In this tutorial, we will demonstrate how Linux IPA v4 can be integrated with Windows Active Directory indirectly, through a cross-forest trust, using the following lab setup:

  • Windows AD version: Windows 2012 R2
  • Windows IP: 192.168.1.100
  • Windows hostname: NT.ecc.com
  • Windows AD Domain: ecc.com
  • Linux IPA v4 OS: RHEL 7.4
  • Linux IPA IP: 192.168.1.200
  • Linux IPA hostname: ipaserver.ipa.ecc.com
  • Linux IPA Domain: ipa.ecc.com


Pre-Configuration of IPA

On Linux IPA:

# hostname

ipaserver.ipa.ecc.com

# cat /etc/hosts

192.168.1.200    ipaserver.ipa.ecc.com

# iptables -F


IPA installation steps:

# ipa-server-install

Do you want to configure integrated DNS (BIND)? [no]: yes

Server host name [ipaserver.ipa.ecc.com]: [Enter]

Please confirm the domain name [ipa.ecc.com]: [Enter]

Please provide a realm name [IPA.ECC.COM]: [Enter]

Do you want to configure DNS forwarders? [yes]: no

Do you want to search for missing reverse zones? [yes]: no

Continue to configure the system with these values? [no]: yes


Configure IPA server for cross-forest trusts

# ipa-adtrust-install

Enable trusted domains support in slapi-nis? [no]: no

NetBIOS domain name [IPA]: [Enter]

Do you want to run the ipa-sidgen task? [no]: no


Configure IPA server to sync time with Active Directory

# ntpdate -u 192.168.1.100

(and make it permanent by adding the AD server as a time source in chrony)


Configure DNS: Conditional DNS forwarders

In the Active Directory server, add a new delegation using the DNS GUI: right-click on “ecc.com” and click “new delegation”, then enter:

Delegated domain: ipa.ecc.com

Server FQDN: ipaserver.ipa.ecc.com

IP Address: 192.168.1.200


Then, add a conditional forwarder for the IPA domain:

C:\> dnscmd 127.0.0.1 /ZoneAdd ipa.ecc.com /Forwarder 192.168.1.200


Similarly, on IPA, add a conditional forwarder for the AD domain:

# ipa dnsforwardzone-add ecc.com --forwarder=192.168.1.100 --forward-policy=only

The forward zone should then appear in the IPA web UI.


If IPA is a subdomain of AD

If the IPA domain is a subdomain of the AD domain (e.g. the IPA domain is ipadomain.addomain.example.com and the AD domain is addomain.example.com), configure DNS as follows:

C:\> dnscmd 127.0.0.1 /RecordAdd ecc.com ipaserver.ipa.ecc.com A 192.168.1.200

C:\> dnscmd 127.0.0.1 /RecordAdd ecc.com ipa.ecc.com NS ipaserver.ipa.ecc.com


Disable DNSSEC in IPA

Disable DNSSEC in /etc/named.conf

Restart IPA

Verify DNS configuration

To make sure the AD and IPA servers can see each other, check that the SRV records of both domains resolve correctly. On the AD server:

C:\> nslookup

> set type=srv

> _ldap._tcp.ecc.com

> _ldap._tcp.ipa.ecc.com

> quit


On IPA server:

# dig SRV _ldap._tcp.ipa.ecc.com

# dig SRV _ldap._tcp.ecc.com


Add IPA trust with AD domain

# ipa trust-add --type=ad ecc.com --admin=Administrator

Then enter the password of the AD Administrator when prompted.


At the end, modify the /etc/krb5.conf file on the IPA server as follows, so that KDCs are located through DNS SRV records:

dns_lookup_kdc = true


Testing: create a user in AD, then verify that the IPA server can resolve it:

# id user@ecc.com
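The krb5.conf step above only says to set dns_lookup_kdc = true. The following added example (written for this page, not code from the original tutorial or from FreeIPA) applies that change in a section-aware, idempotent way, so the key lands under [libdefaults] and the kdc entries inside [realms] braces are left alone; the krb5.conf it edits is a constructed sample.

```shell
#!/bin/sh
# set_krb5_option SECTION KEY VALUE  (config on stdin, updated config on stdout)
# Replaces an existing top-level KEY inside [SECTION], appends it if missing,
# and creates the section if absent. Keys inside "{ ... }" blocks (e.g.
# "kdc = ..." under [realms]) are never touched.
set_krb5_option() {
  awk -v sec="$1" -v key="$2" -v val="$3" '
    function flush_pending() {          # append KEY when leaving the section
      if (insec && !done) { print "    " key " = " val; done = 1 }
      insec = 0
    }
    /^[ \t]*\[/ {                       # a new [section] header
      flush_pending()
      if ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")) { insec = 1; seen = 1 }
    }
    insec && depth == 0 && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      if (!done) { print "    " key " = " val; done = 1 }
      next                              # drop the old assignment
    }
    {
      depth += split($0, a, "{") - 1    # track nesting of { } blocks
      depth -= split($0, b, "}") - 1
      print
    }
    END {
      flush_pending()
      if (!seen) { print ""; print "[" sec "]"; print "    " key " = " val }
    }
  '
}

# Constructed sample krb5.conf (not taken from the tutorial host): the key is
# still false and the realm block must come through unchanged.
sample_krb5_conf() {
  cat <<'EOF'
[libdefaults]
    default_realm = IPA.ECC.COM
    dns_lookup_kdc = false

[realms]
    IPA.ECC.COM = {
        kdc = ipaserver.ipa.ecc.com:88
    }
EOF
}

# On a real server: set_krb5_option libdefaults dns_lookup_kdc true < /etc/krb5.conf > /tmp/krb5.conf.new
# then review the result before moving it into place.
sample_krb5_conf | set_krb5_option libdefaults dns_lookup_kdc true
```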