20.3. Using Active Directory with Cross-Forest Trust
Kerberos can create cross-forest trust that defines a relationship between two otherwise separate domain forests. A domain forest is a hierarchical structure of domains; both AD and IdM/IPA constitute a forest. With a trust relationship enabled between AD and IdM/IPA, users of AD can access Linux hosts and services using a single set of credentials. For more information on cross-forest trusts, see Red Hat Enterprise Linux Windows Integration Guide[14].
From the Satellite point of view, the configuration process is the same as integration with IdM/IPA server without cross-forest trust configured. The Satellite server has to be IPA-enrolled and integrated as described in Section 20.2, “Using Identity Management”. On the IdM/IPA server, the following additional steps are required:
- To enable HBAC for AD users, create an external group in IdM and add the AD group to it. Add the new external group to a POSIX group, and use that POSIX group in an HBAC rule.
- Configure sssd to transfer additional attributes of AD users. Add these attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

    [nss]
    user_attributes=+mail, +sn, +givenname

    [domain/EXAMPLE]
    ldap_user_extra_attrs=mail, sn, givenname
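A consistency check for the sssd.conf step above, added here as an example (it is not part of the Satellite or SSSD documentation): it parses a constructed sssd.conf and reports attributes that [nss] user_attributes exposes but the domain's ldap_user_extra_attrs does not fetch, and vice versa, since either mismatch means the AD attribute never reaches the host.

```python
"""Check that the extra AD user attributes in sssd.conf are configured consistently:
[nss] user_attributes and [domain/...] ldap_user_extra_attrs must name the same attributes."""
import configparser

# Constructed sample sssd.conf (not from a real host); mirrors the example in the text.
SAMPLE_SSSD_CONF = """
[sssd]
domains = EXAMPLE
[nss]
user_attributes = +mail, +sn, +givenname
[domain/EXAMPLE]
id_provider = ipa
ldap_user_extra_attrs = mail, sn, givenname
"""


def parse_attr_list(value, nss_style):
    """Split a comma-separated sssd attribute list into lowercase SSSD-side names.
    nss_style: [nss] user_attributes entries are '+name' (include) or '-name' (exclude);
    otherwise ldap_user_extra_attrs entries are 'ldap_attr' or 'sssd_name:ldap_attr'."""
    attrs = set()
    for item in (i.strip() for i in value.split(",")):
        if not item:
            continue
        if nss_style:
            if item.startswith("+"):          # '-name' exclusions are not extra attrs
                attrs.add(item[1:].lower())
        else:
            attrs.add(item.split(":", 1)[0].lower())
    return attrs


def check_extra_attrs(conf_text, domain):
    """Return (missing_in_domain, missing_in_nss) as sorted lists; both empty means
    the [nss] and [domain/<domain>] sections agree on the extra attributes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    nss_attrs = parse_attr_list(cp.get("nss", "user_attributes", fallback=""), True)
    dom_attrs = parse_attr_list(
        cp.get(f"domain/{domain}", "ldap_user_extra_attrs", fallback=""), False)
    return sorted(nss_attrs - dom_attrs), sorted(dom_attrs - nss_attrs)


if __name__ == "__main__":
    missing_dom, missing_nss = check_extra_attrs(SAMPLE_SSSD_CONF, "EXAMPLE")
    print("exposed by [nss] but not fetched by the domain:", missing_dom)  # []
    print("fetched by the domain but not exposed by [nss]:", missing_nss)  # []
```

To check a real host, read /etc/sssd/sssd.conf into conf_text and pass the domain name used in its [domain/...] section.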
