[Freeipa-devel] [PATCH] [WIP] Cross-realm trusts with AD

Dmitri Pal dpal at redhat.com
Tue Mar 13 12:48:09 UTC 2012


On 03/13/2012 07:26 AM, Alexander Bokovoy wrote:
> Hi,
>
> at 
> http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/adwork 
> one can find the current state of the AD trusts work.
>
> This tree introduces the 'ipa trust-*' family of commands and a 
> freeipa-server-trust-ad package to pull in additional dependencies 
> after install in order to make 'ipa trust-add-ad' work.
>
> You'll need samba4-4.0.0-102alpha18 from ipa-devel repository to get 
> trusts working. There are dragons, however, so beware of possible 
> issues:
>
> 1. Make sure you have properly set up a domain forwarder to your Active 
> Directory DNS server so that SRV record resolution works from the IPA 
> server side.
>
> One can do it with a simple configuration in BIND, for example:
> zone "ad.local" {
> 	type forward;
> 	forward only;
> 	forwarders { 192.168.111.207; };
> 	check-names ignore;
> };
>
> You'd need to do the same on Windows side as well.
>
> 2. samba4 4.0.0-102alpha18 has one minor bug in its systemd service 
> (https://fedorahosted.org/freeipa/ticket/2523), so you'd need to add
>
> ExecStartPre=/bin/mkdir -p /run/samba
>
> before the ExecStart= stanza to get it working with the tmpfs-based /run in 
> Fedora 17.
>
> 3. Once everything is ready, one needs to run ipa-adtrust-install to 
> set up our domain and Samba configuration.
>
>    ipa-adtrust-install
>
> Answer its questions (defaults are fine) and after it has finished, 
> there should be smbd processes running.
>
> 4. kinit again to re-generate your ticket with MS PAC included.
>
> 5. There is an issue in MIT Kerberos related to s4u2proxy handling of MS 
> PAC data when comparing the principals. This issue essentially forbids 
> using s4u2proxy functionality with IPA as soon as the Kerberos ticket 
> contains an MS PAC. To get around it, one needs to always specify the 
> --delegate option to the 'ipa' command.
>

What is our plan to address this issue?
The workaround does not seem to be good enough for a release.


> 6. Run
>
>    ipa trust-add-ad <domain for trust> --admin <Administrator> --password
>
> 'ipa trust-add-ad' will ask you for the trusted domain's administrator 
> password and then discover a domain controller using SRV records in the 
> trusted domain's DNS, set up the remote half of the trust and later 
> attempt to set up the local part of the trust.
>
>
> Here is an example of use:
> # ipa --delegate trust-add-ad ad.local --admin Administrator --password 
> Password of the realm's administrator: 
> -------------------------------------------------
> Added Active Directory trust for realm "ad.local"
> -------------------------------------------------
> # ipa --delegate trust-show ad.local
>   Realm name: ad.local
>   Domain NetBIOS name: AD
>   Trust direction: Both directions
>   Trust type: Cross-Forest
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
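The quoted procedure depends on three things being true before 'ipa trust-add-ad' is attempted: the AD domain's SRV records resolve through the BIND forwarder, /run/samba exists so the patched samba4 unit can start, and smbd is running after ipa-adtrust-install. The following preflight script is an added example for this thread, not code from the FreeIPA tree or from either poster; it assumes dig(1) from bind-utils is installed on the IPA server and that the script runs there.

```shell
#!/bin/sh
# Added preflight checks for the trust setup steps quoted above; this is
# example code, not part of the FreeIPA tree or the thread. Assumptions:
# dig(1) from bind-utils is installed on the IPA server, and the script runs
# on that server. DNS lookups go through $DIG and the samba runtime directory
# through $RUN_SAMBA_DIR so they can be overridden in a test.
DIG=${DIG:-dig}

# Print the SRV targets a domain-controller locator would use for DOMAIN.
# No output means the forward zone for the AD domain (step 1) is missing.
ad_dc_srv_targets() {
    # dig +short on an SRV record prints: priority weight port target.
    "$DIG" +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{ print $4 }'
}

# Succeed when at least one DC SRV record resolves from this host.
check_ad_forwarding() {
    [ -n "$(ad_dc_srv_targets "$1")" ]
}

# The samba4 unit needed "ExecStartPre=/bin/mkdir -p /run/samba" on a tmpfs
# /run (step 2); verify the directory exists before expecting smbd to start.
check_run_samba() {
    [ -d "${RUN_SAMBA_DIR:-/run/samba}" ]
}

# After ipa-adtrust-install (step 3) smbd processes should be running.
check_smbd_running() {
    pgrep -x smbd >/dev/null 2>&1
}

# Run all checks for DOMAIN and print the names of the failed ones, one per
# line, so a caller can stop before attempting 'ipa trust-add-ad'.
preflight() {
    check_ad_forwarding "$1" || echo "srv_forwarding"
    check_run_samba || echo "run_samba"
    check_smbd_running || echo "smbd"
}

if [ -n "${1:-}" ]; then
    failures=$(preflight "$1")
    if [ -z "$failures" ]; then
        echo "all checks passed; kinit again (step 4), then run:"
        echo "  ipa --delegate trust-add-ad $1 --admin Administrator --password"
    else
        echo "fix before adding the trust:" $failures
        exit 1
    fi
fi
```

Run it as `sh preflight.sh ad.local` on the IPA server; a non-zero exit lists which of the three prerequisites is still missing.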

