Red Hat Enterprise Linux 7

Windows Integration Guide

Integrating Linux Systems with Active Directory Environments

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Abstract

Heterogeneous IT environments often contain a variety of domains and operating systems that need to communicate seamlessly. Red Hat Enterprise Linux offers multiple ways to tightly integrate Linux domains with Active Directory (AD) on Microsoft Windows. The integration is possible on different domain objects, including users, groups, services, and systems. This guide also covers different integration scenarios, ranging from lightweight AD pass-through authentication to full-fledged Kerberos trusted realms.

In addition to this guide, you can find documentation on other features and services related to Red Hat Enterprise Linux Identity Management in the following guides:

The Linux Domain Identity, Authentication, and Policy Guide documents Red Hat Identity Management, a solution that provides a centralized and unified way to manage identity stores as well as authentication and authorization policies in a Linux-based domain.

The System-Level Authentication Guide documents the different applications and services available to configure authentication on local systems, including the authconfig utility, the System Security Services Daemon (SSSD) service, the Pluggable Authentication Module (PAM) framework, Kerberos, the certmonger utility, and single sign-on (SSO) for applications.
1. Ways to Integrate Active Directory and Linux Environments
1.1. Defining Windows Integration
1.2. Direct Integration
1.3. Indirect Integration
I. Adding a Single Linux System to an Active Directory Domain
2. Using Active Directory as an Identity Provider for SSSD
2.1. About SSSD
2.1.1. SSSD Configuration
2.1.2. Active Directory Domain Configuration
2.2. Environments for SSSD
2.3. How SSSD Integrates with an Active Directory Environment
2.3.1. Active Directory Identities on the Local System
2.3.1.1. About Security ID Mapping
2.3.1.2. About SSSD and POSIX Attributes
2.3.1.3. Accessing a CIFS share with SSSD
2.3.2. Active Directory Users and Range Retrieval Searches
2.3.3. Linux Clients and Active Directory DNS Sites
2.4. Configuring an Active Directory Domain with ID Mapping
2.5. Configuring an Active Directory Domain with POSIX Attributes
2.6. Additional Configuration Examples
2.6.1. Account Settings
2.6.1.1. Setting a User Home Directory
2.6.1.2. Setting a User Shell
2.6.2. Enabling Dynamic DNS Updates (Active Directory Only)
2.6.3. Using a Filter with Access Controls
2.7. Group Policy Object Access Control
2.7.1. Configuring GPO-based Access Control
3. Using realmd to Connect to an Active Directory Domain
3.1. Supported Domain Types and Clients
3.2. Prerequisites for Using realmd
3.3. realmd Commands
3.4. Discovering and Joining Identity Domains
3.5. Removing a System from an Identity Domain
3.6. Listing Domains
3.7. Managing Login Permissions for Domain Users
3.8. Changing Default User Configuration
3.9. Additional Configuration for the Active Directory Domain Entry
4. Using Samba, Kerberos, and Winbind
4.1. About Samba and Active Directory Authentication
4.1.1. Samba, Kerberos, and Active Directory Domains
4.1.1.1. Samba
4.1.1.2. Kerberos
4.1.1.3. DNS
4.1.1.4. PAM and NSS
4.1.2. Authentication Using Winbind and Samba
4.2. Summary of Configuration Files, Options, and Packages
4.3. Configuring a Domain Member Using authconfig
4.3.1. Arguments and Configuration Parameters of authconfig
4.3.2. CLI Configuration of Active Directory Authentication with authconfig
4.3.3. Configuring Active Directory Authentication in the authconfig GUI
II. Integrating a Linux Domain with an Active Directory Domain: Cross-forest Trust
5. Creating Cross-forest Trusts with Active Directory and Identity Management
5.1. Introduction to Cross-forest Trusts
5.1.1. The Architecture of a Trust Relationship
5.1.2. Active Directory Security Objects and Trust
5.1.3. Trust Architecture in IdM
5.1.3.1. Active Directory PACs and IdM Tickets
5.1.3.2. Active Directory Users and Identity Management Groups
5.1.3.3. Active Directory Users and IdM Policies and Configuration
5.1.4. One-Way and Two-Way Trusts
5.1.5. External Trusts to Active Directory
5.1.6. Trust Controllers and Trust Agents
5.2. Creating Cross-forest Trusts
5.2.1. Environment and Machine Requirements
5.2.1.1. Supported Windows Platforms
5.2.1.2. DNS and Realm Settings
5.2.1.3. NetBIOS Names
5.2.1.4. Firewalls and Ports
5.2.1.5. IPv6 Settings
5.2.1.6. Clock Settings
5.2.1.7. Supported User Name Formats
5.2.2. Creating Trusts
5.2.2.1. Creating a Trust from the Command Line
5.2.2.2. Creating a Trust with a Shared Secret
5.2.2.3. Creating a Trust on an Existing IdM Instance
5.2.2.4. Adding a Second Trust
5.2.2.5. Creating a Trust in the Web UI
5.2.3. Post-installation Considerations for Cross-forest Trusts
5.2.3.1. Potential Behavior Issues with Active Directory Trust
5.2.3.2. Configuring Trust Agents
5.3. Managing and Configuring a Cross-forest Trust Environment
5.3.1. User Principal Names in a Trusted Domains Environment
5.3.2. IdM Clients in an Active Directory DNS Domain
5.3.2.1. Kerberos Single Sign-on to the IdM Client is not Required
5.3.2.2. Kerberos Single Sign-on to the IdM Client is Required
5.3.3. Creating IdM Groups for Active Directory Users
5.3.4. Maintaining Trusts
5.3.4.1. Editing the Global Trust Configuration
5.3.4.2. Discovering, Enabling, and Disabling Trust Domains
5.3.4.3. Viewing and Managing DNS Realms
5.3.4.4. Adding Ranges for UID and GID Numbers in a Transitive Trust
5.3.4.5. Kerberos Flags for Services and Hosts
5.3.5. Setting PAC Types for Services
5.3.5.1. Setting Default PAC Types
5.3.5.2. Setting PAC Types for a Service
5.3.6. Using POSIX Attributes Defined in Active Directory
5.3.6.1. Defining UID and GID Attributes for Active Directory Users
5.3.6.2. Transferring Login Shell and Home Directory Attributes
5.3.7. Using SSH from Active Directory Machines for IdM Resources
5.3.7.1. Using SSH Without Passwords
5.3.8. Using a Trust with Kerberos-enabled Web Applications
5.3.9. Smart Card Certificates in a Trusted Active Directory Environment
5.4. Active Directory Trust for Legacy Linux Clients
5.4.1. Server-side Configuration for AD Trust for Legacy Clients
5.4.2. Client-side Configuration Using the ipa-advise Utility
III. Integrating a Linux Domain with an Active Directory Domain: Synchronization
6. Synchronizing Active Directory and Identity Management Users
6.1. Supported Windows Platforms
6.2. About Active Directory and Identity Management
6.3. About Synchronized Attributes
6.3.1. User Schema Differences between Identity Management and Active Directory
6.3.1.1. Values for cn Attributes
6.3.1.2. Values for street and streetAddress
6.3.1.3. Constraints on the initials Attribute
6.3.1.4. Requiring the surname (sn) Attribute
6.3.2. Active Directory Entries and POSIX Attributes
6.4. Setting up Active Directory for Synchronization
6.4.1. Creating an Active Directory User for Synchronization
6.4.2. Setting up an Active Directory Certificate Authority
6.5. Managing Synchronization Agreements
6.5.1. Creating Synchronization Agreements
6.5.2. Changing the Behavior for Synchronizing User Account Attributes
6.5.3. Changing the Synchronized Windows Subtree
6.5.4. Configuring Uni-directional Synchronization
6.5.5. Deleting Synchronization Agreements
6.5.6. Winsync Agreement Failures
6.6. Managing Password Synchronization
6.6.1. Setting up the Windows Server for Password Synchronization
6.6.2. Setting up Password Synchronization
7. Migrating Existing Environments from Synchronization to Trust
7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate
7.1.1. How Migration Using ipa-winsync-migrate Works
7.1.2. How to Migrate Using ipa-winsync-migrate
7.2. Migrate from Synchronization to Trust Manually Using ID Views
8. Using ID Views in Active Directory Environments
8.1. Active Directory Default Trust View
8.2. Fixing ID Conflicts
8.3. Using ID Views to Define AD User Attributes
8.4. Overriding Smart Card Certificates for AD Users
8.5. Migrating NIS Domains to IdM
A. Revision History