Integrating FreeIPA with Active Directory
A comprehensive guide to establishing trust relationships between FreeIPA and Microsoft Active Directory
Prerequisites
- Existing FreeIPA installation with DNS configured
- Active Directory domain with administrative access
- Network connectivity between FreeIPA and AD servers
- Time synchronization configured (NTP/chrony)
- Understanding of Kerberos and LDAP fundamentals
Introduction
Many organizations operate hybrid environments with both Linux and Windows systems. FreeIPA’s Active Directory trust feature enables seamless integration between FreeIPA realms and Active Directory domains, allowing users to authenticate to Linux systems using their existing AD credentials.
Understanding Trust Relationships
What is a Trust?
A trust relationship allows users from one domain (or realm) to access resources in another without maintaining separate accounts. FreeIPA trusts leverage Kerberos cross-realm authentication and LDAP integration.
Types of Trusts
FreeIPA supports several trust configurations:
- One-Way Trust: AD users access FreeIPA resources
- Two-Way Trust: Bidirectional resource access (less common)
- Forest-Level Trust: Trust entire AD forest
- Domain-Level Trust: Trust specific AD domain
Most deployments use one-way, forest-level trusts where AD users access Linux resources managed by FreeIPA.
Prerequisites
Network Requirements
Ensure proper network connectivity:
# DNS resolution must work both ways
dig +short ipa.linux.example.com
dig +short dc.windows.example.com
# Required ports open between FreeIPA and AD:
# TCP 135, 139, 389, 445, 464, 636 (LDAPS)
# TCP 49152-65535 (Dynamic RPC)
# UDP 138, 389, 464
# TCP/UDP 53 (DNS), 88 (Kerberos), 123 (NTP)
DNS Configuration
Critical for trust success:
- Forward DNS Zones: Create SRV records for both realms
- Reverse DNS: Configure PTR records
- DNS Forwarders: Each side must resolve the other’s names
# On FreeIPA, add AD DNS as forwarder
ipa dnsforwardzone-add windows.example.com \
--forwarder=192.168.1.10 \
--forward-policy=only
# Verify resolution
dig +short _ldap._tcp.windows.example.com SRV
dig +short _kerberos._tcp.WINDOWS.EXAMPLE.COM SRV
Time Synchronization
Kerberos requires synchronized clocks (within 5 minutes):
# Install and configure chrony/ntp
dnf install chrony
systemctl enable --now chronyd
# Verify time sync
chronyc sources
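A small pre-trust check covering the DNS and clock requirements above, added here as an example and not part of the original guide. It assumes `dig` and `chronyc` are installed, uses the domain names from this guide, and keeps the parsing in two functions (`srv_ok`, `skew_ok`) so they can be exercised on captured output without network access:

```shell
#!/bin/bash
# Pre-trust checks for the DNS and time requirements above (added example).
# Assumed names: the IPA and AD domains used throughout this guide.
AD_DOMAIN="${AD_DOMAIN:-windows.example.com}"
IPA_DOMAIN="${IPA_DOMAIN:-linux.example.com}"
MAX_SKEW=300   # Kerberos tolerates at most 5 minutes of clock skew

# srv_ok OUTPUT: returns 0 when `dig +short NAME SRV` output contains at
# least one SRV answer ("priority weight port target").
srv_ok() {
  printf '%s\n' "$1" | awk 'NF == 4 && $3 ~ /^[0-9]+$/ { found = 1 }
                            END { exit !found }'
}

# skew_ok OUTPUT: parses the "System time" line of `chronyc tracking` and
# returns 0 when the absolute offset from NTP is below MAX_SKEW seconds.
skew_ok() {
  printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
    /^System time/ { off = $4; if (off < 0) off = -off; if (off < max) ok = 1 }
    END { exit !ok }'
}

# run_checks: queries the live environment and reports each requirement.
run_checks() {
  status=0
  for rec in "_ldap._tcp.$AD_DOMAIN" "_kerberos._tcp.$AD_DOMAIN" \
             "_ldap._tcp.$IPA_DOMAIN" "_kerberos._tcp.$IPA_DOMAIN"; do
    if srv_ok "$(dig +short "$rec" SRV)"; then
      echo "ok   SRV $rec"
    else
      echo "FAIL SRV $rec: no answer, fix DNS forwarding before trust-add"
      status=1
    fi
  done
  if skew_ok "$(chronyc tracking 2>/dev/null)"; then
    echo "ok   clock offset within ${MAX_SKEW}s of NTP"
  else
    echo "FAIL clock offset unknown or above ${MAX_SKEW}s: Kerberos will fail"
    status=1
  fi
  return $status
}

# Live checks run only when invoked as `preflight.sh run`.
if [ "${1:-}" = "run" ]; then run_checks; fi
```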
FreeIPA Preparation
Install required packages:
# Install trust packages
dnf install ipa-server-trust-ad samba-client
# Run trust installer
ipa-adtrust-install
The installer will:
- Configure Samba
- Create trust agents
- Set up CIFS services
- Configure DNS SRV records
Establishing the Trust
Using the Web UI
- Navigate to IPA Server → Trusts
- Click Add to create new trust
- Enter AD domain name (e.g., windows.example.com)
- Select trust type (usually Forest trust)
- Enter AD administrator credentials
- Click Add
Using the CLI
# Create trust with AD
ipa trust-add windows.example.com \
--type=ad \
--admin=Administrator \
--password
# Verify trust
ipa trust-show windows.example.com
# Check trust status
ipa trustdomain-find windows.example.com
Troubleshooting Trust Creation
Common issues and solutions:
# DNS resolution problems
# Verify SRV records
dig +short _ldap._tcp.dc._msdcs.windows.example.com SRV
# Verify AD reachability
smbclient -L dc.windows.example.com -U Administrator
# Test Kerberos authentication to AD
kinit Administrator@WINDOWS.EXAMPLE.COM
klist
# Check trust connectivity
ipa trust-fetch-domains windows.example.com
User and Group Mapping
ID Ranges
FreeIPA automatically manages ID ranges for AD users:
# View ID ranges
ipa idrange-find
# AD users get UIDs/GIDs from the AD domain range
# Format: {SID} → {UID/GID}
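The local and AD ranges must not overlap: if they do, an AD SID and a local IPA user can map to the same UID. The following checker, added here as an example and not part of the original guide, parses `ipa idrange-find` output and reports every overlapping pair; the embedded sample is constructed, with a third range deliberately placed inside the local one:

```shell
#!/bin/bash
# Detect overlapping ID ranges in `ipa idrange-find` output (added example).

# overlapping_ranges OUTPUT: prints "RANGE_A RANGE_B" for each overlapping
# pair and returns 1 if any overlap exists, 0 otherwise.
overlapping_ranges() {
  printf '%s\n' "$1" | awk -F': *' '
    /Range name:/                  { n++; name[n] = $2 }
    /First Posix ID of the range:/ { first[n] = $2 + 0 }
    /Number of IDs in the range:/  { count[n] = $2 + 0 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
        # Two closed intervals overlap when each starts no later than the
        # other ends.
        a_hi = first[i] + count[i] - 1; b_hi = first[j] + count[j] - 1
        if (first[i] <= b_hi && first[j] <= a_hi) {
          print name[i] " " name[j]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample in the format of `ipa idrange-find`; the third range is
# deliberately misconfigured so that it collides with the local range.
SAMPLE_IDRANGES='  Range name: LINUX.EXAMPLE.COM_id_range
  First Posix ID of the range: 1414400000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: WINDOWS.EXAMPLE.COM_id_range
  First Posix ID of the range: 1610600000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range

  Range name: WINDOWS.EXAMPLE.COM_override_range
  First Posix ID of the range: 1414500000
  Number of IDs in the range: 100000
  Range type: Active Directory domain range'

# Check the live server with `idrange-check.sh run`; otherwise use the sample.
if [ "${1:-}" = "run" ]; then input=$(ipa idrange-find); else input=$SAMPLE_IDRANGES; fi
if overlapping_ranges "$input"; then echo "no overlapping ID ranges"; fi
```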
Group Mapping
Map AD groups to FreeIPA groups:
# Create external group
ipa group-add --external windows_admins_external
# Add AD group to external group
ipa group-add-member windows_admins_external \
--external='WINDOWS\Domain Admins'
# Create POSIX group
ipa group-add windows_admins --desc="AD Domain Admins"
# Link external group to POSIX group
ipa group-add-member windows_admins \
--groups=windows_admins_external
# Verify membership
ipa group-show windows_admins --all
User Override
Customize AD user attributes:
# Create ID override for AD user
ipa idoverrideuser-add 'Default Trust View' \
'administrator@windows.example.com' \
--homedir=/home/administrator \
--shell=/bin/bash \
--uid=900000000
# Show override
ipa idoverrideuser-show 'Default Trust View' \
'administrator@windows.example.com'
Access Control for AD Users
HBAC Rules
Control which AD users access which hosts:
# Create HBAC rule for AD users
ipa hbacrule-add ad_users_ssh \
--desc="Allow AD users SSH access to dev servers"
# Add AD group
ipa hbacrule-add-user ad_users_ssh \
--groups=windows_admins
# Add target hosts
ipa hbacrule-add-host ad_users_ssh \
--hostgroups=dev_servers
# Add services
ipa hbacrule-add-service ad_users_ssh \
--hbacsvcs=sshd
# Test access
ipa hbactest --user='administrator@windows.example.com' \
--host=dev01.linux.example.com \
--service=sshd
Sudo Rules
Grant sudo access to AD users:
# Create sudo rule
ipa sudorule-add ad_admin_sudo \
--desc="Sudo access for AD admins"
# Add AD group
ipa sudorule-add-user ad_admin_sudo \
--groups=windows_admins
# Add hosts
ipa sudorule-add-host ad_admin_sudo \
--hostgroups=all_servers
# Allow all commands (command category "all"; FreeIPA has no predefined "ALL" sudo command object)
ipa sudorule-mod ad_admin_sudo --cmdcat=all
# Allow running commands as any user, including root
ipa sudorule-mod ad_admin_sudo --runasusercat=all
Client Configuration
SSSD Setup
Configure Linux clients to trust AD users:
# Client enrollment
ipa-client-install \
--domain=linux.example.com \
--realm=LINUX.EXAMPLE.COM \
--server=ipa.linux.example.com \
--mkhomedir
# SSSD automatically configures trust support
# Verify configuration
sssctl domain-status linux.example.com
# Test AD user resolution
id administrator@windows.example.com
getent passwd administrator@windows.example.com
SSH Configuration
Enable SSH for AD users:
# /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
UsePAM yes
# Restart SSH
systemctl restart sshd
# Test login
ssh administrator@windows.example.com@linux-client.linux.example.com
Advanced Configuration
Multiple Domain Trust
Trust multiple AD domains:
# Add second domain trust
ipa trust-add second.windows.example.com \
--type=ad \
--admin=Administrator \
--password
# List all trusts
ipa trust-find
Selective Authentication
Restrict which AD users can authenticate:
# Create restricted HBAC rule
ipa hbacrule-add ad_restricted \
--desc="Only specific AD users"
# Add specific users (not entire groups)
ipa hbacrule-add-user ad_restricted \
--users='jsmith@windows.example.com' \
--users='ajones@windows.example.com'
Forest Trust with Realm Routing
For complex AD forest topologies:
# Configure realm routing
ipa realmdomains-mod \
--add-domain=subdomain.windows.example.com
# Verify routing
ipa realmdomains-show
Monitoring and Maintenance
Trust Health Checks
Regular trust validation:
# Verify trust status
ipa trust-show windows.example.com
# Fetch latest domain information
ipa trust-fetch-domains windows.example.com
# Test AD user authentication
kinit administrator@WINDOWS.EXAMPLE.COM
Log Monitoring
Monitor trust-related logs:
# SSSD logs
tail -f /var/log/sssd/sssd_linux.example.com.log
# Samba logs
tail -f /var/log/samba/log.smbd
# System logs
journalctl -u sssd -f
journalctl -u winbind -f
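To turn the log tailing above into a check, here is an added example (not from the original guide) that summarises sshd journal entries for users of the trusted AD domain and flags accounts with more failed than accepted logins. The log lines are constructed samples in the standard sshd message format, the domain is the one used in this guide, and the function name `ad_login_summary` is mine:

```shell
#!/bin/bash
# Summarise SSH logins by trusted-domain (AD) users from sshd log lines
# (added example). AD users are recognised by their realm suffix, which
# local IPA users do not carry.
AD_DOMAIN="${AD_DOMAIN:-windows.example.com}"

# ad_login_summary LINES: prints one sorted line per AD user in the form
# "ok|ALERT user accepted failed"; ALERT marks more failed than accepted.
ad_login_summary() {
  printf '%s\n' "$1" | awk -v dom="@$AD_DOMAIN" '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
      user = ""
      for (i = 1; i <= NF; i++) if ($i == "for") {
        # "Failed ... for invalid user NAME" vs "Accepted ... for NAME"
        user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); break
      }
      if (index(tolower(user), dom) == 0) next   # local account, skip
      if ($0 ~ /: Accepted /) ok[user]++; else bad[user]++
      seen[user] = 1
    }
    END {
      for (u in seen)
        printf "%s %s %d %d\n", (bad[u] > ok[u] ? "ALERT" : "ok"), u, ok[u], bad[u]
    }' | LC_ALL=C sort
}

# Constructed sample lines (journalctl -u sshd style); admin is a local user.
SAMPLE_SSHD_LOG='Jan 15 10:00:01 dev01 sshd[1234]: Accepted gssapi-with-mic for administrator@windows.example.com from 10.0.0.5 port 51234 ssh2
Jan 15 10:00:09 dev01 sshd[1240]: Failed gssapi-with-mic for jsmith@windows.example.com from 10.0.0.7 port 51300 ssh2
Jan 15 10:00:15 dev01 sshd[1241]: Failed password for jsmith@windows.example.com from 10.0.0.7 port 51301 ssh2
Jan 15 10:01:02 dev01 sshd[1250]: Accepted publickey for admin from 10.0.0.2 port 40000 ssh2
Jan 15 10:02:00 dev01 sshd[1260]: Failed password for invalid user ghost@windows.example.com from 10.0.0.9 port 52000 ssh2'

# Run on the live journal with `ad-logins.sh run`; otherwise use the sample.
if [ "${1:-}" = "run" ]; then input=$(journalctl -u sshd --no-pager); else input=$SAMPLE_SSHD_LOG; fi
ad_login_summary "$input"
```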
Performance Tuning
Optimize trust performance:
# SSSD cache timeout (seconds)
# /etc/sssd/sssd.conf
[domain/linux.example.com]
entry_cache_timeout = 1200
ldap_purge_cache_timeout = 0
# Restart SSSD
systemctl restart sssd
Common Issues and Solutions
"Realm not found" Errors
# Verify DNS SRV records
dig _kerberos._tcp.WINDOWS.EXAMPLE.COM SRV
# Test AD connectivity
smbclient -L dc.windows.example.com -U Administrator
User ID Resolution Failures
# Clear SSSD cache
sssctl cache-expire -E
# Force ID mapping refresh
ipa trust-fetch-domains windows.example.com
Trust Authentication Failures
# Verify Kerberos tickets
kinit administrator@WINDOWS.EXAMPLE.COM
klist
# Check time synchronization
timedatectl status
# Verify keytab
klist -k /etc/krb5.keytab
Security Considerations
Least Privilege
- Map only necessary AD groups
- Use HBAC to restrict access
- Regular audit of AD user access
- Monitor authentication logs
Credential Management
- Don’t store AD admin passwords
- Use service accounts for trust creation
- Rotate trust credentials periodically
- Enable AD admin MFA
Network Security
- Encrypt cross-realm traffic
- Use VPNs for trust traffic when possible
- Firewall rules limiting trust-related ports
- Network monitoring for anomalies
Migration Strategies
Gradual Migration
Phased approach to AD trust:
- Pilot Phase: Trust with test AD domain
- Limited Rollout: Select departments/servers
- Monitoring: Verify functionality and performance
- Full Deployment: Production-wide trust
- Optimization: Fine-tune based on usage patterns
Hybrid Identity Model
Maintain both FreeIPA and AD users:
- Critical infrastructure users in FreeIPA
- End users authenticated via AD trust
- Service accounts in FreeIPA
- Admin accounts in both (with different permissions)
Best Practices
- DNS First: Ensure perfect DNS resolution before trust
- Time Sync: Maintain strict time synchronization
- Testing: Test in lab before production
- Documentation: Document trust configuration
- Monitoring: Continuous trust health monitoring
- Updates: Keep FreeIPA and AD updated
- Backups: Backup before trust modifications
- Security: Apply least privilege principles
Use Cases
Cross-Platform SSO
Users authenticate with AD credentials to access Linux resources seamlessly.
Unified Identity Management
Central management of all identities while leveraging existing AD infrastructure.
Cloud Migration
Bridge on-premises AD with cloud Linux infrastructure.
DevOps Automation
AD-authenticated access to CI/CD systems running on Linux.
Conclusion
FreeIPA and Active Directory integration provides the best of both worlds: enterprise-grade Windows identity management combined with robust Linux authentication and authorization. Proper planning, configuration, and monitoring ensure a secure, performant hybrid identity solution.
Resources
Need help with your trust setup? Reach out to the FreeIPA community!