One can do it with a simple configuration in BIND, for example:
> zone "ad.local" {
> 	type forward;
> 	forward only;
> 	forwarders { 192.168.111.207; };
> 	check-names ignore;
> };
> 
> You'd need to do the same on the Windows side as well.
> 
> 2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service 
> (https://fedorahosted.org/freeipa/ticket/2523); you'd need to add
> 
> ExecStartPre=/bin/mkdir -p /run/samba
> 
> before the ExecStart= stanza to get it working with the tmpfs-based /run in 
> Fedora 17.

This is wrong.
Please add a file in /etc/tmpfiles.d/samba.conf

Contents should be:
d /var/run/samba  644 root root


(adjust permission and ownership accordingly).

This file needs to be added to the samba4 package (and the samba3
package as well?)

> 3. Once everything is ready, one needs to run ipa-adtrust-install to 
> set up our domain and Samba configuration.
> 
>    ipa-adtrust-install
> 
> Answer its questions (defaults are fine) and after it has finished, 
> there should be smbd processes running.
> 
> 4. kinit again to re-generate your ticket with the MS PAC included.
> 
> 5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS 
> PAC data when comparing the principals. This issue essentially forbids 
> using s4u2proxy functionality with IPA as soon as the Kerberos ticket 
> contains the MS PAC. To get around it, one needs to always specify the 
> --delegate option to the 'ipa' command.
> 
> 6. Run
> 
>    ipa trust-add-ad <domain for trust> --admin <Administrator> --password
> 
> 'ipa trust-add-ad' will ask you for the trusted domain administrator's 
> password, then discover a domain controller using SRV records in the 
> trusted domain's DNS, set up the remote half of the trust and later 
> attempt to set up the local part of the trust.
> 
> 
> Here is an example of use:
> # ipa --delegate trust-add-ad ad.local --admin Administrator --password 
> Password of the realm's administrator: 
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
> # ipa --delegate trust-show ad.local
>   Realm name: ad.local
>   Domain NetBIOS name: AD
>   Trust direction: Both directions
>   Trust type: Cross-Forest
> 
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York
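A pre-flight check for step 1 of Alexander's list, as an added example that is not part of this thread or of the FreeIPA code base: it asks the IPA server's resolver for the SRV records that trust-add-ad's domain controller discovery relies on, and reports which ones the BIND forward zone fails to return. It assumes `dig` is installed and uses the standard AD record names _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>; the embedded sample answer is constructed and only exercises the parser offline.

```shell
#!/bin/sh
# Pre-flight check for the DNS forwarding step: before ipa-adtrust-install and
# trust-add-ad, confirm the IPA server's resolver (through the BIND forward
# zone) returns the SRV records used to find a domain controller in AD.
# Added example, not code from the original thread; assumes `dig` is installed
# and uses the standard AD record names _ldap._tcp.dc._msdcs.<domain> and
# _kerberos._tcp.<domain>.

# Turn `dig +short SRV` output ("priority weight port target.") into one
# "target:port" per line, lowest priority first; lines that are not SRV
# answers (fewer than four fields) are skipped.
parse_srv() {
    printf '%s\n' "$1" | while read -r prio weight port target; do
        [ -n "$target" ] || continue
        printf '%s %s:%s\n' "$prio" "${target%.}" "$port"
    done | sort -n | cut -d' ' -f2-
}

# Returns 0 when at least one SRV answer is present, 1 otherwise.
srv_ok() {
    [ -n "$(parse_srv "$1")" ]
}

# Query the live resolver for each record the trust setup depends on.
# Prints one line per record and returns 1 if any of them is missing.
check_ad_dns() {
    domain=$1
    status=0
    for name in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        answer=$(dig +short SRV "$name" 2>/dev/null || true)
        if srv_ok "$answer"; then
            echo "ok   $name -> $(parse_srv "$answer" | head -n 1)"
        else
            echo "FAIL $name: no SRV answer; check the forward zone for $domain"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample answer in the shape `dig +short SRV` prints (not real
# data); it is only used to exercise the parser offline.
SAMPLE_ANSWER='10 100 389 dc2.ad.local.
0 100 389 dc1.ad.local.'

# Usage: sh check_ad_dns.sh ad.local
if [ "$#" -gt 0 ]; then
    check_ad_dns "$1"
fi
```

Run it on the IPA server after adding the forward zone, e.g. `sh check_ad_dns.sh ad.local`. A FAIL line for _ldap._tcp.dc._msdcs.ad.local means the resolver is not returning AD's SRV records, which is exactly what trust-add-ad's discovery step needs, so fix the forward zone before going on to step 6.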