FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
I will be installing FreeIPA and its Active Directory Trust module in this article. I want my Linux clients to have their own domain (linuxlab.local) and I want Active Directory domain (mydomain.local) users to be authenticated with their Active Directory credentials. I need a one-way trust for this scenario (FreeIPA → AD). The benefits of this are:
- We can manage Linux users from Active Directory
- Linux hosts do not have to join the AD domain
- Linux systems do not communicate with AD for authentication
In this article, I will use the following servers
192.168.1.200 srv-dc01.mydomain.local (active directory)
192.168.1.201 ipa.linuxlab.local (ipa server / OS:Rocky Linux 9.5 DNS is set to 8.8.8.8 / firewall disabled)
#change user to root
sudo su
#update rocky linux
dnf update -y
#change IP server hostname
hostnamectl set-hostname ipa.linuxlab.local
#Edit /etc/hosts file and add AD and IPA hosts
echo "192.168.1.201 ipa.linuxlab.local ipa" >> /etc/hosts
echo "192.168.1.200 srv-dc01.mydomain.local" >> /etc/hosts
We need to keep the IPv6 stack functional but will not assign IPv6 addresses to any of our network devices except the loopback interface. Samba components need the loopback interface to have an IPv6 address.
nano /etc/sysctl.d/ipv6.conf
#Add the following lines to /etc/sysctl.d/ipv6.conf. ens34 in the last line is my interface name.
#Here I say ens34 will not have an IPv6 address.
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.ens34.disable_ipv6 = 1
Load and apply the kernel parameters from the configuration files:
sysctl --system
INSTALL AND CONFIGURE IPA SERVER:
dnf update -y
#install required packages
dnf install -y "*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap ipa-server-dns
#install IPA Server
ipa-server-install -a <YourAdminPass123> -p <YourDMPass123> --domain=linuxlab.local --realm=LINUXLAB.LOCAL --setup-dns --no-forwarders -U
The options of the above command are:
-a <password>: IPA admin password
-p <password>: Directory Manager password
--setup-dns: installs the integrated DNS server
--no-forwarders: no DNS forwarders defined
-U: unattended install, meaning don't ask me any more questions
To obtain a ticket-granting ticket, run the following command. The password is your admin user's password (from the -a option of the ipa-server-install command).
kinit admin
#Then run the following to make sure IPA users are available to the system services
id admin
getent passwd admin
If the above commands fail, restart the sssd service (service sssd restart) and try them again.
I also need to check the NetBIOS name at this point.
ipa trustconfig-show
CONFIGURE IPA SERVER FOR CROSS-FOREST TRUSTS:
The trust that we are going to establish is a one-way trust (from IPA to AD). Let's first install the AD trust module.
ipa-adtrust-install --netbios-name=LINUXLAB -a <YourAdminPass123>
On Active Directory Server:
Create a conditional forwarder for ipaserver
dnscmd 127.0.0.1 /ZoneAdd linuxlab.local /Forwarder 192.168.1.201
On IPA Server:
We need to disable DNSSEC validation first.
nano /etc/named/ipa-options-ext.conf
#change the line "dnssec-validation yes;" to "dnssec-validation no;"
#restart dns service
systemctl restart named
Then create a conditional forwarder for the AD domain:
ipa dnsforwardzone-add mydomain.local --forwarder=192.168.1.200 --forward-policy=only
Verify DNS Configuration:
Before adding the trust with the AD domain, we need to make sure both the AD and IPA servers can see each other; check that the SRV records resolve properly.
On AD Server:
nslookup
set type=srv
_ldap._tcp.mydomain.local
_ldap._tcp.linuxlab.local
quit
On IPA Server:
dig SRV _ldap._tcp.linuxlab.local
dig SRV _ldap._tcp.mydomain.local
The status must be NOERROR.
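The SRV check above is easy to eyeball once, but it is worth scripting so it can be rerun whenever the trust misbehaves. The following is an added example, not part of the original article: a POSIX sh helper that parses `dig SRV` output for the two _ldap._tcp records, insists on status NOERROR and at least one SRV record, and reports the target host. The dig answers embedded in it are constructed samples so it runs offline; on the IPA server you would feed it the real `dig SRV _ldap._tcp.linuxlab.local` and `dig SRV _ldap._tcp.mydomain.local` output.

```shell
#!/bin/sh
# Added example (not from the original article): check `dig SRV` output for the two
# _ldap._tcp records the trust depends on. Sample dig answers are constructed inline so
# the script runs offline; on the IPA server replace them with real `dig SRV ...` output.

# srv_targets DOMAIN DIG_OUTPUT
# Prints the SRV target hosts for _ldap._tcp.DOMAIN when the answer is usable.
# Returns 1 when the status is not NOERROR or the answer carries no SRV record.
srv_targets() {
  _name="_ldap._tcp.$1."
  _status=$(printf '%s\n' "$2" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  if [ "$_status" != "NOERROR" ]; then
    echo "FAIL $_name: status=${_status:-missing} (check the forward zone and DNSSEC validation)" >&2
    return 1
  fi
  # dig answer lines look like: NAME TTL IN SRV PRIO WEIGHT PORT TARGET
  _targets=$(printf '%s\n' "$2" | awk -v n="$_name" '$1 == n && $4 == "SRV" { print $8 }')
  if [ -z "$_targets" ]; then
    echo "FAIL $_name: NOERROR but no SRV record in the ANSWER section" >&2
    return 1
  fi
  printf '%s\n' "$_targets"
}

# Constructed sample answers: what dig prints once the forward zone works, and what
# it prints when the AD zone cannot be resolved at all.
DIG_IPA_OK='; <<>> DiG 9.16 <<>> SRV _ldap._tcp.linuxlab.local
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
_ldap._tcp.linuxlab.local. 86400 IN SRV 0 100 389 ipa.linuxlab.local.'
DIG_AD_OK='; <<>> DiG 9.16 <<>> SRV _ldap._tcp.mydomain.local
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
_ldap._tcp.mydomain.local. 600 IN SRV 0 100 389 srv-dc01.mydomain.local.'
DIG_AD_SERVFAIL='; <<>> DiG 9.16 <<>> SRV _ldap._tcp.mydomain.local
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244'

# verify_pair IPA_ANSWER AD_ANSWER: both records must resolve before running `ipa trust-add`.
verify_pair() {
  _rc=0
  srv_targets linuxlab.local "$1" || _rc=1
  srv_targets mydomain.local "$2" || _rc=1
  return $_rc
}

verify_pair "$DIG_IPA_OK" "$DIG_AD_OK" && echo "DNS prerequisites OK"
verify_pair "$DIG_IPA_OK" "$DIG_AD_SERVFAIL" || echo "DNS prerequisites NOT met"
```

To use it live, replace the sample variables with `$(dig SRV _ldap._tcp.linuxlab.local)` and `$(dig SRV _ldap._tcp.mydomain.local)`.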
Add Trust with AD Domain:
On Active Directory I created a service user named "svc-ipa-trust". This user has to be in Domain Admins group.
Then on IPA Server, I created one-way trust with the following command.
ipa trust-add --type=ad mydomain.local --admin svc-ipa-trust --password
At this point;
- FreeIPA trusts the AD domain
- AD users can be authenticated on machines in the FreeIPA realm
- DNS, Kerberos, SID and NetBIOS work properly
Testing:
On IPA Server run the following.
id <aduser>@mydomain.local
getent passwd <aduser>@mydomain.local
I can also try SSH access to the IPA server with an AD user:
ssh <aduser>@mydomain.local@ipa.linuxlab.local
We established SSH access with no problems, but the home directory is not created automatically. On Rocky Linux we can run the following commands to create the home directory automatically once a new user logs on.
authselect enable-feature with-mkhomedir
#make sure module is installed
rpm -q oddjob oddjob-mkhomedir
#make sure service is running
systemctl enable --now oddjobd
#restart sssd service
systemctl restart sssd
If we try to log on again, we can see that home directory is created now.
You can manage the IPA server from https://<ipaserver>/ipa/ui
JOIN A LINUX MACHINE TO IPA DOMAIN:
We did the previous test on our FreeIPA server, but Linux hosts need the IPA client to join our domain. Let's join a newly created Rocky Linux machine to our domain.
Change the host name first, install the FreeIPA client and check the IP configuration:
hostnamectl set-hostname rockyclient.linuxlab.local
dnf install freeipa-client
nmcli
Change the DNS server to the FreeIPA address (c = connection, m = modify, u = up):
nmcli c m "ens160" ipv4.dns 192.168.1.201
nmcli c u "ens160"
nmcli
The nmcli command should now show that the DNS IP address has changed to 192.168.1.201.
We should be able to ping the FreeIPA server by its DNS name.
We should also be able to ping internet addresses from this Rocky Linux client machine.
The command below joins our machine to the linuxlab.local domain.
ipa-client-install --enable-dns-updates --mkhomedir
On FreeIPA server I am going to create a user on linuxlab.local
ipa user-add <username> --password --homedir=/home/<username> --shell=/bin/bash
SSH access test using a linuxlab.local domain user:
ssh <username>@<rockyclient IP>
SSH access using a mydomain.local domain user:
ssh <aduser>@mydomain.local@192.168.1.127
I tried to cover as much as possible which is crucial to this subject. Thanks for reading.