FreeIPA
Draft version. Content is hallucinated. Do not use!
integration

Active Directory Trusts

Manage trust relationships with Active Directory domains for cross-realm authentication and user federation. Trusts enable Active Directory users to access IPA resources using their existing credentials. Features include trust establishment with AD administrator credentials, trust type selection (AD, IPA), bidirectional and one-way trust support, SID mapping, external group membership for AD user mapping to POSIX groups, and DNS integration for service discovery.

12 commands
integration
ad trust federation windows

Overview

Active Directory trusts enable seamless integration between FreeIPA and Microsoft Active Directory domains, allowing AD users to authenticate to IPA-managed systems using their existing Windows credentials. Trust relationships establish cross-realm Kerberos authentication where AD users can access IPA resources without requiring duplicate accounts, while maintaining separate identity management in each domain.

IPA supports trusts with Active Directory domains running Windows Server 2008 or later with domain functional level 2008+. Trust establishment creates Kerberos cross-realm principals, configures ID mapping for converting Windows SIDs to POSIX UIDs/GIDs, and enables SSSD on IPA clients to resolve AD users and groups. AD users gain access to Linux resources while IT maintains a single source of truth for Windows identities in Active Directory.

Trust relationships can be one-way (AD users access IPA resources only) or two-way (bidirectional access), and can be forest-level (transitive across all domains in AD forest) or external (limited to specific domain). Trust establishment requires AD Domain Administrator credentials and proper DNS configuration enabling service discovery between domains. Once established, HBAC and sudo rules can reference AD users and groups, enabling policy-based access control for federated identities.

Prerequisites and Requirements

DNS Configuration: Both IPA and AD domains must have properly configured DNS with SRV records enabling service discovery. IPA DNS servers must be able to resolve AD domain controllers, and AD DNS must resolve IPA servers. Conditional forwarders or bidirectional DNS trust simplifies this requirement.

Kerberos Realm Configuration: Kerberos realms must be properly configured on both sides. IPA’s realm should match its DNS domain (uppercased), and AD’s realm similarly matches its domain. Realm trust principals enable cross-realm authentication.

Windows Server Version: Active Directory must run Windows Server 2008 or later with domain functional level 2008+. Older versions lack necessary trust protocols and Kerberos extensions for IPA integration.

ipa-adtrust-install: The IPA server must have AD trust support installed via ipa-adtrust-install. This configures Samba integration, creates the local SID/NetBIOS name, and prepares the domain for trust establishment.

Administrator Credentials: Trust establishment requires Active Directory Domain Administrator credentials to create the trust relationship from the AD side. The IPA admin performs configuration on the IPA side.

Firewall Configuration: Required ports (Kerberos 88, LDAP 389/636, Samba 139/445, etc.) must be open between IPA servers and AD domain controllers.

Trust Types and Directionality

One-Way Trusts (default): AD users can access IPA resources, but IPA users cannot access AD resources. This asymmetric trust suits scenarios where Linux/UNIX infrastructure needs AD user integration but Windows systems don’t need IPA user access.

Two-Way Trusts (--two-way): Bidirectional trust allowing both AD users to access IPA resources and IPA users to access AD resources. This comprehensive integration enables full cross-domain access in both directions.

Forest Trusts (default for AD forests): Transitive trust across all domains in the AD forest. When trust is established with the forest root domain, users from any domain in the forest can authenticate to IPA (subject to transitivity rules).

External Trusts (--external): Non-transitive trust limited to the specific AD domain. Users from child domains in the AD forest cannot access IPA resources. External trusts suit scenarios requiring strict control over which AD domains have access.

SID Mapping and ID Ranges

Security Identifier (SID) mapping converts Windows SIDs to POSIX UIDs and GIDs required for UNIX/Linux file permissions and process ownership. IPA allocates an ID range for each trusted domain, algorithmically deriving UID/GID from SID components.

ID ranges are configured during trust establishment using --base-id (starting ID) and --range-size (number of IDs). If not specified, IPA automatically allocates ranges. Range type (--range-type) determines the SID-to-UID mapping algorithm: ipa-ad-trust (default, algorithmic), ipa-ad-trust-posix (use existing POSIX attributes from AD).

SID-to-UID mapping is deterministic and consistent across all IPA clients, ensuring AD users receive the same UID regardless of which IPA client they authenticate to. This consistency is critical for NFS, file sharing, and process ownership.

External Group Mapping

AD users cannot directly join POSIX groups in IPA. Instead, external group mapping creates a two-tier structure: external non-POSIX groups contain AD SIDs, and POSIX groups contain external groups as members. When AD users authenticate, SSSD resolves their SID membership in external groups and grants effective POSIX group membership.

The mapping process:

  1. Create external non-POSIX group (group-add --external)
  2. Add AD users/groups by SID to external group (group-add-member --external)
  3. Create POSIX group for actual authorization
  4. Add external group to POSIX group as member

This indirection enables AD group membership to grant POSIX group privileges, allowing HBAC rules, sudo rules, and file permissions to reference POSIX groups that include AD users through external mapping.

DNS Integration

Trust establishment and operation depend heavily on DNS service discovery. AD clients locate domain controllers via DNS SRV records (_ldap._tcp, _kerberos._tcp, etc.). IPA clients similarly use DNS to locate IPA servers and AD domain controllers for cross-realm authentication.

Proper DNS configuration is the most common trust establishment pain point. Verify:

  • IPA can resolve AD SRV records: dig -t SRV _ldap._tcp.dc._msdcs.ad.domain.com
  • AD can resolve IPA SRV records: dig -t SRV _kerberos._tcp.ipa.domain.com
  • Conditional forwarders or stub zones correctly route queries

DNS misconfigurations cause cryptic errors during trust establishment and authentication. Always validate DNS before troubleshooting more complex trust issues.

Best Practices

Test in non-production first: Establish test trusts in lab environments before production deployment. Trust configuration errors can be difficult to undo cleanly.

Use one-way trusts when possible: Bidirectional trusts expand attack surface. If IPA users don’t need AD resource access, use default one-way trusts.

Plan ID range allocation carefully: Ensure ID ranges don’t overlap with existing local IDs or other trust ranges. Ranges cannot be easily changed after trust establishment.

Document external group mappings: Maintain clear records of which AD groups map to which POSIX groups. This mapping becomes complex in large environments.

Monitor trust health: Regularly verify trust status, password synchronization, and cross-realm authentication functionality.

Coordinate with AD administrators: Trust establishment impacts both domains. Work closely with AD team to schedule changes and troubleshoot issues.

Configure conditional forwarders: Rather than complex DNS delegation, use conditional forwarders in AD DNS forwarding IPA domain queries to IPA DNS servers, and vice versa.

Limit AD group usage in HBAC/sudo: Prefer IPA groups in policies when possible. AD group resolution adds latency and depends on trust availability.

Test fail-over scenarios: Verify behavior when AD domain controllers are unreachable. SSSD caching should enable continued operation, but test to confirm.

Plan for trust migration: If migrating users from AD to IPA, plan for gradual transition. Trusts enable coexistence during migration periods.

Integration with Other IPA Components

ID Ranges (idrange-*): Each trust requires an ID range allocating UID/GID space for SID mapping. Range management is critical for trust operation.

External Groups (group-*): External group membership enables AD users to gain POSIX group membership for authorization contexts.

HBAC Rules (hbacrule-*): HBAC rules can target external groups containing AD users, enabling access control for federated identities.

Sudo Rules (sudorule-*): Sudo rules can reference external groups, granting sudo privileges to AD users.

SSSD: SSSD on IPA clients handles AD user resolution, SID-to-UID mapping, and cross-realm authentication.

Global Trust Configuration (trustconfig-*): Global settings control fallback primary groups and trust-wide parameters.

Examples

  1. Establish cross-realm trust with Active Directory using AD administrator credentials:
ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator>            --password
  1. List all existing trust relationships:
ipa trust-find
  1. Show details of the specific trust relationship:
ipa trust-show <ad.domain>
  1. Delete existing trust relationship:
ipa trust-del <ad.domain>

Once trust relationship is established, remote users will need to be mapped to local POSIX groups in order to actually use IPA resources. The mapping should be done via use of external membership of non-POSIX group and then this group should be included into one of local POSIX groups.

Example

1. Create group for the trusted domain admins’ mapping and their local POSIX group:

ipa group-add --desc='<ad.domain> admins external map'            ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
  1. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external group:
ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
  1. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
  1. List members of external members of ad_admins_external group to see their SIDs:
ipa group-show ad_admins_external

GLOBAL TRUST CONFIGURATION

When IPA AD trust subpackage is installed and ipa-adtrust-install is run, a local domain configuration (SID, GUID, NetBIOS name) is generated. These identifiers are then used when communicating with a trusted domain of the particular type.

  1. Show global trust configuration for Active Directory type of trusts:
ipa trustconfig-show --type ad
  1. Modify global configuration for all trusts of Active Directory type and set a different fallback primary group (fallback primary group GID is used as a primary user GID if user authenticating to IPA domain does not have any other primary GID already set):
ipa trustconfig-mod --type ad --fallback-primary-group "another AD group"
  1. Change primary fallback group back to default hidden group (any group with posixGroup object class is allowed):
ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"

Commands

Command Description

trust-add Add new trust to use.

trust-del Delete a trust.

trust-fetch-domains Refresh list of the domains associated with the trust

trust-find Search for trusts.

trust-mod Modify a trust (for future use).

trust-show Display information about a trust.

trustconfig-mod Modify global trust configuration.

trustconfig-show Show global trust configuration.

trustdomain-del Remove information about the domain associated with the trust.

trustdomain-disable Disable use of IPA resources by the domain of the trust

trustdomain-enable Allow use of IPA resources by the domain of the trust

trustdomain-find Search domains of the trust

trust-add

Usage: ipa [global-options] trust-add REALM [options]

Add new trust to use.

This command establishes trust relationship to another domain which becomes ‘trusted’. As result, users of the trusted domain may access resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can be safely run multiple times against the same domain, this will cause change to trust relationship credentials on both sides.

Note that if the command was previously run with a specific range type, or with automatic detection of the range type, and you want to configure a different range type, you may need to delete first the ID range using ipa idrange-del before retrying the command with the desired range type.

Arguments

Argument Required Description

REALM yes Realm name

Options

Option Description

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--type TYPE Trust type (ad for Active Directory, default)

--admin ADMIN Active Directory domain administrator

--password PASSWORD Active Directory domain administrator’s password

--server SERVER Domain controller for the Active Directory domain (optional)

--trust-secret TRUST-SECRET Shared secret for the trust

--base-id BASE-ID First Posix ID of the range reserved for the trusted domain

--range-size RANGE-SIZE Size of the ID range reserved for the trusted domain

--range-type RANGE-TYPE Type of trusted domain ID range, one of allowed values

--two-way TWO-WAY Establish bi-directional trust. By default trust is inbound one-way only.

--external EXTERNAL Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trust-del

Usage: ipa [global-options] trust-del REALM [options]

Delete a trust.

Arguments

Argument Required Description

REALM yes Realm name

Options

Option Description

--continue Continuous mode: Don’t stop on errors.

trust-fetch-domains

Usage: ipa [global-options] trust-fetch-domains REALM [options]

Refresh list of the domains associated with the trust

Arguments

Argument Required Description

REALM yes Realm name

Options

Option Description

--rights Display the access rights of this entry (requires —all). See ipa man page for details.

--admin ADMIN Active Directory domain administrator

--password PASSWORD Active Directory domain administrator’s password

--server SERVER Domain controller for the Active Directory domain (optional)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trust-find

Usage: ipa [global-options] trust-find [CRITERIA] [options]

Search for trusts.

Arguments

Argument Required Description

CRITERIA no A string searched in all relevant object attributes

Options

Option Description

--realm REALM Realm name

--flat-name FLAT-NAME Domain NetBIOS name

--sid SID Domain Security Identifier

--sid-blacklist-incoming SID-BLACKLIST-INCOMING SID blocklist incoming

--sid-blacklist-outgoing SID-BLACKLIST-OUTGOING SID blocklist outgoing

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“realm”)

trust-mod

Usage: ipa [global-options] trust-mod REALM [options]

Modify a trust (for future use).

Currently only the default option to modify the LDAP attributes is
available. More specific options will be added in coming releases.

Arguments

Argument Required Description

REALM yes Realm name

Options

Option Description

--sid-blacklist-incoming SID-BLACKLIST-INCOMING SID blocklist incoming

--sid-blacklist-outgoing SID-BLACKLIST-OUTGOING SID blocklist outgoing

--upn-suffixes UPN-SUFFIXES UPN suffixes

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires —all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trust-show

Usage: ipa [global-options] trust-show REALM [options]

Display information about a trust.

Arguments

Argument Required Description

REALM yes Realm name

Options

Option Description

--rights Display the access rights of this entry (requires —all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trustconfig-mod

Usage: ipa [global-options] trustconfig-mod [options]

Modify global trust configuration.

Options

Option Description

--fallback-primary-group FALLBACK-PRIMARY-GROUP Fallback primary group

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires —all). See ipa man page for details.

--type TYPE Trust type (ad for Active Directory, default)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trustconfig-show

Usage: ipa [global-options] trustconfig-show [options]

Show global trust configuration.

Options

Option Description

--rights Display the access rights of this entry (requires —all). See ipa man page for details.

--type TYPE Trust type (ad for Active Directory, default)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

trustdomain-del

Usage: ipa [global-options] trustdomain-del TRUST DOMAIN [options]

Remove information about the domain associated with the trust.

Arguments

Argument Required Description

TRUST yes Realm name

DOMAIN yes Domain name

Options

Option Description

--continue Continuous mode: Don’t stop on errors.

trustdomain-disable

Usage: ipa [global-options] trustdomain-disable TRUST DOMAIN [options]

Disable use of IPA resources by the domain of the trust

Arguments

Argument Required Description

TRUST yes Realm name

DOMAIN yes Domain name

trustdomain-enable

Usage: ipa [global-options] trustdomain-enable TRUST DOMAIN [options]

Allow use of IPA resources by the domain of the trust

Arguments

Argument Required Description

TRUST yes Realm name

DOMAIN yes Domain name

trustdomain-find

Usage: ipa [global-options] trustdomain-find TRUST [CRITERIA] [options]

Search domains of the trust

Arguments

Argument Required Description

TRUST yes Realm name

CRITERIA no A string searched in all relevant object attributes

Options

Option Description

--domain DOMAIN Domain name

--flat-name FLAT-NAME Domain NetBIOS name

--sid SID Domain Security Identifier

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“domain”)

Related Topics

idrange idp