Windows Integration Guide
1. Ways to Integrate Active Directory and Linux Environments
Expand section "1. Ways to Integrate Active Directory and Linux Environments" Collapse section "1. Ways to Integrate Active Directory and Linux Environments"
1. 1.1. Defining Windows Integration
2. 1.2. Direct Integration
  Expand section "1.2. Direct Integration" Collapse section "1.2. Direct Integration"
  1. 1.2.1. Supported Windows Platforms for direct integration
3. 1.3. Indirect Integration
I. Adding a Single Linux System to an Active Directory Domain
Expand section "I. Adding a Single Linux System to an Active Directory Domain" Collapse section "I. Adding a Single Linux System to an Active Directory Domain"
1. 2. Using Active Directory as an Identity Provider for SSSD
  Expand section "2. Using Active Directory as an Identity Provider for SSSD" Collapse section "2. Using Active Directory as an Identity Provider for SSSD"
  1. 2.1. How the AD Provider Handles Trusted Domains
  2. 2.2. Configuring an AD Provider for SSSD
    
    Expand section "2.2. Configuring an AD Provider for SSSD" Collapse section "2.2. Configuring an AD Provider for SSSD"
    
    2.2.1. Overview of the Integration Options
    
    2.2.2. Configuring an AD Domain with ID Mapping as a Provider for SSSD
    
    2.2.3. Configuring SSSD to Use POSIX Attributes Defined in AD
  3. 2.3. Automatic Kerberos Host Keytab Renewal
  4. 2.4. Enabling Dynamic DNS Updates
  5. 2.5. Using Range Retrieval Searches with SSSD
  6. 2.6. Group Policy Object Access Control
    
    Expand section "2.6. Group Policy Object Access Control" Collapse section "2.6. Group Policy Object Access Control"
    
    2.6.1. How SSSD Works with GPO Access Control
    
    2.6.2. GPO Settings Supported by SSSD
    
    2.6.3. Configuring GPO-based Access Control for SSSD
    
    2.6.4. Additional Resources
  7. 2.7. Creating User Private Groups Automatically Using SSSD
    
    Expand section "2.7. Creating User Private Groups Automatically Using SSSD" Collapse section "2.7. Creating User Private Groups Automatically Using SSSD"
    
    2.7.1. Activating the Automatic Creation of User Private Groups for AD users
    
    2.7.2. Deactivating the Automatic Creation of User Private Groups for AD users
  8. 2.8. SSSD Clients and Active Directory DNS Site Autodiscovery
  9. 2.9. Troubleshooting SSSD
2. 3. Using realmd to Connect to an Active Directory Domain
  Expand section "3. Using realmd to Connect to an Active Directory Domain" Collapse section "3. Using realmd to Connect to an Active Directory Domain"
3. 4. Using Samba for Active Directory Integration
  Expand section "4. Using Samba for Active Directory Integration" Collapse section "4. Using Samba for Active Directory Integration"
  1. 4.1. Using winbindd to Authenticate Domain Users
    
    Expand section "4.1. Using winbindd to Authenticate Domain Users" Collapse section "4.1. Using winbindd to Authenticate Domain Users"
    
    4.1.1. Joining an AD Domain
  2. 4.2. Using SMB shares with SSSD and Winbind
    
    Expand section "4.2. Using SMB shares with SSSD and Winbind" Collapse section "4.2. Using SMB shares with SSSD and Winbind"
    
    4.2.1. How SSSD Works with SMB
    
    4.2.2. Switching Between SSSD and Winbind for SMB Share Access
  3. 4.3. Additional Resources
II. Integrating a Linux Domain with an Active Directory Domain: Cross-forest Trust
Expand section "II. Integrating a Linux Domain with an Active Directory Domain: Cross-forest Trust" Collapse section "II. Integrating a Linux Domain with an Active Directory Domain: Cross-forest Trust"
1. 5. Creating Cross-forest Trusts with Active Directory and Identity Management
  Expand section "5. Creating Cross-forest Trusts with Active Directory and Identity Management" Collapse section "5. Creating Cross-forest Trusts with Active Directory and Identity Management"
  1. 5.1. Introduction to Cross-forest Trusts
    
    Expand section "5.1. Introduction to Cross-forest Trusts" Collapse section "5.1. Introduction to Cross-forest Trusts"
    
    5.1.1. The Architecture of a Trust Relationship
    
    5.1.2. Active Directory Security Objects and Trust
    
    5.1.3. Trust Architecture in IdM
    
    Expand section "5.1.3. Trust Architecture in IdM" Collapse section "5.1.3. Trust Architecture in IdM"
    
    5.1.3.1. Active Directory PACs and IdM Tickets
    
    5.1.3.2. Active Directory Users and Identity Management Groups
    
    5.1.3.3. Active Directory Users and IdM Policies and Configuration
    
    5.1.4. One-Way and Two-Way Trusts
    
    5.1.5. External Trusts to Active Directory
    
    5.1.6. Trust Controllers and Trust Agents
  2. 5.2. Creating Cross-forest Trusts
    
    Expand section "5.2. Creating Cross-forest Trusts" Collapse section "5.2. Creating Cross-forest Trusts"
    
    5.2.1. Environment and Machine Requirements
    
    Expand section "5.2.1. Environment and Machine Requirements" Collapse section "5.2.1. Environment and Machine Requirements"
    
    5.2.1.1. Supported Windows Platforms
    
    5.2.1.2. DNS and Realm Settings
    
    5.2.1.3. NetBIOS Names
    
    5.2.1.4. Firewalls and Ports
    
    5.2.1.5. IPv6 Settings
    
    5.2.1.6. Clock Settings
    
    5.2.1.7. Creating a Conditional Forwarder for the IdM Domain in AD
    
    5.2.1.8. Creating a Forward Zone for the AD Domain in IdM
    
    5.2.1.9. Supported User Name Formats
    
    5.2.2. Creating Trusts
    
    Expand section "5.2.2. Creating Trusts" Collapse section "5.2.2. Creating Trusts"
    
    5.2.2.1. Creating a Trust from the Command Line
    
    Expand section "5.2.2.1. Creating a Trust from the Command Line" Collapse section "5.2.2.1. Creating a Trust from the Command Line"
    
    5.2.2.1.1. Preparing the IdM Server for Trust
    
    5.2.2.1.2. Creating a Trust Agreement
    
    5.2.2.1.3. Verifying the Kerberos Configuration
    
    5.2.2.2. Creating a Trust Using a Shared Secret
    
    Expand section "5.2.2.2. Creating a Trust Using a Shared Secret" Collapse section "5.2.2.2. Creating a Trust Using a Shared Secret"
    
    5.2.2.2.1. Creating a Two-Way Trust Using a Shared Secret
    
    5.2.2.2.2. Creating a One-Way Trust Using a Shared Secret
    
    5.2.2.3. Verifying the ID Mapping
    
    5.2.2.4. Creating a Trust on an Existing IdM Instance
    
    5.2.2.5. Adding a Second Trust
    
    5.2.2.6. Creating a Trust in the Web UI
    
    5.2.3. Post-installation Considerations for Cross-forest Trusts
    
    Expand section "5.2.3. Post-installation Considerations for Cross-forest Trusts" Collapse section "5.2.3. Post-installation Considerations for Cross-forest Trusts"
    
    5.2.3.1. Potential Behavior Issues with Active Directory Trust
    
    Expand section "5.2.3.1. Potential Behavior Issues with Active Directory Trust" Collapse section "5.2.3.1. Potential Behavior Issues with Active Directory Trust"
    
    5.2.3.1.1. Active Directory Users and IdM Administration
    
    5.2.3.1.2. Authenticating Deleted Active Directory Users
    
    5.2.3.1.3. Credential Cache Collections and Selecting Active Directory Principals
    
    5.2.3.1.4. Resolving Group SIDs
    
    5.2.3.2. Configuring Trust Agents
  3. 5.3. Managing and Configuring a Cross-forest Trust Environment
    
    Expand section "5.3. Managing and Configuring a Cross-forest Trust Environment" Collapse section "5.3. Managing and Configuring a Cross-forest Trust Environment"
    
    5.3.1. User Principal Names in a Trusted Domains Environment
    
    5.3.2. IdM Clients in an Active Directory DNS Domain
    
    Expand section "5.3.2. IdM Clients in an Active Directory DNS Domain" Collapse section "5.3.2. IdM Clients in an Active Directory DNS Domain"
    
    5.3.2.1. Kerberos Single Sign-on to the IdM Client is not Required
    
    5.3.2.2. Kerberos Single Sign-on to the IdM Client is Required
    
    5.3.3. Creating IdM Groups for Active Directory Users
    
    5.3.4. Maintaining Trusts
    
    Expand section "5.3.4. Maintaining Trusts" Collapse section "5.3.4. Maintaining Trusts"
    
    5.3.4.1. Editing the Global Trust Configuration
    
    Expand section "5.3.4.1. Editing the Global Trust Configuration" Collapse section "5.3.4.1. Editing the Global Trust Configuration"
    
    5.3.4.1.1. Changing the NetBIOS Name
    
    5.3.4.1.2. Changing the Default Group for Windows Users
    
    5.3.4.2. Discovering, Enabling, and Disabling Trust Domains
    
    5.3.4.3. Viewing and managing domains associated with IdM Kerberos realm
    
    5.3.4.4. Adding Ranges for UID and GID Numbers in a Transitive Trust
    
    5.3.4.5. Adjusting DNA ID ranges manually
    
    5.3.4.6. Kerberos Flags for Services and Hosts
    
    5.3.5. Setting PAC Types for Services
    
    Expand section "5.3.5. Setting PAC Types for Services" Collapse section "5.3.5. Setting PAC Types for Services"
    
    5.3.5.1. Setting Default PAC Types
    
    5.3.5.2. Setting PAC Types for a Service
    
    5.3.6. Using POSIX Attributes Defined in Active Directory
    
    Expand section "5.3.6. Using POSIX Attributes Defined in Active Directory" Collapse section "5.3.6. Using POSIX Attributes Defined in Active Directory"
    
    5.3.6.1. Defining UID and GID Attributes for Active Directory Users
    
    5.3.6.2. Transferring Login Shell and Home Directory Attributes
    
    5.3.7. Using SSH from Active Directory Machines for IdM Resources
    
    Expand section "5.3.7. Using SSH from Active Directory Machines for IdM Resources" Collapse section "5.3.7. Using SSH from Active Directory Machines for IdM Resources"
    
    5.3.7.1. Caching Considerations
    
    5.3.7.2. Using SSH Without Passwords
    
    5.3.8. Using a Trust with Kerberos-enabled Web Applications
    
    5.3.9. Configuring an IdM server as a Kerberos Distribution Center Proxy for Active Directory Kerberos communication
  4. 5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain
    
    Expand section "5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain" Collapse section "5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain"
    
    5.4.1. Prerequisites
    
    5.4.2. Configuring the LDAP Search Base to Restrict Searches
  5. 5.5. Changing the Format of User Names Displayed by SSSD
  6. 5.6. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain
    
    Expand section "5.6. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain" Collapse section "5.6. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain"
    
    5.6.1. Configuring SSSD to Contact a Specific Active Directory Server
  7. 5.7. Active Directory Trust for Legacy Linux Clients
    
    Expand section "5.7. Active Directory Trust for Legacy Linux Clients" Collapse section "5.7. Active Directory Trust for Legacy Linux Clients"
    
    5.7.1. Server-side Configuration for AD Trust for Legacy Clients
    
    5.7.2. Client-side Configuration Using the ipa-advise Utility
  8. 5.8. Troubleshooting Cross-forest Trusts
    
    Expand section "5.8. Troubleshooting Cross-forest Trusts" Collapse section "5.8. Troubleshooting Cross-forest Trusts"
    
    5.8.1. Troubleshooting the ipa-extdom Plug-in
III. Integrating a Linux Domain with an Active Directory Domain: Synchronization
Expand section "III. Integrating a Linux Domain with an Active Directory Domain: Synchronization" Collapse section "III. Integrating a Linux Domain with an Active Directory Domain: Synchronization"
1. 6. Synchronizing Active Directory and Identity Management Users
  Expand section "6. Synchronizing Active Directory and Identity Management Users" Collapse section "6. Synchronizing Active Directory and Identity Management Users"
  1. 6.1. Supported Windows Platforms
  2. 6.2. About Active Directory and Identity Management
  3. 6.3. About Synchronized Attributes
    
    Expand section "6.3. About Synchronized Attributes" Collapse section "6.3. About Synchronized Attributes"
    
    6.3.1. User Schema Differences between Identity Management and Active Directory
    
    Expand section "6.3.1. User Schema Differences between Identity Management and Active Directory" Collapse section "6.3.1. User Schema Differences between Identity Management and Active Directory"
    
    6.3.1.1. Values for cn Attributes
    
    6.3.1.2. Values for street and streetAddress
    
    6.3.1.3. Constraints on the initials Attribute
    
    6.3.1.4. Requiring the surname (sn) Attribute
    
    6.3.2. Active Directory Entries and POSIX Attributes
  4. 6.4. Setting up Active Directory for Synchronization
    
    Expand section "6.4. Setting up Active Directory for Synchronization" Collapse section "6.4. Setting up Active Directory for Synchronization"
    
    6.4.1. Creating an Active Directory User for Synchronization
    
    6.4.2. Setting up an Active Directory Certificate Authority
  5. 6.5. Managing Synchronization Agreements
    
    Expand section "6.5. Managing Synchronization Agreements" Collapse section "6.5. Managing Synchronization Agreements"
    
    6.5.1. Creating Synchronization Agreements
    
    6.5.2. Changing the Behavior for Synchronizing User Account Attributes
    
    6.5.3. Changing the Synchronized Windows Subtree
    
    6.5.4. Configuring Uni-directional Synchronization
    
    6.5.5. Deleting Synchronization Agreements
    
    6.5.6. Winsync Agreement Failures
  6. 6.6. Managing Password Synchronization
    
    Expand section "6.6. Managing Password Synchronization" Collapse section "6.6. Managing Password Synchronization"
    
    6.6.1. Setting up the Windows Server for Password Synchronization
    
    6.6.2. Setting up Password Synchronization
7. Migrating Existing Environments from Synchronization to Trust
Expand section "7. Migrating Existing Environments from Synchronization to Trust" Collapse section "7. Migrating Existing Environments from Synchronization to Trust"
1. 7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate
  Expand section "7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate" Collapse section "7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate"
  1. 7.1.1. How Migration Using ipa-winsync-migrate Works
  2. 7.1.2. How to Migrate Using ipa-winsync-migrate
2. 7.2. Migrate from Synchronization to Trust Manually Using ID Views
8. Using ID Views in Active Directory Environments
Expand section "8. Using ID Views in Active Directory Environments" Collapse section "8. Using ID Views in Active Directory Environments"
1. 8.1. Active Directory Default Trust View
  Expand section "8.1. Active Directory Default Trust View" Collapse section "8.1. Active Directory Default Trust View"
2. 8.2. Fixing ID Conflicts
3. 8.3. Using ID Views to Define AD User Attributes
4. 8.4. Migrating NIS Domains to IdM
5. 8.5. Configuration Options for Using Short Names to Resolve and Authenticate Users and Groups
  Expand section "8.5. Configuration Options for Using Short Names to Resolve and Authenticate Users and Groups" Collapse section "8.5. Configuration Options for Using Short Names to Resolve and Authenticate Users and Groups"
  1. 8.5.1. How Domain Resolution Works
  2. 8.5.2. Configuring the Domain Resolution Order on an Identity Management Server
    
    Expand section "8.5.2. Configuring the Domain Resolution Order on an Identity Management Server" Collapse section "8.5.2. Configuring the Domain Resolution Order on an Identity Management Server"
    
    8.5.2.1. Setting the Domain Resolution Order Globally
    
    8.5.2.2. Setting the Domain Resolution Order for an ID view
  3. 8.5.3. Configuring the Domain Resolution Order on an IdM Client
A. Revision History
Legal Notice

Language:
Format:

Language:
Format:

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

2.9. Troubleshooting SSSD

For details about troubleshooting SSSD, see the Troubleshooting SSSD appendix in the System-Level Authentication Guide.