CentOS 7
Sponsored Link

FreeIPA : FreeIPA trust AD2018/08/09

FreeIPA ドメインと Windows Active Directory ドメイン間で相互に信頼関係を構築する クロス フォレスト トラスト の設定です。
ドメインサーバー : CentOS 7 Windows Server 2016
NetBIOS名 : IPA01 FD3S01
ドメイン名 : ipa.srv.world ad.srv.world
ホスト名 : dlp.ipa.srv.world fd3s.ad.srv.world
+----------------------+          |           +----------------------+
| [ FreeIPA (CentOS) ] | ||  [ AD (Win 2016) ]   |
|  dlp.ipa.srv.world   +----------+-----------+  fd3s.ad.srv.world   |
|                      |                      |                      |
+----------------------+                      +----------------------+

[1] 構築済みの FreeIPA サーバー上で FreeIPA trust AD をインストールします。
[root@dlp ~]#
yum -y install ipa-server-trust-ad
[root@dlp ~]#

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

# FreeIPA admin パスワードで応答
admin password:

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.

Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

# slapi-nis を有効にするか否か
# SSSD 1.9 以前の古い Linux OS などとの互換性
Enable trusted domains support in slapi-nis? [no]:

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

# FreeIPA ドメインの NetBIOS名を設定
NetBIOS domain name [IPA]: IPA01

WARNING: 7 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

# 既存ユーザー向けに SID を作成するタスクを実行するか否か
Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: validate server hostname
  [2/23]: stopping smbd
  [3/23]: creating samba domain object


  [21/23]: starting CIFS services
  [22/23]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
  [23/23]: restarting smbd
Done configuring CIFS.

Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details


# firewalld 稼働中の場合は以下も設定

[root@dlp ~]#
firewall-cmd --add-service=freeipa-trust --permanent

[root@dlp ~]#
firewall-cmd --reload

[2] FreeIPA サーバー上で DNS 関連の設定を追加します。
# ipa dnsforwardzone-add [ADのドメイン名] --forwarder=[ADのIPアドレス] --forward-policy=only

[root@dlp ~]#
ipa dnsforwardzone-add ad.srv.world --forwarder= --forward-policy=only

Server will check DNS forwarder(s).
This may take some time, please wait ...
  Zone name: ad.srv.world.
  Active zone: TRUE
  Zone forwarders:
  Forward policy: only

# ipa dnsrecord-add [IPAのドメイン名] [ADのホスト名].[ADのNetBIOS名] --a-ip-address=[ADのIPアドレス]

# ipa dnsrecord-add [IPAのドメイン名] [ADのNetBIOS名] --ns-hostname=[ADのホスト名].[ADのNetBIOS名]

[root@dlp ~]#
ipa dnsrecord-add ipa.srv.world fd3s.FD3S01 --a-ip-address=

[root@dlp ~]#
ipa dnsrecord-add ipa.srv.world FD3S01 --ns-hostname=fd3s.FD3S01
# ipa dnszone-mod [IPAのドメイン名] --allow-transfer=[ADのIPアドレス]

[root@dlp ~]#
ipa dnszone-mod ipa.srv.world --allow-transfer=

  Zone name: ipa.srv.world.
  Active zone: TRUE
  Authoritative nameserver: dlp.ipa.srv.world.
  Administrator e-mail address: hostmaster.ipa.srv.world.
  SOA serial: 1533791906
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer:;
[3] Windows Active Directory 側でも FreeIPA ドメインをゾーンに追加します。
⇒ dnscmd /ZoneAdd [IPAのドメイン名] /Secondary [IPAのIPアドレス]
[4] DNS の設定を確認し、問題なければ FreeIPA trust AD をセットアップします。
[root@dlp ~]#
dig SRV _ldap._tcp.ipa.srv.world

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ipa.srv.world
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

; EDNS: version: 0, flags:; udp: 4096
;_ldap._tcp.ipa.srv.world.      IN      SRV

_ldap._tcp.ipa.srv.world. 86400 IN      SRV     0 100 389 dlp.ipa.srv.world.

ipa.srv.world.          86400   IN      NS      dlp.ipa.srv.world.

dlp.ipa.srv.world.      1200    IN      A


[root@dlp ~]#
dig SRV _ldap._tcp.ad.srv.world

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> SRV _ldap._tcp.ad.srv.world
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12195
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

; EDNS: version: 0, flags:; udp: 4096
;_ldap._tcp.ad.srv.world.       IN      SRV

_ldap._tcp.ad.srv.world. 600    IN      SRV     0 100 389 FD3S.ad.srv.world.


# ipa trust-add --type=ad [ADのドメイン名] --admin Administrator --password

[root@dlp ~]#
ipa trust-add --type=ad ad.srv.world --admin Administrator --password

Active Directory domain administrator's password:
Added Active Directory trust for realm "ad.srv.world"
  Realm name: ad.srv.world
  Domain NetBIOS name: FD3S01
  Domain Security Identifier: S-1-5-21-3929321687-412289865-1056573164
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

# 任意の AD ユーザーの情報が取得できるか確認

[root@dlp ~]#
id FD3S01\\Serverworld

uid=1890801000(serverworld@ad.srv.world) gid=1890801000(serverworld@ad.srv.world) groups=1890801000(serverworld@ad.srv.world),1890800513(domain users@ad.srv.world)
# 任意の AD ユーザーに遷移可能か確認

[root@dlp ~]#
su - FD3S01\\Serverworld

Creating home directory for serverworld@ad.srv.world.