FreeIPA : FreeIPA trust AD2018/08/09 |
FreeIPA ドメインと Windows Active Directory ドメイン間で相互に信頼関係を構築する クロス フォレスト トラスト の設定です。
当例では以下のような環境を例にします。
+----------------------+ | +----------------------+ | [ FreeIPA (CentOS) ] |10.0.0.30 | 10.0.0.100| [ AD (Win 2016) ] | | dlp.ipa.srv.world +----------+-----------+ fd3s.ad.srv.world | | | | | +----------------------+ +----------------------+ |
[1] | 構築済みの FreeIPA サーバー上で FreeIPA trust AD をインストールします。 |
[root@dlp ~]#
[root@dlp ~]# yum -y install ipa-server-trust-ad ipa-adtrust-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will setup components needed to establish trust to AD domains for the IPA Server. This includes: * Configure Samba * Add trust related objects to IPA LDAP server To accept the default shown in brackets, press the Enter key. Configuring cross-realm trusts for IPA server requires password for user 'admin'. This user is a regular system account used for IPA server administration. # FreeIPA admin パスワードで応答 admin password: WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration. Do you wish to continue? [no]: yes Do you want to enable support for trusted domains in Schema Compatibility plugin? This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users. # slapi-nis を有効にするか否か # SSSD 1.9 以前の古い Linux OS などとの互換性 Enable trusted domains support in slapi-nis? [no]: Enter the NetBIOS name for the IPA domain. Only up to 15 uppercase ASCII letters, digits and dashes are allowed. Example: EXAMPLE. # FreeIPA ドメインの NetBIOS名を設定 NetBIOS domain name [IPA]: IPA01 WARNING: 7 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details. # 既存ユーザー向けに SID を作成するタスクを実行するか否か Do you want to run the ipa-sidgen task? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring CIFS [1/23]: validate server hostname [2/23]: stopping smbd [3/23]: creating samba domain object ..... ..... [21/23]: starting CIFS services [22/23]: adding SIDs to existing users and groups This step may take considerable amount of time, please wait.. [23/23]: restarting smbd Done configuring CIFS. ============================================================================= Setup complete You must make sure these network ports are open: TCP Ports: * 135: epmap * 138: netbios-dgm * 139: netbios-ssn * 445: microsoft-ds * 1024..1300: epmap listener range * 3268: msft-gc UDP Ports: * 138: netbios-dgm * 139: netbios-ssn * 389: (C)LDAP * 445: microsoft-ds See the ipa-adtrust-install(1) man page for more details ============================================================================= # firewalld 稼働中の場合は以下も設定 [root@dlp ~]# firewall-cmd --add-service=freeipa-trust --permanent success [root@dlp ~]# firewall-cmd --reload success |
[2] | FreeIPA サーバー上で DNS 関連の設定を追加します。 |
# ipa dnsforwardzone-add [ADのドメイン名] --forwarder=[ADのIPアドレス] --forward-policy=only [root@dlp ~]# ipa dnsforwardzone-add ad.srv.world --forwarder=10.0.0.100 --forward-policy=only Server will check DNS forwarder(s). This may take some time, please wait ... Zone name: ad.srv.world. Active zone: TRUE Zone forwarders: 10.0.0.100 Forward policy: only # ipa dnsrecord-add [IPAのドメイン名] [ADのホスト名].[ADのNetBIOS名] --a-ip-address=[ADのIPアドレス] # ipa dnsrecord-add [IPAのドメイン名] [ADのNetBIOS名] --ns-hostname=[ADのホスト名].[ADのNetBIOS名] [root@dlp ~]# ipa dnsrecord-add ipa.srv.world fd3s.FD3S01 --a-ip-address=10.0.0.100 [root@dlp ~]# ipa dnsrecord-add ipa.srv.world FD3S01 --ns-hostname=fd3s.FD3S01
# ipa dnszone-mod [IPAのドメイン名] --allow-transfer=[ADのIPアドレス] [root@dlp ~]# ipa dnszone-mod ipa.srv.world --allow-transfer=10.0.0.100 Zone name: ipa.srv.world. Active zone: TRUE Authoritative nameserver: dlp.ipa.srv.world. Administrator e-mail address: hostmaster.ipa.srv.world. SOA serial: 1533791906 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: 10.0.0.100; |
[3] | Windows Active Directory 側でも FreeIPA ドメインをゾーンに追加します。 ⇒ dnscmd 127.0.0.1 /ZoneAdd [IPAのドメイン名] /Secondary [IPAのIPアドレス] |
[4] | DNS の設定を確認し、問題なければ FreeIPA trust AD をセットアップします。 |
[root@dlp ~]# dig SRV _ldap._tcp.ipa.srv.world ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ipa.srv.world ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14793 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.ipa.srv.world. IN SRV ;; ANSWER SECTION: _ldap._tcp.ipa.srv.world. 86400 IN SRV 0 100 389 dlp.ipa.srv.world. ;; AUTHORITY SECTION: ipa.srv.world. 86400 IN NS dlp.ipa.srv.world. ;; ADDITIONAL SECTION: dlp.ipa.srv.world. 1200 IN A 10.0.0.30 ..... .....[root@dlp ~]# dig SRV _ldap._tcp.ad.srv.world ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ad.srv.world ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12195 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.ad.srv.world. IN SRV ;; ANSWER SECTION: _ldap._tcp.ad.srv.world. 600 IN SRV 0 100 389 FD3S.ad.srv.world. ..... ..... # ipa trust-add --type=ad [ADのドメイン名] --admin Administrator --password [root@dlp ~]# ipa trust-add --type=ad ad.srv.world --admin Administrator --password Active Directory domain administrator's password: ----------------------------------------------------- Added Active Directory trust for realm "ad.srv.world" ----------------------------------------------------- Realm name: ad.srv.world Domain NetBIOS name: FD3S01 Domain Security Identifier: S-1-5-21-3929321687-412289865-1056573164 Trust direction: Trusting forest Trust type: Active Directory domain Trust status: Established and verified # 任意の AD ユーザーの情報が取得できるか確認 [root@dlp ~]# id FD3S01\\Serverworld uid=1890801000(serverworld@ad.srv.world) gid=1890801000(serverworld@ad.srv.world) groups=1890801000(serverworld@ad.srv.world),1890800513(domain users@ad.srv.world) # 任意の AD ユーザーに遷移可能か確認 [root@dlp ~]# su - FD3S01\\Serverworld Creating home directory for serverworld@ad.srv.world. -sh-4.2$ |
Sponsored Link |
|