Installing IPA on RHEL 7 and utilizing an Active Directory Trust

This document is dependent on the following assumptions:

  • NetBIOS names of the IPA domain and AD domain must be different.
    • In addition, NetBIOS names of the IPA server and AD DC server must be different.
  • encoredev.local is the AD domain
    • encoredev1.encoredev.local will host this domain and associated DNS records
  • linux.local is the IPA domain
    • ipa1.linux.local will host this domain and associated DNS records
  • The /etc/hosts file is configured
  • The server's hostname is configured correctly
  • The server has firewalld disabled or the appropriate firewall ports have been opened.
  • NS1/NS2 = 172.16.40.2/172.16.40.3
  • DEVNS1/DEVNS2 = 172.16.104.2/172.16.105.3
  • Windows Domain = encoredev.local
  • IPA domain = linux.local
  • Active Directory Linux Admins Group = LinuxAdmins
  • NFS Server = nfs.linux.local
    • nfs.linux.local has been added as an IPA client

Installing IPA

Install the IPA packages via Yum:

yum install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap

Install and configure IPA:

ipa-server-install -a password1 -p password1 --domain=linux.local --realm=linux.local --setup-dns --no-forwarders -U

Login as admin (using password1):

kinit admin

DNS Configuration

Allow Zone Transfers to NS1/NS2 and DEVNS1/DEVNS2:

ipa dnszone-mod linux.local --allow-transfer="172.16.40.2;172.16.40.3;172.16.104.2;172.16.105.3"

Configure the Windows domain in DNS:

ipa dnsforwardzone-add encoredev.local --forwarder=172.16.105.3 --forwarder=172.16.104.2 --forward-policy=only

Add the IPA domain to the AD DNS server as a secondary zone (172.16.100.6 is the IPA server):

dnscmd 127.0.0.1 /ZoneAdd linux.local /Secondary 172.16.100.6

If a conditional forwarder is preferred over the secondary zone, add it on a Domain Controller instead (the zone name and address below are placeholders; substitute linux.local and the IPA server address):

dnscmd 127.0.0.1 /ZoneAdd ipadomain.example.com /Forwarder 10.16.78.61

Add A and NS records for the IPA domain to the AD zone:

dnscmd 127.0.0.1 /RecordAdd encoredev.local ipa1.linux.local A 172.16.100.6
dnscmd 127.0.0.1 /RecordAdd encoredev.local linux.local NS ipa1.linux.local

Trust Configuration

Set up the server to enable Trusts:

yum install ipa-server "*ipa-server-trust-ad" samba samba-client

Execute the trust installer:

ipa-adtrust-install

Configure the IPA server to accept trusts, setting its NetBIOS name (-a is the IPA admin password):

ipa-adtrust-install --netbios-name=LINUX -A admin -a password1

Disable DNSSEC validation in /etc/named.conf (note that this turns off validation for every zone this server resolves, not only the AD forward zone):

options {
    dnssec-validation no;
}

Restart IPA:

service ipa restart

Create AD trust:

ipa trust-add --type=ad encoredev.local --admin Administrator --password

Output of a successful trust:

[root@ipa1 ~]# ipa trust-add --type=ad encoredev.local --admin Administrator --password
Active directory domain administrator's password:
--------------------------------------------------------
Added Active Directory trust for realm "encoredev.local"
--------------------------------------------------------
 Realm name: encoredev.local
 Domain NetBIOS name: ENCOREDEV
 Domain Security Identifier: S-1-5-21-24662956-178086740-2805159175
 Trust direction: Two-way trust
 Trust type: Active Directory domain
 Trust status: Established and verified
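The trust output above is easy to check by hand once, but it is worth scripting the check so it can be re-run after every change. The following is an added example (not part of the original guide): it parses the "Key: value" lines the ipa CLI prints and verifies the properties this guide relies on, including the assumption that the AD and IPA NetBIOS names differ. The sample text is the output shown above, embedded here as a constant.

```python
import re

# Sample input: the `ipa trust-add` output shown in this guide.
TRUST_OUTPUT = """\
Added Active Directory trust for realm "encoredev.local"
--------------------------------------------------------
 Realm name: encoredev.local
 Domain NetBIOS name: ENCOREDEV
 Domain Security Identifier: S-1-5-21-24662956-178086740-2805159175
 Trust direction: Two-way trust
 Trust type: Active Directory domain
 Trust status: Established and verified
"""

# A domain SID is S-1-5-21 followed by three sub-authorities.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")


def parse_ipa_output(text):
    """Turn the 'Key: value' lines of ipa CLI output into a dict.
    Banner and separator lines (no colon, or leading dashes) are skipped."""
    info = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("-"):
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def audit_trust(info, ipa_netbios, expected_realm):
    """Return a list of problems; an empty list means the trust matches what this guide expects."""
    problems = []
    if info.get("Realm name", "").lower() != expected_realm.lower():
        problems.append(f"realm mismatch: {info.get('Realm name')!r}")
    if info.get("Trust status") != "Established and verified":
        problems.append(f"trust not verified: {info.get('Trust status')!r}")
    if info.get("Trust type") != "Active Directory domain":
        problems.append(f"unexpected trust type: {info.get('Trust type')!r}")
    if info.get("Trust direction") != "Two-way trust":
        problems.append(f"trust direction is {info.get('Trust direction')!r}, guide expects two-way")
    ad_netbios = info.get("Domain NetBIOS name", "")
    if not ad_netbios or ad_netbios.upper() == ipa_netbios.upper():
        problems.append("AD and IPA NetBIOS names must differ")
    if not SID_RE.match(info.get("Domain Security Identifier", "")):
        problems.append(f"unexpected domain SID: {info.get('Domain Security Identifier')!r}")
    return problems


if __name__ == "__main__":
    # LINUX is the NetBIOS name given to ipa-adtrust-install in this guide.
    print(audit_trust(parse_ipa_output(TRUST_OUTPUT), "LINUX", "encoredev.local") or "trust OK")
```

In practice, feed it the output of `ipa trust-show encoredev.local` instead of the embedded constant.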

Allow Access From Active Directory User Groups

Before users from the trusted domain can access protected resources in the IPA realm, they have to be explicitly mapped to IPA groups. The mapping is performed in two steps:

  • Add users and groups from the trusted domain to an external group in IPA. The external group serves as a container that references trusted-domain users and groups by their security identifiers.
  • Map the external group to an existing POSIX group in IPA. This POSIX group is assigned a proper group id (gid), which is used as the default group for all incoming trusted-domain users mapped to it.

Create an external group in IPA for the trusted domain's admins:

ipa group-add --desc='ENCOREDEV LinuxAdmins' linux_admins_external --external

Create a POSIX group for the linux_admins_external group:

ipa group-add --desc='ENCOREDEV LinuxAdmins' linux_admins

Add the trusted domain group to the external group:

ipa group-add-member linux_admins_external --external 'encoredev\LinuxAdmins'

When asked for member user and member group, just leave it blank and hit Enter.

Add the external group to the POSIX group

Allow members of the linux_admins_external group to be associated with the linux_admins POSIX group:

ipa group-add-member linux_admins --groups linux_admins_external

Home Directory Mapping

Create the auto.home key map:

ipa automountmap-add default auto.home

Add the mapping info to the key map:

ipa automountkey-add default auto.home --key="*" --info="-fstype=nfs nfs.linux.local:/srv/nfs/homes/&"

Add the /home key to auto.master in the default location:

ipa automountkey-add default auto.master --key=/home --info=auto.home

Run the automount client installer:

ipa-client-automount

Now you should be able to SSH in as either an encoredev.local or a linux.local user and have your /home directory auto-mounted for you.

Author: Eric Sarakaitis

I'm Eric, I love to cook, sing, garden and enjoy cold beverages!