Random Musings

This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.



  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Ensure all packages are up to date
    • 4.2 Install needed packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Login as admin
    • 4.6 Make sure IPA users are available to the operating system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is a subdomain of IPA
      • 5.3.3 If IPA is a subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Enable access for users from AD domain to protected resources
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging tips
    • 8.2 Problems due to exhausted DNA range on replica


Prerequisites

  • FreeIPA 3.3.3 or later is preferred
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same local port space. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires the IPv6 stack to be enabled on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack.

Adding ipv6.disable_ipv6=1 keeps the IPv6 stack functional but does not assign IPv6 addresses to any of the network devices. This is the recommended approach for cases where you do not use IPv6 networking.

Adding the per-interface setting to, for example, /etc/sysctl.d/ipv6.conf will avoid assigning IPv6 addresses to one specific network interface.

Where interface0 is your specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level, and this has been the recommended way to develop networking applications for a long time already.
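The following check encodes the rule above as a script. It is an added example, not part of the FreeIPA wiki: it treats ipv6.disable=1 on the kernel command line as a blocker for a trust server (Samba cannot listen), and treats ipv6.disable_ipv6=1 or a per-interface net.ipv6.conf.<iface>.disable_ipv6 sysctl (the standard kernel knob the text refers to) as acceptable. Inputs are file paths so it can be run against /proc/cmdline and /etc/sysctl.d on a host, or against constructed samples.

```shell
#!/bin/sh
# Added example: classify the IPv6 configuration of a would-be FreeIPA trust
# server. Not from the FreeIPA project; the sysctl key name is the standard
# kernel one, the "interface0" name follows the wiki text.
#
# Prints one of:
#   stack-disabled               ipv6.disable=1 on the kernel line (fatal)
#   stack-enabled-no-addresses   stack up, address assignment turned off (ok)
#   stack-enabled                plain IPv6 (ok)
# Returns 1 only for the fatal case so it can gate an installer script.
ipv6_stack_status() {
    cmdline_file="$1"   # e.g. /proc/cmdline
    sysctl_dir="$2"     # e.g. /etc/sysctl.d

    # ipv6.disable=1 removes the whole stack; -w keeps "=10" from matching.
    if grep -qw 'ipv6\.disable=1' "$cmdline_file"; then
        echo "stack-disabled"
        return 1
    fi

    # ipv6.disable_ipv6=1 on the kernel line, or any
    # net.ipv6.conf.<iface>.disable_ipv6 = 1 in a sysctl drop-in, keeps the
    # stack but stops address assignment. -s hides errors for an empty dir.
    if grep -qw 'ipv6\.disable_ipv6=1' "$cmdline_file" ||
       grep -rqs '^net\.ipv6\.conf\.[^.]*\.disable_ipv6[[:space:]]*=[[:space:]]*1' \
            "$sysctl_dir"; then
        echo "stack-enabled-no-addresses"
        return 0
    fi

    echo "stack-enabled"
    return 0
}

# Run against the live host only when asked, so sourcing the file is silent.
if [ "${1:-}" = "--host" ]; then
    ipv6_stack_status /proc/cmdline /etc/sysctl.d
fi
```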

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were introduced with the Windows Server 2003 forest functional level, the use of AES encryption types imposes additional requirements that need the Windows Server 2008 domain functional level. It is possible to establish a trust between a FreeIPA server and Windows Server 2003 R2, with limited functionality and only the RC4 and DES encryption types. The next paragraph describes the steps required to do this. Please note, however, that this is unsupported, highly experimental and of very limited value, because the weak encryption types used for the trusted domain objects can be cracked fairly easily with recent advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click the 'Active Directory Domains and Trusts' root in the left pane. Then choose 'Raise forest functional level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing the trust with the 'ipa trust-add' command. The rest of the setup is the same as for Windows Server 2008 R2.
