In this tutorial we demonstrate how Linux IPA v4 (FreeIPA as shipped with RHEL 7.4) is integrated with Windows Active Directory through a cross-forest trust, so that AD users can be resolved and authenticated on IPA-managed hosts without being copied into IPA. The lab setup is:
- Windows AD version: Windows 2012 R2
- Windows IP: 192.168.1.100
- Windows hostname: NT.ecc.com
- Windows AD Domain: ecc.com
- Linux IPA v4 : RHEL7.4
- Linux IPA IP: 192.168.1.200
- Linux IPA hostname: ipaserver.ipa.ecc.com
- Linux IPA Domain: ipa.ecc.com
Pre-Configuration of IPA
On Linux IPA:
# hostname
ipaserver.ipa.ecc.com
# cat /etc/hosts
192.168.1.200 ipaserver.ipa.ecc.com
# iptables -F
Flushing the rules this way removes every host firewall rule; it is acceptable in a throwaway lab but not on a real server. The safer approach is to keep firewalld running and open only the ports the installers list at the end of their output: TCP 80, 443, 389, 636, 88, 464 and 53 plus UDP 88, 464, 53 and 123 for IPA itself, and TCP 135, 138, 139, 445, 1024-1300 and 3268 plus UDP 138, 139, 389 and 445 for the trust (reported by ipa-adtrust-install).
IPA installation Steps:
# ipa-server-install
Do you want to configure integrated DNS (BIND)? [no]: yes
Server host name [ipaserver.ipa.ecc.com]: [Enter]
Please confirm the domain name [ipa.ecc.com]: [Enter]
Please provide a realm name [IPA.ECC.COM]: [Enter]
Do you want to configure DNS forwarders? [yes]: no
Do you want to search for missing reverse zones? [yes]: no
Continue to configure the system with these values? [no]: yes
Configure IPA server for cross-forest trusts
# ipa-adtrust-install
Enable trusted domains support in slapi-nis? [no]: no
NetBIOS domain name [IPA]: [Enter]
Do you want to run the ipa-sidgen task? [no]: no
(Answer yes if the IPA server already holds users or groups: the sidgen task assigns the SIDs that trust-based access requires to existing entries. On a fresh install there is nothing to convert.)
Configure IPA server to sync time with Active Directory
Kerberos rejects tickets when the clocks differ by more than five minutes (the default), so the IPA server must follow the same time source as the domain controller. Step the clock once:
# ntpdate -u 192.168.1.100
Then make it permanent: add the domain controller as a source (server 192.168.1.100 iburst) in the configuration of whichever time daemon the installer left enabled. Note that on RHEL 7 ipa-server-install configures ntpd and disables chronyd unless run with --no-ntp, so check which daemon is active before editing /etc/chrony.conf.
Configure DNS: Conditional DNS forwarders
On the Active Directory server, open DNS Manager, right-click the ecc.com zone, choose New Delegation and enter:
Delegated domain: ipa.ecc.com
Server FQDN: ipaserver.ipa.ecc.com
IP Address: 192.168.1.200
Then, add conditional forwarder for IPA domain:
C:\> dnscmd 127.0.0.1 /ZoneAdd ipa.ecc.com /Forwarder 192.168.1.200
Similarly, on IPA, add a conditional forward zone for the AD domain so that all ecc.com lookups go to the domain controller:
# ipa dnsforwardzone-add ecc.com --forwarder=192.168.1.100 --forward-policy=only
The zone should then be listed under DNS Forward Zones in the IPA web UI.
If IPA is a subdomain of AD
If the IPA domain is a subdomain of the AD domain, as it is here (ipa.ecc.com under ecc.com), the parent zone on the AD server must carry a glue A record for the IPA server and an NS record delegating the subdomain to it. The New Delegation dialog above creates exactly these two records; the command-line equivalent is (node names are relative to the ecc.com zone):
C:\> dnscmd 127.0.0.1 /RecordAdd ecc.com ipaserver.ipa A 192.168.1.200
C:\> dnscmd 127.0.0.1 /RecordAdd ecc.com ipa NS ipaserver.ipa.ecc.com
Disable DNSSEC validation in IPA
If lookups of the AD zone through the forwarder fail, the cause can be that the AD DNS server does not answer DNSSEC-aware queries correctly. In that case set dnssec-validation no; in the options block of /etc/named.conf on the IPA server and restart IPA (ipactl restart). This switches off validation for every name the IPA resolver looks up, not only the AD zone, so apply it only if the SRV lookups in the next step fail.
Verify DNS configuration
To make sure both AD and IPA servers can see each other, check that the SRV records of each domain resolve from the other side. On the AD server:
C:\> nslookup
> set type=srv
> _ldap._tcp.ecc.com
> _ldap._tcp.ipa.ecc.com
> quit
On IPA server:
# dig SRV _ldap._tcp.ipa.ecc.com
# dig SRV _ldap._tcp.ecc.com
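The two dig commands above only cover the LDAP record of each domain as seen from the IPA server. A trust peer also looks up the Kerberos records and, for the AD side, the _msdcs records, and the AD server must be able to resolve the IPA zone through its conditional forwarder just as IPA must resolve ecc.com. The script below is an added example, not part of the original tutorial: it queries both DNS servers for every record each side needs and reports any that are missing. The addresses and domain names are the ones used in this tutorial; the file name check_trust_dns.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original tutorial): pre-flight check of the SRV
# records a cross-forest trust relies on, queried against BOTH DNS servers.
# Defaults are the addresses and domains used in this tutorial.
AD_DNS=${AD_DNS:-192.168.1.100}
IPA_DNS=${IPA_DNS:-192.168.1.200}
AD_DOMAIN=${AD_DOMAIN:-ecc.com}
IPA_DOMAIN=${IPA_DOMAIN:-ipa.ecc.com}
DIG=${DIG:-dig}   # overridable so the logic can be exercised without live servers

# srv_names DOMAIN -> the SRV names a trust peer looks up for DOMAIN.
# The _msdcs records exist on AD and are added to the IPA zone by ipa-adtrust-install.
srv_names() {
    for prefix in _ldap._tcp _kerberos._tcp _kerberos._udp \
                  _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs; do
        printf '%s.%s\n' "$prefix" "$1"
    done
}

# srv_targets NAME SERVER -> prints the target host of every SRV answer, one per line.
# dig +short prints "priority weight port target." for each record; anything else
# (errors, timeouts, CNAME noise) is filtered out by requiring three numeric fields.
srv_targets() {
    "$DIG" +short +time=3 +tries=1 SRV "$1" "@$2" 2>/dev/null |
        awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $4 }'
}

# check_all -> one line per (server, record); the return value is the number of failures,
# so a non-zero exit means at least one side cannot see a record it needs.
check_all() {
    fails=0
    for server in "$AD_DNS" "$IPA_DNS"; do
        for domain in "$AD_DOMAIN" "$IPA_DOMAIN"; do
            for name in $(srv_names "$domain"); do
                targets=$(srv_targets "$name" "$server")
                if [ -n "$targets" ]; then
                    printf 'OK   %-15s %-40s -> %s\n' "$server" "$name" \
                        "$(printf '%s' "$targets" | tr '\n' ' ')"
                else
                    printf 'FAIL %-15s %-40s (no SRV answer)\n' "$server" "$name"
                    fails=$((fails + 1))
                fi
            done
        done
    done
    return $fails
}

# Run the checks only when invoked with "run", so the file can also be sourced.
[ "${1:-}" = run ] && check_all
```

Run it from the IPA server as sh check_trust_dns.sh run after both conditional forwarders are in place. A FAIL line for the AD server and an ipa.ecc.com name means the delegation or conditional forwarder on AD is wrong; a FAIL for the IPA server and an ecc.com name points at the IPA forward zone or at the DNSSEC validation issue described above.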
Add IPA trust with AD domain
Run this with a valid Kerberos ticket for the IPA admin (kinit admin):
# ipa trust-add --type=ad ecc.com --admin Administrator --password
Enter the password of the AD Administrator when prompted. The credentials are used once to create the trust objects on both sides and are not stored on the IPA server.
Finally, confirm that the [libdefaults] section of /etc/krb5.conf on the IPA server contains the following (the IPA installer sets it by default):
dns_lookup_kdc = true
It is required because the KDCs of the trusted AD realm are discovered through the SRV records verified above rather than through a static [realms] entry.
Testing: create a user in AD, then resolve it on the IPA server:
# id user@ecc.com
The output should show a UID and GID taken from the trust's ID range together with the user's AD groups. Then authenticate as that user with kinit user@ECC.COM (the AD realm name is upper case). If id returns nothing, the usual causes are the DNS and time problems covered above; check the SSSD logs under /var/log/sssd/ on the IPA server before retrying.