This document depends on the following assumptions:

  • The NetBIOS names of the IPA domain and the AD domain are different.
    • In addition, the NetBIOS names of the IPA server and the AD DC are different.
  • encoredev.local is the AD domain
    • encoredev1.encoredev.local hosts this domain and its DNS
  • linux.local is the IPA domain
    • ipa1.linux.local hosts this domain and its DNS records
  • The /etc/hosts file is configured
  • The server's hostname is configured correctly
  • firewalld is disabled on the server, or the required firewall ports have been opened
  • NS1/NS2 = 172.16.40.2/172.16.40.3
  • DEVNS1/DEVNS2 = 172.16.104.2/172.16.105.3
  • Windows domain = encoredev.local
  • IPA domain = linux.local
  • Active Directory Linux admins group = LinuxAdmins
  • NFS server = nfs.linux.local
    • nfs.linux.local has been added as an IPA client

Installing IPA

Install the IPA packages via Yum:

Install and configure IPA:

Log in as admin with the admin password chosen during installation (password1 in this walkthrough; use a strong password on a real deployment):

DNS Configuration

Allow Zone Transfers to NS1/NS2 and DEVNS1/DEVNS2:

Configure the Windows domain in DNS:

Add the IPA domain to the AD DNS server:

On a Domain Controller, add the following DNS forwarder:

Add A and NS records for the IPA domain:

Trust Configuration

Set up the server to enable Trusts:

Execute the following:

Configure the IPA server to accept LDAP Trusts:

Disable DNSSEC validation in /etc/named.conf (dnssec-validation no;): the private .local zones are unsigned and have no delegation from the root, so a validating BIND rejects the answers forwarded from the AD DNS server:

Restart IPA:

Create AD trust:

Successful Trust:

Allow Access From Active Directory User Groups

Before users from a trusted domain can access protected resources in the IPA realm, they must be explicitly mapped to IPA groups. The mapping has two steps:

  • Add users and groups from the trusted domain to an external group in IPA. The external group is a container that references trusted-domain users and groups by their security identifiers (SIDs).
  • Map the external group to an existing POSIX group in IPA. The POSIX group carries the group id (gid) that becomes the default group for every trusted-domain user mapped through it.

Note that the mapping alone does not restrict who may log in: IPA ships with the allow_all HBAC rule enabled, which admits every mapped user on every host. If access should be limited to the admins group, disable allow_all and add an HBAC rule that grants the linux_admins POSIX group the services and hosts it needs.

Create the external group linux_admins_external in IPA for the trusted domain's admins:

Create the POSIX group linux_admins that the external group will map to:

Add the trusted domain's LinuxAdmins group to the external group:

When asked for member user and member group, just leave them blank and hit Enter.

Add the external group to the POSIX group:

Allow members of the linux_admins_external group to be associated with the linux_admins POSIX group:

Home Directory Mapping

Create the auto.home automount map in the default location:

Add the wildcard key and NFS mount information to the map:

Add the /home key, pointing at auto.home, to auto.master in the default location:

Run the automount client installer (ipa-client-automount):

Now you should be able to SSH in as either an encoredev.local or a linux.local user and have your /home directory auto mounted for you.
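The whole IPA-side procedure above, from the package install to the automount setup, as one reviewable script. This is an added example, not the original post's commands: it uses the names and addresses from the assumptions list, marks as ASSUMED the values the page does not give (the domain controller's address, the NFS security flavour, a user to test with), and with DRY_RUN=1 prints every privileged command instead of executing it.

```bash
#!/usr/bin/env bash
# Added example, not the original post's commands: the IPA-side steps of this
# page scripted end to end with the page's assumed names. Anything marked
# ASSUMED is a placeholder the page does not give. With DRY_RUN=1 every
# privileged command is printed instead of executed, so the sequence can be
# reviewed before it touches a server.
set -euo pipefail

IPA_DOMAIN=linux.local
IPA_REALM=LINUX.LOCAL
IPA_NETBIOS=LINUX                      # must differ from the AD NetBIOS name (ENCOREDEV)
AD_DOMAIN=encoredev.local
AD_DC_IP=${AD_DC_IP:-192.0.2.10}       # ASSUMED placeholder: address of encoredev1.encoredev.local
AD_ADMIN=Administrator                 # AD account allowed to create the trust
AD_GROUP='ENCOREDEV\LinuxAdmins'       # the page's "Active Directory Linux Admins Group"
XFER_ACL='172.16.40.2;172.16.40.3;172.16.104.2;172.16.105.3;'   # NS1/NS2 + DEVNS1/DEVNS2
NFS_SERVER=nfs.linux.local
DRY_RUN=${DRY_RUN:-0}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "Installing IPA": packages, the server with integrated DNS, then the
# trust components (Samba, SID generation). Passwords are prompted for.
install_ipa() {
  run yum -y install ipa-server ipa-server-dns ipa-server-trust-ad
  run ipa-server-install --realm "$IPA_REALM" --domain "$IPA_DOMAIN" \
      --setup-dns --forwarder "$AD_DC_IP" --no-reverse
  run ipa-adtrust-install --netbios-name "$IPA_NETBIOS"
}

# "DNS Configuration": restrict zone transfers to the named secondaries,
# forward the AD domain to its DC, and stop BIND validating DNSSEC
# (the .local zones are unsigned, so validation would reject the answers).
configure_dns() {
  run ipa dnszone-mod "$IPA_DOMAIN" --allow-transfer="$XFER_ACL"
  run ipa dnsforwardzone-add "$AD_DOMAIN" --forwarder="$AD_DC_IP" --forward-policy=only
  run sed -i 's/^\(\s*dnssec-validation\) yes;/\1 no;/' /etc/named.conf
  run ipactl restart
}

# "Trust Configuration": create the forest trust (the AD admin password is
# read interactively) and confirm it with trust-show.
create_trust() {
  run ipa trust-add --type=ad "$AD_DOMAIN" --admin "$AD_ADMIN" --password
  run ipa trust-show "$AD_DOMAIN"
}

# "Allow Access From Active Directory User Groups": the external group holds
# the AD group's SID, the POSIX group supplies the gid. "ipa -n" suppresses
# the "[member user]/[member group]" prompts the page tells you to leave blank.
map_ad_group() {
  run ipa group-add linux_admins_external --external --desc="$AD_DOMAIN LinuxAdmins (SID container)"
  run ipa group-add linux_admins --desc="POSIX group for $AD_DOMAIN Linux admins"
  run ipa -n group-add-member linux_admins_external --external "$AD_GROUP"
  run ipa -n group-add-member linux_admins --groups linux_admins_external
}

# "Home Directory Mapping": wildcard key in auto.home, hooked into auto.master
# of the default location, then the client-side installer.
# sec=krb5 is ASSUMED (a Kerberised NFS export on nfs.linux.local).
configure_automount() {
  run ipa automountmap-add default auto.home
  run ipa automountkey-add default auto.home --key='*' \
      --info="-fstype=nfs4,rw,sec=krb5 $NFS_SERVER:/home/&"
  run ipa automountkey-add default auto.master --key=/home --info=auto.home
  run ipa-client-automount --location default --unattended
}

# Post-check: an AD user must resolve through SSSD and carry the mapped gid.
verify_user() {
  run getent passwd "$1"
  run id "$1"
}

main() {
  install_ipa
  run kinit admin
  configure_dns
  create_trust
  map_ad_group
  configure_automount
  verify_user "someone@$AD_DOMAIN"   # ASSUMED: any member of LinuxAdmins
}

if [ "${1:-}" = --run ]; then main; fi
```

Run it first as DRY_RUN=1 ./ipa-trust.sh --run to read the generated commands, then without DRY_RUN on ipa1.linux.local. The Windows side is not scripted here: on encoredev1 the conditional forwarder for linux.local is one PowerShell call (Add-DnsServerConditionalForwarderZone -Name linux.local -MasterServers followed by the IPA server's address), plus the A and NS records the page lists.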

Eric Sarakaitis

Virtualization Engineer at CBTS