4

I want to deploy FreeIPA or Red Hat IdM in my existing environment

Currently my domain is managed by MS AD which is controlled by a separate group. Assume that changing anything in MS AD is going to be difficult or impossible for political reasons.

For Linux I recently configured systems to use Kerberos password authentication provided directly by MS AD, using SSSD on Enterprise Linux. Identity information is still provided on the local system.

My biggest hangup right now is figuring out how to propose the new domain name space.

Can I use a sub-domain of our MS AD domain and delegate control of it to FreeIPA?

I think it may be desirable to have the Kerberos configurations point directly at MS AD, it is already extremely resilient, why not take advantage of existing infrastructure? But will this me more trouble than it is worth? I am unsure of how things will integrate.

Take this into consideration:

Our host naming standard is something like this "app-id-dev/prd.domain.com". So for example: “server01dev.domain.com”

By policy we do not duplicate server id between dev/prd environments so I was thinking a nifty way to use sub-domains would be to convert the previous example to “server01.dev.domain.com”. A nice feature of this would be that when specifying the short name of a host we wouldn't need to specify dev/prd anymore if our domain search order is set up properly on the client.

Perceived Advantage: This would allow me to become the CA for those sub-domains. That should simplify anything certificate related down the road.

Perceived Disadvantage: What would that mean for authentication? I still want users to authenticate using a user name which already exists on the original domain. Example: user0321@DOMAIN.COM not user0321@DEV.DOMAIN.COM

Another doubt I have is whether there is any point in using MS AD Kerberos directly, because if Identity information is not available from the FreeIPA LDAP, it will still prevent the user from logging in properly unless they have a local identity on the client system.

If that is a real problem, it makes me wonder if it is possible to synchronize the FreeIPA LDAP information with AD, but then I think users would have to be created in the sub-domain.

Or, should I throw away any notion of using MS AD directly for resiliency and accept that I need to create a resilient FreeIPA/RH IdM environment?

xdfil
  • 491
  • 2
  • 7
  • 15
  • This may help you https://www.linuxsysadmins.com/setup-a-linux-server-as-idm-client-to-authenticate-with-active-directory/ – Babin Lonston Jun 26 '19 at 08:24

1 Answers1

3

Firstly, I will use FreeIPA and Red Hat Enterprise IdM interchangeably. If this causes discomfort, let me suggest a drink.

FreeIPA should be a separate Kerberos realm from Active Directory, and should use a separate DNS zone corresponding to the Krb5 realm. If your AD Domain uses the DNS zone "domain.com" with child zones "dev" and "prd", you would want to create a new DNS zone called something like "idm.domain.com", and any sub-realms under it. You would want to create a Krb5 realm called "IDM.DOMAIN.COM", with all UPNs as USER@IDM.DOMAIN.COM and all SPNs as HOST/SERVER123.IDM.DOMAIN.COM or the like (perhaps WWW/SERVER123.PRD.IDM.DOMAIN.COM).

You can use the same DNS zone as AD, but it is a REALLY bad idea. Not only do you lose service discovery using DNS, you have to do manual mappings, and will likely have hard-to-troubleshoot problems of clients attempting to pass a Krb token that is inappropriate to the servers in the IdM realm

You will need to work with the AD team at least briefly to have them setup a cross-realm trust. They may want it to be a one-way trust, where AD is the Trusted domain and FreeIPA is the Trusting domain. In most cases, this should not be a problem.

At this time, the version of FreeIPA that ships with RHEL 7 does not support establishing trust with the forest-apex AD domain and traversing downward to child domains for authentication. I am told in RHEL 7u1, this will be remedied, as transitive trust support will be added to FreeIPA, but I am not holding my breath until I see the feature-list a day after code-freeze. As a work-around, you should be able to setup the trust to the child domain where user principals are genned.

I am working on a similar effort. Good luck, let us know how this works out. I am lucky enough to have the AD team as an element on my team (and they sit right across from me). We roll up to the same leader at the team level (squad-sized unit) and we have a lot of support from our division leader, who wants to see this integration succeed.

DTK
  • 1,718
  • 10
  • 15
  • 1
    https://fedorahosted.org/freeipa/ticket/3510 – Michael Hampton Dec 17 '14 at 13:29
  • @MichaelHampton glad to see if has been solved in the upstream project. I'm hoping it will be in the version shipped with RHEL 7u1. – DTK Dec 17 '14 at 14:58
  • Just one note - ticket #3510 was fixed in FreeIPA 3.3.x which was part of RHEL-7.0. So it was supported to create an AD Trust with forest root domain, FreeIPA then loaded all subdomains (or could be loaded with trust-fetch-domains command). – Martin Kosek Dec 18 '14 at 07:54
  • 1
    You *cannot* use the same DNS zone as AD with FreeIPA cross-forest trust. Establishing trust will be denied by AD due to conflict of name routing suffixes. Your FreeIPA DNS domains must not be in conflict with any DNS domain controlled by your AD forest. This is basic requirement for trust relationship on Active Directory side when Kerberos is in use. FreeIPA cross-forest trust to AD always requires to establish trust relationship to the forest root domain of your AD forest. This is, again, a requirement of Active Directory cross-forest trust feature. – abbra Dec 19 '14 at 21:43
  • @abbra Good to know, thank you. I have not tried setting-up cross-realm trusts with overlapping DNS zones. – DTK Dec 19 '14 at 21:56