20.3. Using Active Directory with Cross-Forest Trust

Kerberos can establish a cross-forest trust, which defines a relationship between two otherwise separate domain forests. A domain forest is a hierarchical structure of domains; both AD and IdM/IPA constitute a forest. With a trust relationship enabled between AD and IdM/IPA, AD users can access Linux hosts and services using a single set of credentials. For more information on cross-forest trusts, see the Red Hat Enterprise Linux Windows Integration Guide [14].
From the Satellite point of view, the configuration process is the same as integration with IdM/IPA server without cross-forest trust configured. The Satellite server has to be IPA-enrolled and integrated as described in Section 20.2, “Using Identity Management”. On the IdM/IPA server, the following additional steps are required:
  1. To enable the HBAC (host-based access control) feature, create an external group and add the AD group to it. Add the new external group to a POSIX group. Use this POSIX group in an HBAC rule.
  2. Configure sssd to retrieve additional attributes of AD users. Add user_attributes to the nss section and ldap_user_extra_attrs to the domain section of /etc/sssd/sssd.conf. For example:
    user_attributes=+mail, +sn, +givenname
    ldap_user_extra_attrs=mail, sn, givenname
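The sssd.conf change from step 2 as an added example (not from the guide or from Satellite): a small script that merges the attributes into the [nss] section and into every [domain/...] section without overwriting values already there, so it can be re-run safely; the sample configuration and its domain name are constructed.

```python
"""Add the AD user attributes from step 2 to an sssd.conf text.

user_attributes belongs in [nss] (the '+' prefix asks the nss responder
for extra attributes); ldap_user_extra_attrs belongs in each [domain/...]
section.  Existing lists are merged, comments and other options are kept.
"""
import re

AD_ATTRS = ("mail", "sn", "givenname")  # attributes listed in the guide


def _merge(existing: str, wanted) -> str:
    """Merge comma-separated attribute lists, preserving existing order."""
    values = [v.strip() for v in existing.split(",") if v.strip()]
    for v in wanted:
        if v not in values:
            values.append(v)
    return ", ".join(values)


def _apply(lines, is_target, key, wanted):
    """In every section accepted by is_target(name), set key to the merged list."""
    out, active, done = [], False, False
    for line in lines:
        header = re.match(r"^\s*\[([^\]]+)\]\s*$", line)
        if header:
            if active and not done:  # leaving a target section that lacked the key
                out.append(f"{key} = {', '.join(wanted)}")
            active, done = is_target(header.group(1)), False
        elif active and not done:
            kv = re.match(rf"^\s*{re.escape(key)}\s*=\s*(.*)$", line)
            if kv:
                line, done = f"{key} = {_merge(kv.group(1), wanted)}", True
        out.append(line)
    if active and not done:  # target section was the last one in the file
        out.append(f"{key} = {', '.join(wanted)}")
    return out


def add_ad_attributes(conf_text: str) -> str:
    lines = conf_text.splitlines()
    if not any(re.match(r"^\s*\[nss\]\s*$", l) for l in lines):
        lines += ["", "[nss]"]  # create the section if sssd.conf lacks it
    lines = _apply(lines, lambda s: s == "nss", "user_attributes",
                   ["+" + a for a in AD_ATTRS])
    lines = _apply(lines, lambda s: s.startswith("domain/"),
                   "ldap_user_extra_attrs", list(AD_ATTRS))
    return "\n".join(lines) + "\n"


# Constructed sample: an IPA-enrolled client that already requests one extra attribute.
SAMPLE_CONF = """[sssd]
services = nss, pam, ssh
domains = example.com

[nss]
user_attributes = +telephoneNumber

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
"""

if __name__ == "__main__":
    print(add_ad_attributes(SAMPLE_CONF))
```

Write the result back to /etc/sssd/sssd.conf and restart sssd for the change to take effect.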