Installing IPA on RHEL 7 and utilizing an Active Directory Trust
This document depends on the following assumptions:
- NetBIOS names of the IPA domain and AD domain must be different.
- In addition, NetBIOS names of the IPA server and AD DC server must be different.
- Encoredev.local is the AD domain
- encoredev1.encoredev.local will host this domain and associated DNS
- Linux.local is the IPA domain
- ipa1.linux.local will host this domain and associated DNS records
- The /etc/hosts file is configured
- The server's hostname is configured correctly
- The server has firewalld disabled or the appropriate firewall ports have been opened.
- NS1/NS2 = 172.16.40.2/172.16.40.3
- DEVNS1/DEVNS2 = 172.16.104.2/172.16.105.3
- Windows Domain = encoredev.local
- IPA domain = linux.local
- Active Directory Linux Admins Group = LinuxAdmins
- NFS Server = nfs.linux.local
- nfs.linux.local has been added as an IPA Client
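The first two assumptions are easy to get wrong when domain and host names share a first label (ipa-adtrust-install derives the NetBIOS name from the first DNS label unless --netbios-name is given). The following preflight check is an added example, not part of the original document; it assumes that derivation rule (first label, uppercased, cut to 15 characters) and uses the host and domain names listed above.

```shell
#!/bin/sh
# Added example (not from the original document): check the NetBIOS
# uniqueness preconditions before running ipa-adtrust-install.
# Assumption: without --netbios-name, the NetBIOS name is derived from the
# first DNS label, uppercased and cut to 15 characters.

# netbios_name FQDN -> prints the derived NetBIOS name
netbios_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# netbios_distinct NAME_A NAME_B -> exit 0 if the derived NetBIOS names differ
netbios_distinct() {
    a=$(netbios_name "$1")
    b=$(netbios_name "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# trust_preflight IPA_DOMAIN AD_DOMAIN IPA_SERVER AD_DC -> exit 0 when both
# the domain pair and the server pair have distinct NetBIOS names; otherwise
# explain the clash on stderr and exit 1
trust_preflight() {
    ok=0
    if ! netbios_distinct "$1" "$2"; then
        echo "domain NetBIOS clash: $1 and $2 both derive $(netbios_name "$1")" >&2
        ok=1
    fi
    if ! netbios_distinct "$3" "$4"; then
        echo "server NetBIOS clash: $3 and $4 both derive $(netbios_name "$3")" >&2
        ok=1
    fi
    return $ok
}

# Values from this document's assumptions:
trust_preflight linux.local encoredev.local ipa1.linux.local encoredev1.encoredev.local \
    && echo "NetBIOS preflight OK"
```

Run it before ipa-adtrust-install; a clash (for example an IPA domain linux.local next to an AD domain linux.example, both deriving LINUX) is the case where you must pass an explicit --netbios-name.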
Installing IPA
Install the IPA packages via Yum:
yum install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap
Install and configure IPA:
ipa-server-install -a password1 -p password1 --domain=linux.local --realm=linux.local --setup-dns --no-forwarders -U
Login as admin (using password1):
kinit admin
DNS Configuration
Allow Zone Transfers to NS1/NS2 and DEVNS1/DEVNS2:
ipa dnszone-mod linux.local --allow-transfer="172.16.40.2;172.16.40.3;172.16.104.2;172.16.105.3"
Configure the Windows domain in DNS:
ipa dnsforwardzone-add encoredev.local --forwarder=172.16.105.3 --forwarder=172.16.104.2 --forward-policy=only
Add the IPA domain to the AD DNS server:
dnscmd 127.0.0.1 /ZoneAdd linux.local /Secondary 172.16.100.6
On a Domain Controller, add the following DNS forwarder:
dnscmd 127.0.0.1 /ZoneAdd ipadomain.example.com /Forwarder 10.16.78.61
Add A and NS records for the IPA domain:
dnscmd 127.0.0.1 /RecordAdd encoredev.local ipa1.linux.local A 172.16.100.6
dnscmd 127.0.0.1 /RecordAdd encoredev.local linux.local NS ipa1.linux.local
Trust Configuration
Set up the server to enable Trusts:
yum install ipa-server "*ipa-server-trust-ad" samba samba-client
Execute the following:
ipa-adtrust-install
Configure the IPA server to accept LDAP Trusts:
ipa-adtrust-install --netbios-name=LINUX -A admin -a password1
Disable DNSSEC in /etc/named.conf
options { dnssec-validation no; }
Restart IPA:
service ipa restart
Create AD trust:
ipa trust-add --type=ad encoredev.local --admin Administrator --password
Successful trust:
[root@ipa1 ~]# ipa trust-add --type=ad encoredev.local --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------------
Added Active Directory trust for realm "encoredev.local"
--------------------------------------------------------
  Realm name: encoredev.local
  Domain NetBIOS name: ENCOREDEV
  Domain Security Identifier: S-1-5-21-24662956-178086740-2805159175
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
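Rather than eyeballing that output, a script can confirm the trust status and record the domain SID (the identifier the external group members below are stored under). The following is an added example and not part of the original document; the embedded sample is the trust-add output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): confirm the result of
# `ipa trust-add` or a later `ipa trust-show encoredev.local`.

# The trust-add output from this document, embedded so the check runs offline.
SAMPLE_TRUST_OUTPUT='Added Active Directory trust for realm "encoredev.local"
--------------------------------------------------------
  Realm name: encoredev.local
  Domain NetBIOS name: ENCOREDEV
  Domain Security Identifier: S-1-5-21-24662956-178086740-2805159175
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified'

# trust_field LABEL (ipa output on stdin) -> prints the value after "LABEL:"
trust_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# trust_verified (stdin) -> exit 0 only when the trust is established and verified
trust_verified() {
    status=$(trust_field "Trust status")
    [ "$status" = "Established and verified" ]
}

# trust_sid (stdin) -> prints the AD domain SID; exit 1 if it is not a domain SID
trust_sid() {
    sid=$(trust_field "Domain Security Identifier")
    case "$sid" in
        S-1-5-21-*) printf '%s\n' "$sid" ;;
        *) return 1 ;;
    esac
}

# Live usage:  ipa trust-show encoredev.local | trust_verified
printf '%s\n' "$SAMPLE_TRUST_OUTPUT" | trust_verified && echo "trust verified"
printf '%s\n' "$SAMPLE_TRUST_OUTPUT" | trust_sid
```

Keep the printed SID with your notes: when `ipa group-add-member --external` fails to resolve a name later, comparing the SID prefix of the AD group against this domain SID tells you whether the lookup is even reaching the right domain.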
Allow Access From Active Directory User Groups
Before users from the trusted domain can access protected resources in the IPA realm, they have to be explicitly mapped to IPA groups. The mapping is performed in two steps:
- Add users and groups from the trusted domain to an external group in IPA. The external group serves as a container that references trusted-domain users and groups by their security identifiers (SIDs).
- Map the external group to an existing POSIX group in IPA. This POSIX group is assigned a proper group id (gid) that is used as the default group for all incoming trusted-domain users mapped to it.
Create external group in IPA for trusted domain admins:
ipa group-add --desc='ENCOREDEV LinuxAdmins' linux_admins_external --external
Create a POSIX group for the external group (linux_admins_external, created above):
ipa group-add --desc='ENCOREDEV LinuxAdmins' linux_admins
Add trusted-domain users to the external group:
ipa group-add-member linux_admins_external --external 'encoredev\LinuxAdmins'
When asked for member user and member group, just leave it blank and hit Enter.
Add the external group to the POSIX group, allowing members of linux_admins_external to be associated with the linux_admins POSIX group:
ipa group-add-member linux_admins --groups linux_admins_external
Home Directory Mapping
Create the auto.home key map:
ipa automountmap-add default auto.home
Add the mapping info to the key map:
ipa automountkey-add default auto.home --key="*" --info="-fstype=nfs nfs.linux.local:/srv/nfs/homes/&"
Add the automount key to auto.master:
ipa automountkey-add default auto.master --key=/home --info=auto.home
Run automount installer:
ipa-client-automount
Now you should be able to SSH in as either an encoredev.local or a linux.local user and have your /home directory auto-mounted for you.
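What the wildcard entry actually mounts depends on the key autofs extracts, which is the first path component below /home, substituted for every `&` in the map info. The following is an added example and not part of the original document; the map entry is the one configured above, while the function names and the sample paths and user names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): simulate how autofs
# resolves the "*" key of the auto.home map configured in this document.

AUTO_HOME_INFO='-fstype=nfs nfs.linux.local:/srv/nfs/homes/&'

# automount_key MOUNTPOINT PATH -> the first path component below MOUNTPOINT,
# which is the key autofs looks up in the indirect map; exit 1 if PATH is
# not below MOUNTPOINT
automount_key() {
    mp=${1%/}
    case "$2" in
        "$mp"/*) rest=${2#"$mp"/}; printf '%s\n' "${rest%%/*}" ;;
        *) return 1 ;;
    esac
}

# automount_resolve KEY -> the map info with every & replaced by KEY
automount_resolve() {
    # escape sed-special characters so the key is substituted literally
    esc=$(printf '%s' "$1" | sed 's/[\\&|]/\\&/g')
    printf '%s\n' "$AUTO_HOME_INFO" | sed "s|&|$esc|g"
}

# automount_location KEY -> just the NFS source, e.g. nfs.linux.local:/srv/nfs/homes/KEY
automount_location() {
    automount_resolve "$1" | awk '{print $NF}'
}

# automount_lookup PATH -> the NFS source autofs would mount for an access to PATH
automount_lookup() {
    key=$(automount_key /home "$1") || return 1
    automount_location "$key"
}

# Sample accesses (constructed): a plain IPA user and a home directory under a
# per-domain subdirectory. In the second case the export mounted at
# /home/encoredev.local must itself contain the jsmith directory.
automount_lookup /home/jsmith/.bashrc
automount_lookup /home/encoredev.local/jsmith/.bashrc
```

Before trusting the mapping for AD users, check what home directory SSSD reports with `getent passwd jsmith@encoredev.local` (name constructed); the first component of that path under /home is the key the map will see, so the matching directory must exist under /srv/nfs/homes on nfs.linux.local.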