Setting up a cross-domain trust between FreeIPA and AD

Kovasky Buezo | Feb 16, 2024

edited on: May 17, 2024

Intro

I’ve been playing around with FreeIPA in my homelab for a while and have always wanted to enable seamless authentication between all my hosts regardless of their operating system. I stumbled upon the concept of cross-domain trusts between FreeIPA and Active Directory which allows us to achieve this.

There is a caveat, though: two-way trusts are still not fully implemented in FreeIPA, so AD (Windows) users can authenticate to Linux hosts, but FreeIPA (Linux) users cannot authenticate to Windows hosts.

Creating the trust (on your FreeIPA server)

First, make sure that your FreeIPA server and your Active Directory do not share the same domain. One can be a subdomain of the other, or you can use entirely separate domains. In my case, I went with lin.mydomain.com for FreeIPA and win.mydomain.com for Active Directory. Once both servers are set up with their respective domains, you can begin setting up the trust.

You should have the following ports open:

TCP: 53, 80, 88, 135, 138, 139, 389, 443, 445, 464, 636, 1024-1300

UDP: 53, 88, 123, 138, 139, 389, 445, 464
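A pre-flight check for that port list, added here as an editor's example (it is not part of the original post): it reports which of the required ports a firewalld zone does not open, using the `port/proto` entries that `firewall-cmd --list-ports` prints. The REQUIRED_* variables and the function names are the example's own.

```shell
#!/bin/sh
# Editor's example, not from the original post: compare the trust port list
# with what firewalld opens, as printed by `firewall-cmd --list-ports`.
REQUIRED_TCP="53 80 88 135 138 139 389 443 445 464 636 1024-1300"
REQUIRED_UDP="53 88 123 138 139 389 445 464"

# port_in_list PORT ENTRY... : succeed if PORT is covered by one of the
# entries, each a single port or a lo-hi range.
port_in_list() {
    q=$1; shift
    for entry in "$@"; do
        case $entry in
            *-*) [ "$q" -ge "${entry%-*}" ] && [ "$q" -le "${entry#*-}" ] && return 0 ;;
            *)   [ "$q" -eq "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# missing_ports PROTO "OPEN-LIST" : print every required PROTO port that the
# open list (entries such as "80/tcp" or "1024-1300/tcp") does not cover,
# one "port/proto" per line; no output means the list is complete.
missing_ports() {
    proto=$1; open=$2
    case $proto in
        tcp) req=$REQUIRED_TCP ;;
        udp) req=$REQUIRED_UDP ;;
        *)   echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    opened=""
    for e in $open; do
        case $e in */"$proto") opened="$opened ${e%/*}" ;; esac
    done
    for r in $req; do
        case $r in
            *-*) lo=${r%-*}; hi=${r#*-} ;;
            *)   lo=$r; hi=$r ;;
        esac
        p=$lo
        while [ "$p" -le "$hi" ]; do
            port_in_list "$p" $opened || echo "$p/$proto"
            p=$((p + 1))
        done
    done
}

# On the FreeIPA host itself, report gaps against the running firewalld zone.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    live=$(firewall-cmd --list-ports 2>/dev/null)
    for proto in tcp udp; do missing_ports "$proto" "$live"; done
fi
```

Ports opened through a named firewalld service (for example `--add-service=freeipa-trust`) do not appear in `--list-ports`, so if you used services rather than explicit ports, check `firewall-cmd --list-all` by hand instead.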

Make sure the AD trust package for FreeIPA is installed:

yum install *ipa-server-trust-ad

Then run the following commands:

kinit <user with ipa admin privileges>

ipa-adtrust-install

Follow the on-screen prompts to enter your AD domain, a domain admin account, and its password.

Validating the Trust (on your AD server)

In Server Manager, navigate to Tools -> Active Directory Domains and Trusts. Right-click your domain and select Properties. On the Trusts tab, select the incoming trust for your FreeIPA domain and click Validate. Enter your domain admin credentials when prompted.

Validating the Trust (on your FreeIPA server)

Try to obtain a ticket for an AD user with kinit [email protected]. If everything is set up correctly, this should succeed.