Windows Integration Guide
2.9. Troubleshooting SSSD

For details about troubleshooting SSSD, see the Troubleshooting SSSD appendix in the System-Level Authentication Guide.