Chapter 14. Identity: Integrating with Active Directory Through Cross-forest Trust (Technology Preview)

Kerberos implements a concept of a trust. In a trust, a principal from one Kerberos realm can request a ticket to a service in another Kerberos realm. Using this ticket, the principal can authenticate against resources on machines belonging to the other realm.
Kerberos also has the ability to create a relationship between two otherwise separate Kerberos realms: a cross-realm trust. Realms that are part of a trust use a shared pair of a ticket and key; a member of one realm then counts as a member of both realms.
Both Active Directory and Identity Management manage a variety of core services such as Kerberos, LDAP, DNS, or certificate services. Therefore, establishing Kerberos cross-realm trust is not enough to allow users from one realm to access resources in a different realm; support is required at other levels of communication as well. For this purpose, IdM enables configuring a cross-forest trust between an IdM domain and an AD domain. Cross-forest trust is a trust established between two separate forest root domains, allowing users and services from different forests to communicate.


Multiple AD domains can be organized together into an Active Directory forest. A root domain of the forest is the first domain created in the forest. The IdM domain cannot be part of an existing AD forest, thus it is always seen as a separate forest.

Cross-forest Trust As Technology Preview in Red Hat Enterprise Linux 6

In Red Hat Enterprise Linux 6, the cross-forest trust feature is offered as a Technology Preview. Note that Red Hat recommends connecting Red Hat Enterprise Linux 6 IdM clients to a Red Hat Enterprise Linux 7 IdM server for cross-forest trust capability. Trusts are fully supported on servers running Red Hat Enterprise Linux 7. A configuration with Red Hat Enterprise Linux 6 clients connected to a Red Hat Enterprise Linux 7 server for cross-forest trust is fully supported as well. In such setups, it is recommended to use the latest version of Red Hat Enterprise Linux 6 on the client side and the latest version of Red Hat Enterprise Linux 7 on the server side.
Red Hat will not upgrade the cross-forest trust feature within Red Hat Enterprise Linux 6 from the Technology Preview status to Supported. If a certain AD deployment does not work with cross-forest trust in Red Hat Enterprise Linux 6, consider trying the latest Red Hat Enterprise Linux 7 IdM version to identify whether a particular configuration requires improvement in Red Hat Enterprise Linux 7.
For documentation on cross-forest trust in Red Hat Enterprise Linux 7, including a more detailed description of what cross-forest trust is, see the Red Hat Enterprise Linux 7 Windows Integration Guide.

Overview of Cross-forest Trust in Red Hat Enterprise Linux 6

The cross-forest trust feature in Red Hat Enterprise Linux 6 includes the ability to:
  • Establish a trust to a single AD forest.
  • Allow access to IdM resources for users from the root domain of a trusted AD forest.
The cross-forest trust feature in Red Hat Enterprise Linux 6 does not include the ability to:
  • Override default attributes of AD users, such as the login shell or home directory, in a centralized way. To achieve this, deploy ID views using IdM in Red Hat Enterprise Linux 7.
  • Expose AD users and groups using the compatibility tree for legacy clients. To provide legacy clients with access to AD users and groups, use IdM in Red Hat Enterprise Linux 7.

Trusts vs Synchronization

Trusts and synchronization are fundamentally different approaches to integrating an IdM domain and an AD domain. Both approaches offer the advantage of managing Linux systems and policies related to those systems centrally while enabling users from AD domains to transparently access Linux systems and services.
For a comparison of the trust-based and synchronization-based solutions, see the Red Hat Enterprise Linux 7 Windows Integration Guide. For information on integrating with AD using synchronization in Red Hat Enterprise Linux 6, see Chapter 15, Identity: Integrating with Microsoft Active Directory Through Synchronization.