[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD
Simo Sorce
simo at redhat.com
Tue Mar 13 13:35:47 UTC 2012
On Tue, 2012-03-13 at 13:26 +0200, Alexander Bokovoy wrote:
> Hi,
>
> at
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork
> one can find current state of AD trusts work.
>
> This tree introduces 'ipa trust-*' family of commands and
> freeipa-server-trust-ad package to pull-in additional dependencies
> after install in order to make 'ipa trust-add-ad' working.
>
> You'll need samba4-4.0.0-102alpha18 from ipa-devel repository to get
> trusts working. There are dragons, however, so beware of possible
> issues:
>
> 1. Make sure you have properly set up a domain forwarder to your Active
> Directory DNS server so that SRV record resolution works from the IPA
> server side.
>
> One can do it with a simple configuration in BIND, for example:
> zone "ad.local" {
> type forward;
> forward only;
> forwarders { 192.168.111.207; };
> check-names ignore;
> };
>
> You'd need to do the same on Windows side as well.
>
> 2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service
> (https://fedorahosted.org/freeipa/ticket/2523), you'd need to add
>
> ExecStartPre=/bin/mkdir -p /run/samba
>
> before ExecStart= stanza to get it working with tmpfs-based /run in
> Fedora 17.
This is wrong.
Please add a file in /etc/tmpfiles.d/samba.conf
Contents should be:
d /var/run/samba 644 root root
(adjust permissions and ownership accordingly).
This file needs to be added to the samba4 package (and the samba3
package as well?)
> 3. Once everything is ready, one needs to run ipa-adtrust-install to
> set up our domain and Samba configuration.
>
> ipa-adtrust-install
>
> Answer its questions (defaults are fine) and after it has finished,
> there should be smbd processes running.
>
> 4. kinit again to re-generate your ticket with MS PAC included.
>
> 5. There is an issue in MIT kerberos related to s4u2proxy handling of MS
> PAC data when comparing the principals. This issue essentially forbids
> using s4u2proxy functionality with IPA as soon as the kerberos ticket
> contains an MS PAC. To get around it, one needs to always specify the
> --delegate option to the 'ipa' command.
>
> 6. Run
>
> ipa trust-add-ad <domain for trust> --admin <Administrator> --password
>
> 'ipa trust-add-ad' will ask you for the trusted domain administrator's
> password, then discover a domain controller using SRV records in the
> trusted domain's DNS, set up the remote half of the trust and later
> attempt to set up the local part of the trust.
>
>
> Here is an example of use:
> # ipa --delegate trust-add-ad ad.local --admin Administrator --password
> Password of the realm's administrator:
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
> # ipa --delegate trust-show ad.local
> Realm name: ad.local
> Domain NetBIOS name: AD
> Trust direction: Both directions
> Trust type: Cross-Forest
>
>
>
--
Simo Sorce * Red Hat, Inc * New York
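The first item in the quoted procedure (the BIND forward zone) exists so that 'ipa trust-add-ad' can discover a domain controller through SRV records, and the trust setup fails in confusing ways when only some of those records resolve. The following script is an added example, not code from the thread or from FreeIPA: it lists the SRV names a Windows domain publishes (the specific record names, the two-DC sample answers and the `sample_resolver` helper are this example's own assumptions, not anything the e-mail states), parses `dig +short SRV` output, and selects a DC the way an RFC 2782 client would (lowest priority first, higher weight preferred). Run it with a domain argument on the IPA server to query the real forwarder; without arguments it runs against the embedded sample data.

```python
"""Check the DNS prerequisites for an IPA -> AD trust (added example, not
part of the original thread or of FreeIPA)."""
from __future__ import annotations

import shutil
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def required_srv_names(domain: str) -> list[str]:
    """SRV names an AD domain publishes (assumed list, standard AD DNS layout).
    The _msdcs names are what clients use to locate a writable DC."""
    domain = domain.rstrip(".").lower()
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
    ]


def parse_srv_answers(text: str) -> list[SrvRecord]:
    """Parse the 'priority weight port target' lines that 'dig +short SRV' prints."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected SRV answer line: {line!r}")
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def pick_dc(records: list[SrvRecord]) -> SrvRecord | None:
    """RFC 2782 ordering: lowest priority wins; within a priority the higher
    weight is preferred. Deterministic (no weighted random) so results repeat."""
    if not records:
        return None
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))[0]


def dig_srv(name: str, server: str | None = None) -> str:
    """Query the system resolver (or an explicit server) with dig; raw text out."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    cmd = ["dig", "+short", "SRV", name]
    if server:
        cmd.append(f"@{server}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_domain(domain: str, resolver=dig_srv) -> dict[str, SrvRecord | None]:
    """Map every required SRV name to the chosen DC, or None when the name
    does not resolve (typically a missing or wrong forward zone)."""
    result: dict[str, SrvRecord | None] = {}
    for name in required_srv_names(domain):
        try:
            result[name] = pick_dc(parse_srv_answers(resolver(name)))
        except (RuntimeError, subprocess.CalledProcessError, ValueError):
            result[name] = None
    return result


# Constructed sample answers for a two-DC "ad.local" (not real output).
# _kpasswd._tcp is deliberately absent to show how a partial zone is reported.
SAMPLE_ANSWERS = {
    "_ldap._tcp.dc._msdcs.ad.local": "0 100 389 dc1.ad.local.\n0 50 389 dc2.ad.local.\n",
    "_kerberos._tcp.dc._msdcs.ad.local": "0 100 88 dc1.ad.local.\n0 50 88 dc2.ad.local.\n",
    "_ldap._tcp.ad.local": "0 100 389 dc1.ad.local.\n",
    "_kerberos._tcp.ad.local": "0 100 88 dc1.ad.local.\n",
    "_kerberos._udp.ad.local": "0 100 88 dc1.ad.local.\n",
}


def sample_resolver(name: str) -> str:
    """Offline stand-in for dig_srv (assumed helper for this example)."""
    if name not in SAMPLE_ANSWERS:
        raise RuntimeError("NXDOMAIN")
    return SAMPLE_ANSWERS[name]


if __name__ == "__main__":
    live = len(sys.argv) > 1
    domain = sys.argv[1] if live else "ad.local"
    for srv_name, rec in check_domain(domain, dig_srv if live else sample_resolver).items():
        status = f"{rec.target}:{rec.port}" if rec else "MISSING - check the forward zone"
        print(f"{srv_name:40s} {status}")
```

A name reported as MISSING on the IPA side means the BIND forward zone for the AD domain is absent or not reaching the AD DNS server; the same check run from a Windows DC against the IPA domain's names covers the "same on Windows side" half of the quoted step.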