Setup IPA Server to authenticate with Active Directory

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • IPA
  • Indirect integration
  • Microsoft Windows 2012 / 2012 R2 / 2016 / 2019 / 2022 (RHEL 9.1 and later).

Resolution

The instructions below apply to IPA servers. For IPA clients, see Setup IPA client to authenticate with Active Directory.

  1. Open the required ports in the firewall. See more about required ports here.
# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
  2. Add the firewalld services for IdM and DNS.
# firewall-cmd --permanent --add-service={freeipa-4,dns}
  3. Reload firewalld and check that all the necessary ports and services are listed.
# firewall-cmd --reload
# firewall-cmd --list-all
  4. Double-check the DNS configuration of the IdM server. If an external DNS server is used, it must be configured in /etc/resolv.conf. In this example IdM provides integrated DNS, so the nameserver is 127.0.0.1.

NOTE: With integrated DNS, ipa-server-install configures the resolver to point at 127.0.0.1 itself, so there is no need to edit /etc/resolv.conf manually.

[root@ipaserver ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search idm.example.com
nameserver 127.0.0.1
  5. Run the update-crypto-policies command to enable the AD-SUPPORT cryptographic subpolicy on top of the DEFAULT policy. AD-SUPPORT re-enables legacy settings that some Active Directory deployments still require (for example the RC4 Kerberos encryption type), so keep it only as long as the AD domain controllers need it, and restart the host afterwards so every service picks up the new policy.
# update-crypto-policies --set DEFAULT:AD-SUPPORT

See more about crypto policies at this link.

  6. Install the IdM packages.

a) For RHEL 8

# yum module enable idm:DL1
# yum distro-sync
  • To download the packages necessary for installing an IdM server with integrated DNS and AD trust support:
# yum module install idm:DL1/{dns,adtrust}
  • To download the packages necessary for installing an IdM server that has a trust agreement with Active Directory and uses an external DNS:
# yum module install idm:DL1/adtrust

b) For RHEL 9 (external DNS):

# dnf install ipa-server ipa-server-trust-ad samba-client

To download the packages necessary for installing an IdM server with integrated DNS:

# dnf install ipa-server ipa-server-dns ipa-server-trust-ad samba-client
  7. Install the IdM server. For integrated DNS, as in this example, answer yes when the installer asks whether to configure integrated DNS (BIND), or pass --setup-dns; with an external DNS, decline.
# ipa-server-install --mkhomedir

NOTE: see more details on how to install the IdM server at the link.
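The script below is added for this article and is not part of Red Hat's documentation or of the ipa tooling. It turns the firewall, crypto-policy and resolver steps above into a repeatable preflight check to run on the IdM server before installing the server and the trust. The check functions take command output as text, so they can also be exercised on output captured from another host; main() feeds them the live commands. Assumptions: the required port list mirrors the firewall step above, and the ports attributed to the freeipa-4 and dns firewalld services are assumed to match those service definitions on RHEL 8 and 9.

```shell
#!/bin/bash
# Preflight check for the firewall, crypto-policy and resolver steps above.
# Added example for this article, not Red Hat's code. The check functions take
# command output as text so they can be exercised on captured output from
# another host; main() feeds them the live commands on the IdM server.

# Ports the firewall step opens explicitly.
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# Ports covered by the firewalld services added in the same step.
# Assumption: these match firewalld's freeipa-4 and dns service definitions.
FREEIPA4_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp"
DNS_PORTS="53/tcp 53/udp"

# has_word LIST WORD: succeeds if WORD is a whitespace-separated member of LIST.
has_word() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# missing_ports "<output of firewall-cmd --list-all>"
# Prints each required port that is neither listed under "ports:" nor covered
# by the freeipa-4 / dns entries under "services:". No output means all open.
missing_ports() {
  local listing="$1" services ports covered p
  services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
  ports=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
  covered="$ports"
  has_word "$services" freeipa-4 && covered="$covered $FREEIPA4_PORTS"
  has_word "$services" dns && covered="$covered $DNS_PORTS"
  for p in $REQUIRED_PORTS; do
    has_word "$covered" "$p" || printf '%s\n' "$p"
  done
  return 0
}

# crypto_policy_ok "<output of update-crypto-policies --show>"
# Succeeds when the AD-SUPPORT subpolicy is part of the active policy.
crypto_policy_ok() {
  case "$1" in
    *AD-SUPPORT*) return 0 ;;
  esac
  return 1
}

# resolver_ok "<contents of /etc/resolv.conf>" integrated|external
# integrated: the server must query its own BIND instance (127.0.0.1).
# external:   any nameserver entry is acceptable.
resolver_ok() {
  local conf="$1" mode="$2" ns
  ns=$(printf '%s\n' "$conf" | awk '$1 == "nameserver" { print $2 }' | tr '\n' ' ')
  [ -n "$ns" ] || return 1
  if [ "$mode" = integrated ]; then
    has_word "$ns" 127.0.0.1
  else
    return 0
  fi
}

main() {
  local mode="${1:-integrated}" rc=0 missing
  missing=$(missing_ports "$(firewall-cmd --list-all)")
  if [ -n "$missing" ]; then
    echo "FAIL firewall: not open: $(printf '%s' "$missing" | tr '\n' ' ')"
    rc=1
  fi
  if ! crypto_policy_ok "$(update-crypto-policies --show)"; then
    echo "FAIL crypto policy: AD-SUPPORT subpolicy is not active"
    rc=1
  fi
  if ! resolver_ok "$(cat /etc/resolv.conf)" "$mode"; then
    echo "FAIL resolver: /etc/resolv.conf does not fit '$mode' DNS"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

# Run the live checks only where the IdM host tooling exists; elsewhere just
# define the functions (for example when sourcing this file to test them).
if command -v firewall-cmd >/dev/null 2>&1 && command -v update-crypto-policies >/dev/null 2>&1; then
  main "$@"
fi
```

Run it on the IdM server as sh preflight.sh integrated (or external) after the firewall, crypto-policy and DNS steps; each FAIL line names the step to revisit. A port that is listed under services: but not under ports: is still counted as open, which is why the freeipa-4 and dns services are mapped to their ports rather than demanding every port be added explicitly.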

Set up a trust

  1. Configure a DNS forward zone.

a) Check that the required ports are open for communication between IdM and AD (see the firewall step above).
b) Disable DNSSEC validation. Active Directory DNS zones are usually unsigned and, for private domains, cannot be validated against the public DNSSEC chain, so the forwarded AD names would fail validation. Edit /etc/named/ipa-options-ext.conf and add the following settings at the end of the file. Note that this turns validation off for every query the IdM DNS server answers, not only for the AD zone.

dnssec-enable no;
dnssec-validation no;

On RHEL 9, named is BIND 9.16, where dnssec-enable is obsolete and has no effect; only dnssec-validation no; matters there. Then restart the DNS service (the unit is named-pkcs11 on RHEL 8 and named on RHEL 9):

# systemctl restart named-pkcs11

c) Create a DNS forward zone for the AD domain, and specify the IP address of the AD DNS server with the --forwarder option. --forward-policy=only sends every query for that zone to AD and never falls back to recursion:

# ipa dnsforwardzone-add ad.example.com --forwarder=<IP_Active_Directory> --forward-policy=only
  2. Configure DNS forwarding in AD.
    a) Log in to the Windows Server.
    b) Open Server Manager.
    c) Open DNS Manager.
    d) Under Conditional Forwarders, add a new conditional forwarder with:

    • The IdM DNS domain (idm.example.com) as the domain to forward
    • The IdM server IP address and its fully qualified domain name, for example server.idm.example.com, as the master server
    • Save the settings.
  3. On the IdM server, verify that IdM resolves its own records: run a DNS query for the Kerberos over UDP and LDAP over TCP service records. The commands are expected to list all IdM servers.

# dig +short -t SRV _kerberos._udp.idm.example.com.
# dig +short -t SRV _ldap._tcp.idm.example.com.
  4. Verify that IdM can resolve the AD service records through the forward zone: run a DNS query for the Kerberos and LDAP over TCP service records of the AD domain controllers. The commands are expected to list the Active Directory domain controllers.
# dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.
# dig +short -t SRV _ldap._tcp.dc._msdcs.ad.example.com.
  5. Prepare the IdM server for the trust. Run the ipa-adtrust-install utility; it enables the Samba-based trust controller role, sets the NetBIOS name of the IdM domain, and asks whether to run the SID generation task for existing users and groups:
# ipa-adtrust-install

NOTE: For the options the command accepts (for example --netbios-name and --add-sids), see the documentation.

  6. Restart the IPA services:
# ipactl restart
  7. Create a trust agreement for the AD domain and the IdM domain by using the ipa trust-add command. --password prompts for the AD administrator's password instead of taking it on the command line:

a) To have SSSD automatically generate UIDs and GIDs for AD users based on their SID, create a trust agreement with the Active Directory domain ID range type. This is the most common configuration.

# ipa trust-add --type=ad ad.example.com --admin <ad_admin_username> --password

b) If you have configured POSIX attributes for your users in Active Directory (such as uidNumber and gidNumber) and you want SSSD to use them, create a trust agreement with the Active Directory domain with POSIX attributes ID range type:

# ipa trust-add --type=ad ad.example.com --admin <ad_admin_username> --password --range-type=ipa-ad-trust-posix
  8. Validate the trust:
# ipa trust-find
  9. Check that an AD user can obtain a Kerberos ticket, is resolved by SSSD, and can log in. Kerberos realm names are upper-case; the user name carries the lower-case domain.
# KRB5_TRACE=/dev/stdout kinit -V <aduser>@AD.EXAMPLE.COM
# id <aduser>@ad.example.com
# ssh <aduser>@ad.example.com@127.0.0.1
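The script below is added here and is not part of Red Hat's documentation or of the ipa tooling. It bundles the verification commands from this section (the SRV lookups in both directions, ipa trust-find, id and kinit) into one check that can be re-run whenever DNS forwarding or the trust is changed. Assumptions: the domain names are the article's placeholders idm.example.com and ad.example.com (override them with the IDM_DOMAIN and AD_DOMAIN environment variables), the AD user to test is passed as the first argument, and the ipa trust-find output is recognised by its "Realm name:" lines.

```shell
#!/bin/bash
# Post-trust verification for the DNS and trust steps above. Added example for
# this article, not Red Hat's code. Domain names are the article's placeholders
# and can be overridden through the environment; pass an AD user name as $1 to
# also test SSSD resolution and Kerberos authentication for that user.
IDM_DOMAIN="${IDM_DOMAIN:-idm.example.com}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"

# srv_hosts "<output of dig +short -t SRV ...>"
# Each answer line is "priority weight port target."; print the targets,
# one per line, without the trailing dot. Empty input yields no output.
srv_hosts() {
  printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# srv_lookup NAME: live SRV query; the trailing dot avoids search-list lookups.
srv_lookup() {
  dig +short -t SRV "$1."
}

# trust_present "<output of ipa trust-find>" DOMAIN
# Succeeds if DOMAIN is listed as a "Realm name:" entry (case-insensitive).
trust_present() {
  printf '%s\n' "$1" | awk -v d="$2" '
    tolower($0) ~ /realm name:/ && tolower($NF) == tolower(d) { found = 1 }
    END { exit !found }'
}

# ad_user_resolves USER@DOMAIN: SSSD must hand back a passwd entry via NSS.
ad_user_resolves() {
  getent passwd "$1" >/dev/null
}

main() {
  local user="$1" rc=0 name hosts realm
  # Both directions: IdM's own records and the AD DC records via the forward zone.
  for name in "_kerberos._udp.$IDM_DOMAIN" "_ldap._tcp.$IDM_DOMAIN" \
              "_kerberos._tcp.dc._msdcs.$AD_DOMAIN" "_ldap._tcp.dc._msdcs.$AD_DOMAIN"; do
    hosts=$(srv_hosts "$(srv_lookup "$name")" | tr '\n' ' ')
    if [ -n "$hosts" ]; then
      echo "OK   $name -> $hosts"
    else
      echo "FAIL $name: no SRV answer"
      rc=1
    fi
  done
  if trust_present "$(ipa trust-find)" "$AD_DOMAIN"; then
    echo "OK   trust to $AD_DOMAIN exists"
  else
    echo "FAIL no trust to $AD_DOMAIN (run ipa trust-add first)"
    rc=1
  fi
  if [ -n "$user" ]; then
    if ad_user_resolves "$user@$AD_DOMAIN"; then
      echo "OK   $user@$AD_DOMAIN resolves: $(id "$user@$AD_DOMAIN")"
    else
      echo "FAIL $user@$AD_DOMAIN not resolvable via SSSD (check the sssd logs)"
      rc=1
    fi
    # Kerberos realm names are upper-case; kinit prompts for the AD password.
    realm=$(printf '%s' "$AD_DOMAIN" | tr '[:lower:]' '[:upper:]')
    KRB5_TRACE=/dev/stdout kinit -V "$user@$realm" || rc=1
  fi
  return "$rc"
}

# Run the live checks only on a host that has the IdM client tooling.
if command -v ipa >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
  main "$@"
fi
```

Run it on the IdM server as sh verify-trust.sh aduser after the trust has been created. A FAIL on the _msdcs records points at the forward zone or at the firewall between IdM and the AD DNS server; a FAIL on the IdM records points at the IdM DNS itself; a user that does not resolve while the trust exists usually means the ID range type chosen in ipa trust-add does not match how the AD accounts are provisioned.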

Reference:
Integrating IdM and AD - RHEL 8
Prerequisites for establishing a trust - RHEL 9

Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
