Integration FreeIPA in CentOS7 to Microsoft Active Directory

Our purpose is to configure CentOS7 and integrate it with Microsoft Active Directory, which acts as the domain controller.

We use the following machines:
DC (Windows) – dc01.domain.lan – 10.50.3.2
DC (Windows) – dc02.domain.lan – 10.50.3.3
DC (CentOS7) – ipa.ec.domain.lan – 10.50.3.126
Client (CentOS7) – centos7client.ec.domain.lan – 10.50.3.124

Our Base DN is DOMAIN.LAN. Both Active Directory Domain Controllers run Windows Server 2012 R2.

The network topology is as follows:
[Image: toplogy]

First, go to the Active Directory Domain Controller, open PowerShell and add the DNS records as follows:
PS C:\Users\Administrator> dnscmd 127.0.0.1 /RecordAdd domain.lan ipa.ec A 10.50.3.126
Add A Record for ipa.ec.domain.lan at domain.lan
Command completed successfully.

PS C:\Users\Administrator> dnscmd 127.0.0.1 /RecordAdd domain.lan ec NS ipa.ec.domain.lan
Add NS Record for ec.domain.lan at domain.lan
Command completed successfully.

PS C:\Users\Administrator> dnscmd 127.0.0.1 /ClearCache
127.0.0.1 completed successfully.
Command completed successfully.

After adding the new A and NS records we must restart the DNS service on each AD domain controller to quickly
[Image: newns]

The result of the changes must look as follows:
[Image: resultofns]

Note: the hostname of the FreeIPA server (10.50.3.126) must be configured as ipa.ec.domain.lan and that of the FreeIPA client (10.50.3.124) as centos7client.

Note: disable SELinux and firewalld on both machines (FreeIPA server and client).

Disable SELinux and the firewall on the FreeIPA server:
[root@ipa ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@ipa ~]# systemctl stop firewalld; systemctl disable firewalld; reboot
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'

Add the FreeIPA server (10.50.3.126) to its own /etc/hosts file as follows:
[root@ipa ~]# echo "10.50.3.126 ipa.ec.domain.lan ipa" >> /etc/hosts

Install the needed packages:
[root@ipa ~]# yum -y install vim net-tools bind-utils

Install the packages for the FreeIPA server:
[root@ipa ~]# yum -y install ipa-server-trust-ad bind bind-dyndb-ldap ipa-server-dns

Install and configure the FreeIPA server with the following parameters (the output must look as follows):
[root@ipa ~]# ipa-server-install --realm=EC.DOMAIN.LAN --domain=ec.domain.lan --ds-password='A123456789a' --admin-password='A123456789a' --mkhomedir --ssh-trust-dns --setup-dns --unattended --forwarder=10.50.3.2 --no-host-dns

Checking DNS domain ec.domain.lan, please wait …

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server 

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)

Warning: skipping DNS resolution of host ipa.ec.domain.lan
Checking DNS domain ec.domain.lan., please wait …
Checking DNS forwarders, please wait …
DNS server 10.50.3.2: answer to query ‘. SOA’ is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive “dnssec-enable yes;” to “options {}”)
WARNING: DNSSEC validation will be disabled

The IPA Master Server will be configured with:
Hostname:       ipa.ec.domain.lan
IP address(es): 10.50.3.126
Domain name:    ec.domain.lan
Realm name:     EC.DOMAIN.LAN

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.50.3.2
Forward policy:   only
Reverse zone(s):  No reverse zone
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/47]: creating directory server user
[2/47]: creating directory server instance
[3/47]: updating configuration in dse.ldif
[4/47]: restarting directory server
[5/47]: adding default schema
[6/47]: enabling memberof plugin
[7/47]: enabling winsync plugin
[8/47]: configuring replication version plugin
[9/47]: enabling IPA enrollment plugin
[10/47]: enabling ldapi
[11/47]: configuring uniqueness plugin
[12/47]: configuring uuid plugin
[13/47]: configuring modrdn plugin
[14/47]: configuring DNS plugin
[15/47]: enabling entryUSN plugin
[16/47]: configuring lockout plugin
[17/47]: configuring topology plugin
[18/47]: creating indices
[19/47]: enabling referential integrity plugin
[20/47]: configuring certmap.conf
[21/47]: configure autobind for root
[22/47]: configure new location for managed entries
[23/47]: configure dirsrv ccache
[24/47]: enabling SASL mapping fallback
[25/47]: restarting directory server
[26/47]: adding sasl mappings to the directory
[27/47]: adding default layout
[28/47]: adding delegation layout
[29/47]: creating container for managed entries
[30/47]: configuring user private groups
[31/47]: configuring netgroups from hostgroups
[32/47]: creating default Sudo bind user
[33/47]: creating default Auto Member layout
[34/47]: adding range check plugin
[35/47]: creating default HBAC rule allow_all
[36/47]: adding sasl mappings to the directory
[37/47]: adding entries for topology management
[38/47]: initializing group membership
[39/47]: adding master entry
[40/47]: initializing domain level
[41/47]: configuring Posix uid/gid generation
[42/47]: adding replication acis
[43/47]: enabling compatibility plugin
[44/47]: activating sidgen plugin
[45/47]: activating extdom plugin
[46/47]: tuning directory server
[47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
[1/31]: creating certificate server user
[2/31]: configuring certificate server instance
[3/31]: stopping certificate server instance to update CS.cfg
[4/31]: backing up CS.cfg
[5/31]: disabling nonces
[6/31]: set up CRL publishing
[7/31]: enable PKIX certificate path discovery and validation
[8/31]: starting certificate server instance
[9/31]: creating RA agent certificate database
[10/31]: importing CA chain to RA certificate database
[11/31]: fixing RA database permissions
[12/31]: setting up signing cert profile
[13/31]: setting audit signing renewal to 2 years
[14/31]: restarting certificate server
[15/31]: requesting RA certificate from CA
[16/31]: issuing RA agent certificate
[17/31]: adding RA agent as a trusted user
[18/31]: authorizing RA to modify profiles
[19/31]: authorizing RA to manage lightweight CAs
[20/31]: Ensure lightweight CAs container exists
[21/31]: configure certmonger for renewals
[22/31]: configure certificate renewals
[23/31]: configure RA certificate renewal
[24/31]: configure Server-Cert certificate renewal
[25/31]: Configure HTTP to proxy connections
[26/31]: restarting certificate server
[27/31]: migrating certificate profiles to LDAP
[28/31]: importing IPA certificate profiles
[29/31]: adding default CA ACL
[30/31]: adding ‘ipa’ CA entry
[31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
[1/3]: configuring ssl for ds instance
[2/3]: restarting directory server
[3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/9]: adding kerberos container to the directory
[2/9]: configuring KDC
[3/9]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
[4/9]: adding default ACIs
[5/9]: creating a keytab for the directory
[6/9]: creating a keytab for the machine
[7/9]: adding the password extension to the directory
[8/9]: starting the KDC
[9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
[1/2]: starting ipa_memcached
[2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Making sure custodia container exists
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
[1/21]: setting mod_nss port to 443
[2/21]: setting mod_nss cipher suite
[3/21]: setting mod_nss protocol list to TLSv1.0 – TLSv1.2
[4/21]: setting mod_nss password file
[5/21]: enabling mod_nss renegotiate
[6/21]: adding URL rewriting rules
[7/21]: configuring httpd
[8/21]: configure certmonger for renewals
[9/21]: setting up httpd keytab
[10/21]: setting up ssl
[11/21]: importing CA certificates from LDAP
[12/21]: setting up browser autoconfig
[13/21]: publish CA cert
[14/21]: clean up any existing httpd ccache
[15/21]: configuring SELinux for httpd
[16/21]: create KDC proxy user
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: restarting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
[7/9]: stopping directory server
[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
[1/11]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
[2/11]: adding DNS container
[3/11]: setting up our zone
[4/11]: setting up our own record
[5/11]: setting up records for other masters
[6/11]: adding NS record to the zones
[7/11]: setting up kerberos principal
[8/11]: setting up named.conf
[9/11]: setting up server configuration
[10/11]: configuring named to start on boot
[11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate ‘/etc/ipa/ca.crt’.
Client hostname: ipa.ec.domain.lan
Realm: EC.DOMAIN.LAN
DNS Domain: ec.domain.lan
IPA Server: ipa.ec.domain.lan
BaseDN: dc=ec,dc=atl,dc=lan
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipa.ec.domain.lan/ipa/json
Forwarding ‘schema’ to json server ‘https://ipa.ec.domain.lan/ipa/json’
trying https://ipa.ec.domain.lan/ipa/session/json
Forwarding ‘ping’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
Forwarding ‘ca_is_enabled’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding ‘host_mod’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ec.domain.lan as NIS domain.
Client configuration complete.
==============================================================================
Setup complete

Next steps:

  1. You must make sure these network ports are open:

TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind

UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'

This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

After the FreeIPA server has been installed on 10.50.3.126, change its /etc/resolv.conf file as follows:
[root@ipa ~]# cat /etc/resolv.conf
search domain.lan ec.domain.lan
nameserver 10.50.3.2
nameserver 10.50.3.3

Or restart the network service:
[root@ipa ~]# systemctl restart network

Configure the IPA server for cross-realm trusts:
[root@ipa ~]# ipa-adtrust-install --admin-password='A123456789a' --netbios-name=EC --add-sids --unattended
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Configuring CIFS
[1/22]: stopping smbd
[2/22]: creating samba domain object
[3/22]: creating samba config registry
[4/22]: writing samba config file
[5/22]: adding cifs Kerberos principal
[6/22]: adding cifs and host Kerberos principals to the adtrust agents group
[7/22]: check for cifs services defined on other replicas
[8/22]: adding cifs principal to S4U2Proxy targets
[9/22]: adding admin(group) SIDs
[10/22]: adding RID bases
[11/22]: updating Kerberos config
‘dns_lookup_kdc’ already set to ‘true’, nothing to do.
[12/22]: activating CLDAP plugin
[13/22]: activating sidgen task
[14/22]: configuring smbd to start on boot
[15/22]: adding special DNS service records
[16/22]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[17/22]: adding fallback group
[18/22]: adding Default Trust View
[19/22]: setting SELinux booleans
[20/22]: starting CIFS services
[21/22]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
[22/22]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete

You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range

UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
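
Both installers print the ports they need, which makes it possible to keep firewalld running and open only those ports instead of disabling it as done earlier on this server. The following script is an added example, not from the original post or the FreeIPA project: it assumes firewalld is the firewall on the CentOS 7 host, the port lists are copied from the two installer outputs above, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post): keep firewalld running on the
# FreeIPA server and open only the ports the two installers list, as an
# alternative to "systemctl disable firewalld". Assumes firewalld is the
# firewall on the host; function names are assumptions.

# Ports printed by ipa-server-install under "Next steps".
IPA_SERVER_TCP="80 443 389 636 88 464 53"
IPA_SERVER_UDP="88 464 53 123"
# Ports printed by ipa-adtrust-install for the trust (CIFS/RPC) side.
IPA_TRUST_TCP="135 138 139 445 1024-1300"
IPA_TRUST_UDP="138 139 389 445"

# _port_lines PROTO PORT...: one "port/proto" line per port.
_port_lines() {
    proto="$1"; shift
    for p in "$@"; do
        printf '%s/%s\n' "$p" "$proto"
    done
}

# ipa_firewall_cmds ROLE: print the firewall-cmd calls for ROLE "server"
# (ipa-server-install only) or "trust" (server plus ipa-adtrust-install).
ipa_firewall_cmds() {
    role="${1:-trust}"
    {
        _port_lines tcp $IPA_SERVER_TCP
        _port_lines udp $IPA_SERVER_UDP
        if [ "$role" = "trust" ]; then
            _port_lines tcp $IPA_TRUST_TCP
            _port_lines udp $IPA_TRUST_UDP
        fi
    } | sort -u | while IFS= read -r spec; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$spec"
    done
    printf 'firewall-cmd --reload\n'
}

# ipa_firewall_rule_count ROLE: number of add-port rules generated for ROLE.
ipa_firewall_rule_count() {
    ipa_firewall_cmds "$1" | grep -c 'add-port='
}

# ipa_firewall_apply ROLE: run the rules where firewall-cmd exists, else print them.
ipa_firewall_apply() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        ipa_firewall_cmds "$1" | sh -e
    else
        ipa_firewall_cmds "$1"
    fi
}

# Usage on the IPA server (applies only when IPA_FW_APPLY is set):
#   IPA_FW_APPLY=1 sh ipa-firewall.sh
if [ -n "${IPA_FW_APPLY:-}" ]; then
    ipa_firewall_apply trust
fi
```

Run it without IPA_FW_APPLY first to review the generated commands; the "server" role covers a plain IPA server, "trust" adds the ports the trust setup needs. The 1024-1300/tcp range is the RPC endpoint mapper listener range the installer reports, so it is opened as one range rule.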

Establish and verify the cross-realm trust by adding a trust with the AD domain (this is done on the FreeIPA server):
[root@ipa ~]# ipa trust-add --type=ad domain.lan
Active Directory domain administrator: atladm
Active Directory domain administrator’s password: write_pass_here
————————————————
Added Active Directory trust for realm “domain.lan”
————————————————
Realm name: domain.lan
Domain NetBIOS name: ATL
Domain Security Identifier: S-1-5-21-2852957904-459492390-1610673386
Trust direction: Trusting forest
Trust type: Active Directory domain
Trust status: Established and verified

Check the trusted domain:
[root@ipa ~]# ipa trustdomain-find domain.lan
Domain name: domain.lan
Domain NetBIOS name: ATL
Domain Security Identifier: S-1-5-21-2852957904-459492390-1610673386
Domain enabled: True
—————————-
Number of entries returned 1
—————————-

Install the X packages and the Firefox browser on the FreeIPA server (10.50.3.126); we will use X to run the browser on the server:
[root@ipa ~]# yum -y install xorg-x11-apps xorg-x11-utils xorg-x11-xinit xorg-x11-xauth xorg-x11-server-Xorg xorg-x11-font*
[root@ipa ~]# yum install -y firefox

Log in to the FreeIPA server (10.50.3.126) again with X11 forwarding and open Firefox. In the URL bar type about:config and press the "I'll be careful, I promise!" button:
[Image: browserconfig.png]

In the search field type network.negotiate-auth.trusted-uris, double-click the entry, enter the Base DN of our AD domain controller (.domain.lan) and press OK:
[Image: browsertrusteduris]
[Image: browservalue]

After that, log in to the FreeIPA server management interface (https://ipa.ec.domain.lan):
[Image: freeipamgmt.png]

Go to IPA Server -> Trusts -> Trusts to check the domain:
[Image: freeipaservertrusts.png]

Click the domain and check the trust:
[Image: trustdomain]
[Image: trustdomain1.png]

Then go to Network Services -> DNS -> DNS Zones and click the domain name to check its records:
[Image: dnszones]
[Image: dnszones1.png]

Again go to Network Services -> DNS -> DNS Zones, press the Add button, select Reverse zone IP network, enter 10/8 and press Add.
[Image: adddnszone]

The result must look as follows:
[Image: addeddnszone]

List of records:
[Image: listofrecords.png]

Change the default shell to /bin/bash for all users:
[root@ipa ~]# ipa config-mod --defaultshell=/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: ec.domain.lan
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EC.DOMAIN.LAN
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
IPA masters: ipa.ec.domain.lan
IPA CA servers: ipa.ec.domain.lan
IPA NTP servers: ipa.ec.domain.lan
IPA CA renewal master: ipa.ec.domain.lan

To change the default shell on the client machine, edit /etc/sssd/sssd.conf on the client and set the override_shell option under the [nss] section to /bin/bash, as follows:
[nss]
override_shell = /bin/bash
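
The override_shell change above is a one-line edit, but if it is scripted for many clients it should be safe to rerun: replace the option when it already exists in [nss], append it when it does not, and never create a duplicate. The following script is an added example, not from the original post or the SSSD project: set_ini_key and get_ini_key are assumed helper names, and the sssd.conf in sssd_demo is constructed to resemble what ipa-client-install writes.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotently set a key inside
# one section of an INI-style file such as /etc/sssd/sssd.conf. The function
# names are assumptions; the format ([section] headers, "key = value" lines)
# is the one sssd.conf uses.

# set_ini_key FILE SECTION KEY VALUE: replace KEY in SECTION if present,
# append it to SECTION otherwise, creating SECTION at the end if it is missing.
set_ini_key() {
    file="$1"; section="$2"; key="$3"; value="$4"
    tmp="${file}.tmp.$$"
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function emit_if_pending() {
            if (in_sec && !done) { print key " = " val; done = 1 }
        }
        /^[ \t]*\[/ {
            emit_if_pending()            # leaving a section: flush the pending key
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_sec = (name == sec)
            print; next
        }
        in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END {
            if (!in_sec && !done) print "[" sec "]"
            if (!done) print key " = " val
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ini_key FILE SECTION KEY: print the value, or nothing if it is not set.
get_ini_key() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_sec = (name == sec); next
        }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# sssd_demo: run the helpers over a constructed sssd.conf resembling the one
# ipa-client-install writes. Prints the shell value, the number of
# override_shell lines (must stay 1 after two runs) and a key in a new section.
sssd_demo() {
    f="${TMPDIR:-/tmp}/sssd_demo.$$"
    cat > "$f" <<'EOF'
[domain/ec.domain.lan]
id_provider = ipa
ipa_domain = ec.domain.lan

[sssd]
services = nss, sudo, pam, ssh
domains = ec.domain.lan

[nss]
homedir_substring = /home
EOF
    set_ini_key "$f" nss override_shell /bin/bash
    set_ini_key "$f" nss override_shell /bin/bash   # rerun: no duplicate line
    set_ini_key "$f" pam pam_verbosity 1            # missing section is created
    get_ini_key "$f" nss override_shell
    grep -c '^override_shell' "$f"
    get_ini_key "$f" pam pam_verbosity
    rm -f "$f"
}

# On the client (applies only when SSSD_APPLY is set): set the option and
# restart sssd so the new shell is used for the next login.
if [ -n "${SSSD_APPLY:-}" ]; then
    set_ini_key /etc/sssd/sssd.conf nss override_shell /bin/bash && systemctl restart sssd
fi
```

sssd.conf is read only by root and must keep mode 0600; the temporary file is created next to it and moved into place, so run the script as root and check the resulting permissions if your umask is unusual.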

Add the new CentOS7 client machine to the server:
[root@ipa ~]# ipa host-add centos7client.ec.domain.lan --password='A123456789a' --ip-address=10.50.3.124 --os="CentOS 7" --platform="VMware" --location="ATL datacenter" --locality="Narimanov" --desc="Test CentOS7 server"
————————————-
Added host “centos7client.ec.domain.lan”
————————————-
Host name: centos7client.ec.domain.lan
Description: Test CentOS7 server
Locality: Narimanov
Location: ATL datacenter
Platform: VMware
Operating system: CentOS 7
Password: True
Keytab: False
Managed by: centos7client.ec.domain.lan

Now we move to the CentOS7 FreeIPA client machine (10.50.3.124).

The DNS servers in the /etc/resolv.conf file of our CentOS7 client machine must be as follows:
[root@centos7client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search ipa.ec.domain.lan
nameserver 10.50.3.126
nameserver 10.50.3.2
nameserver 10.50.3.3

Disable SELinux, add the IP address to /etc/hosts, update and install the needed packages and disable firewalld:
[root@centos7client ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@centos7client ~]# echo "10.50.3.124 centos7client.ec.domain.lan centos7client" >> /etc/hosts
[root@centos7client ~]# yum update -y && yum -y install vim net-tools bind-utils
[root@centos7client ~]# systemctl stop firewalld; systemctl disable firewalld; reboot

Install the IPA client package on the CentOS7 client machine:
[root@centos7client ~]# yum -y install ipa-client

Enroll with the FreeIPA server (using the password we created earlier for this host):
[root@centos7client ~]# ipa-client-install -w 'A123456789a' --mkhomedir
Discovery was successful!
Client hostname: centos7client.ec.domain.lan
Realm: EC.DOMAIN.LAN
DNS Domain: ec.domain.lan
IPA Server: ipa.ec.domain.lan
BaseDN: dc=ec,dc=atl,dc=lan

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC…
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Do you want to download the CA cert from http://ipa.ec.domain.lan/ipa/config/ca.crt ?
(this is INSECURE) [no]: yes
Successfully retrieved CA cert
Subject:     CN=Certificate Authority,O=EC.DOMAIN.LAN
Issuer:      CN=Certificate Authority,O=EC.DOMAIN.LAN
Valid From:  Tue Dec 27 10:21:46 2016 UTC
Valid Until: Sat Dec 27 10:21:46 2036 UTC

Enrolled in IPA realm EC.DOMAIN.LAN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EC.DOMAIN.LAN
trying https://ipa.ec.domain.lan/ipa/json
Forwarding ‘schema’ to json server ‘https://ipa.ec.domain.lan/ipa/json’
trying https://ipa.ec.domain.lan/ipa/session/json
Forwarding ‘ping’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
Forwarding ‘ca_is_enabled’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding ‘host_mod’ to json server ‘https://ipa.ec.domain.lan/ipa/session/json’
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ec.domain.lan as NIS domain.
Client configuration complete.

Try to resolve the LDAP servers:
[root@centos7client ~]# dig SRV _ldap._tcp.domain.lan | grep '^_ldap'
_ldap._tcp.domain.lan.     539     IN      SRV     0 100 389 dc01.domain.lan.
_ldap._tcp.domain.lan.     539     IN      SRV     0 100 389 dc02.domain.lan.

[root@centos7client ~]# dig SRV _ldap._tcp.ec.domain.lan | grep '^_ldap'
_ldap._tcp.ec.domain.lan.  86400   IN      SRV     0 100 389 ipa.ec.domain.lan.
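
The two dig queries above can be turned into a repeatable check that fails when a domain controller or the IPA server drops out of the SRV records. The following script is an added example, not from the original post: srv_targets, _expect_hosts, check_srv and srv_sample_ok are assumed helper names, check_srv queries live DNS with dig from bind-utils, and the sample answers are constructed from the records shown above so the matcher also runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): parse "dig SRV" answers and
# verify that every expected server is advertised. Helper names are assumptions.

# srv_targets: read dig output on stdin, print sorted "target port" pairs.
# Answer lines look like: name ttl IN SRV prio weight port target.
srv_targets() {
    awk '$4 == "SRV" { t = $8; sub(/\.$/, "", t); print t, $7 }' | sort
}

# _expect_hosts FOUND EXPECTED: succeed when every host in EXPECTED
# (space separated) appears in FOUND; list the missing ones on stderr.
_expect_hosts() {
    found="$1"; expected="$2"; missing=""
    for h in $expected; do
        printf '%s\n' "$found" | awk -v h="$h" '$1 == h { ok = 1 } END { exit !ok }' \
            || missing="$missing $h"
    done
    if [ -n "$missing" ]; then
        echo "missing SRV targets:$missing" >&2
        return 1
    fi
    return 0
}

# check_srv NAME "host1 host2 ...": live query with dig (bind-utils).
check_srv() {
    _expect_hosts "$(dig +noall +answer SRV "$1" | srv_targets)" "$2"
}

# Constructed samples: the answers shown above for the AD and IPA domains.
AD_SRV_SAMPLE='_ldap._tcp.domain.lan.     539     IN      SRV     0 100 389 dc01.domain.lan.
_ldap._tcp.domain.lan.     539     IN      SRV     0 100 389 dc02.domain.lan.'
IPA_SRV_SAMPLE='_ldap._tcp.ec.domain.lan.  86400   IN      SRV     0 100 389 ipa.ec.domain.lan.'

# srv_sample_ok: offline run of the matcher over the captured answers.
srv_sample_ok() {
    _expect_hosts "$(printf '%s\n' "$AD_SRV_SAMPLE" | srv_targets)" "dc01.domain.lan dc02.domain.lan" &&
    _expect_hosts "$(printf '%s\n' "$IPA_SRV_SAMPLE" | srv_targets)" "ipa.ec.domain.lan"
}

# Live usage from the enrolled client (runs only when SRV_LIVE is set).
# The Kerberos records matter as much as the LDAP ones for the trust to work.
if [ -n "${SRV_LIVE:-}" ]; then
    check_srv _ldap._tcp.domain.lan "dc01.domain.lan dc02.domain.lan"
    check_srv _kerberos._tcp.domain.lan "dc01.domain.lan dc02.domain.lan"
    check_srv _ldap._tcp.ec.domain.lan "ipa.ec.domain.lan"
    check_srv _kerberos._tcp.ec.domain.lan "ipa.ec.domain.lan"
fi
```

A non-zero exit from the live checks points at the DNS delegation set up in PowerShell at the start, or at a resolv.conf that no longer lists the IPA server first.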

Obtain a ticket as the admin user and look at the Kerberos ticket issued by FreeIPA:
[root@centos7client ~]# kinit admin

Password for admin@EC.DOMAIN.LAN: write_admin_pass
[root@centos7client ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EC.DOMAIN.LAN
Valid starting       Expires              Service principal
12/27/2016 16:34:22  12/28/2016 16:34:16  krbtgt/EC.DOMAIN.LAN@EC.DOMAIN.LAN

Go to the FreeIPA server's Network Services -> DNS -> DNS Zones, click the ec.domain.lan. zone and look at the new records:
[Image: newlistofrecs]

Then go to Identity -> Hosts and click the centos7client.domain.lan host to see its details:
[Image: hosts]
[Image: hosts1.png]

Open the PuTTY client and try to log in to the centos7client.ec.domain.lan machine with a domain account:
[Image: putty_config]

The first login takes some time because the profile files are being created:
[Image: result_of_connection]

Look at the ID and the path of the home directory:
-sh-4.2$ id
uid=349801110(jamal@domain.lan) gid=349801110(jamal@domain.lan) groups=349801110(jamal@domain.lan),349800513(domain users@domain.lan),349801113(vpnusers@domain.lan),349801156(rtcuniversalglobalreadonlygroup@domain.lan),349801158(rtcuniversalserverreadonlygroup@domain.lan),349801159(rtcuniversaluserreadonlygroup@domain.lan),349801164(rtcuniversaluseradmins@domain.lan),349801165(rtcuniversalreadonlyadmins@domain.lan),349801171(csuseradministrator@domain.lan),349801210(dl atltech members@domain.lan),349801280(dl atlgroup members@domain.lan),349801287(dl it members@domain.lan),349801343(mercurial@domain.lan),349801365(atltech –  it members@domain.lan),349801384(scomadmins@domain.lan),349801397(owncloudmembers@domain.lan),349801429(allow vpn to bvim@domain.lan),349801451(allow vpn to fhn@domain.lan),349801482(xwikimembers@domain.lan),349801498(openvpnfausers@domain.lan),349801499(openvpnmausers@domain.lan),349801504(atlwifiusers@domain.lan),349801538(gitusers@domain.lan),349801540(omusers@domain.lan),349801564(atlcanvas@domain.lan),349801642(sp_project2013_reportcreators@domain.lan),349801676(sp_projectstatus_list_members@domain.lan),349801692(proxy_unlimited@domain.lan),349801847(dlbyodusers@domain.lan),349802123(redminemembers@domain.lan),349802143(openfiremembers@domain.lan),349802227(allow send to dl atlgroup members@domain.lan),349802240(openprojectmembers@domain.lan)

-sh-4.2$ pwd
/home/domain.lan/jamal

-sh-4.2$ who
jamal@domain.lan pts/1        2016-12-27 16:53 (10.50.63.241)

Create a new group named FreeIPA-Members on the domain controller and add Administrators to this group:
freeipa-members

Create a new external group named "ad_users_external_freeipa":
[root@ipa ~]# ipa group-add --desc='AD users external for FreeIPA-Members' ad_users_external_freeipa --external
—————————————
Added group “ad_users_external_freeipa”
—————————————
Group name: ad_users_external_freeipa
Description: AD users external for FreeIPA-Members

Create a new internal (POSIX) group named "ad_sshaccess_users" (we will map the external group "ad_users_external_freeipa" into it):
[root@ipa ~]# ipa group-add --desc='AD SSH access users' ad_sshaccess_users
——————————–
Added group “ad_sshaccess_users”
——————————–
Group name: ad_sshaccess_users
Description: AD SSH access users
GID: 1811000005

Add the AD group "ATL\FreeIPA-Members" as an external member (ATL is the NetBIOS name of the trusted domain):
[root@ipa ~]# ipa group-add-member ad_users_external_freeipa --external "ATL\FreeIPA-Members"
[member user]:
[member group]:
Group name: ad_users_external_freeipa
Description: AD users external for FreeIPA-Members
External member: S-1-5-21-2852957904-459492390-1610673386-2258
————————-
Number of members added 1
————————-

Map the external group into our internal group; membership is then resolved through the FreeIPA-Members group in the AD domain DOMAIN.LAN:
[root@ipa ~]# ipa group-add-member ad_sshaccess_users --groups ad_users_external_freeipa
Group name: ad_sshaccess_users
Description: AD SSH access users
GID: 1811000005
Member groups: ad_users_external_freeipa
————————-
Number of members added 1
————————-
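
The external member above is stored as a SID, not as a name, so before the POSIX group is used in an HBAC rule it is worth confirming that every external member SID belongs to the trusted domain reported by ipa trustdomain-find (S-1-5-21-2852957904-459492390-1610673386 above); a SID from another forest would map access the trust does not cover. The following script is an added example, not from the original post or the FreeIPA project: the helper names are mine, the two SIDs come from the outputs above, and the second constructed group-show sample contains a made-up foreign SID to show the failure case.

```shell
#!/bin/sh
# Added example (not part of the original post): check the SIDs that
# "ipa group-show" reports as external members against the trusted domain SID
# from "ipa trustdomain-find". Helper names are assumptions, not IPA commands.

# sid_domain SID: drop the trailing RID, leaving the domain identifier.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# sid_rid SID: the last component, the relative identifier inside the domain.
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# sid_in_domain SID DOMAIN_SID: succeed only when SID is DOMAIN_SID plus one RID.
sid_in_domain() {
    case "$1" in
        "$2"-*) [ "$(sid_domain "$1")" = "$2" ] ;;
        *) return 1 ;;
    esac
}

# check_external_members DOMAIN_SID: read "External member: ..." lines, as
# printed by "ipa group-show <group>", on stdin and label every SID.
check_external_members() {
    dom="$1"
    sed -n 's/^[[:space:]]*External member:[[:space:]]*//p' | tr ',' '\n' |
    while IFS= read -r sid; do
        sid=$(printf '%s' "$sid" | tr -d ' ')
        [ -n "$sid" ] || continue
        if sid_in_domain "$sid" "$dom"; then
            printf '%s ok (RID %s)\n' "$sid" "$(sid_rid "$sid")"
        else
            printf '%s FOREIGN\n' "$sid"
        fi
    done
}

# foreign_member_count DOMAIN_SID: how many external members lie outside it.
foreign_member_count() {
    check_external_members "$1" | grep -c FOREIGN || :
}

# Values taken from the post: the trusted domain SID and the external member added above.
TRUSTED_DOMAIN_SID="S-1-5-21-2852957904-459492390-1610673386"
EXTERNAL_MEMBER_SID="S-1-5-21-2852957904-459492390-1610673386-2258"

# Constructed sample of "ipa group-show ad_users_external_freeipa" output.
GROUP_SHOW_SAMPLE='  Group name: ad_users_external_freeipa
  Description: AD users external for FreeIPA-Members
  External member: S-1-5-21-2852957904-459492390-1610673386-2258'

# Constructed sample with an extra, made-up SID from an unrelated domain.
GROUP_SHOW_MIXED='  Group name: ad_users_external_freeipa
  External member: S-1-5-21-2852957904-459492390-1610673386-2258, S-1-5-21-1111111111-2222222222-3333333333-1105'

# Live usage on the IPA server (runs only when IPA_SID_CHECK is set).
if [ -n "${IPA_SID_CHECK:-}" ]; then
    ipa group-show ad_users_external_freeipa | check_external_members "$TRUSTED_DOMAIN_SID"
fi
```

The RID printed for each accepted member is the part to compare with the AD side: RID 2258 here is an ordinary group created in the domain, whereas well-known RIDs such as 512 (Domain Admins) would mean the SSH-access rule is granting access to a privileged AD group.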

Then go to the FreeIPA web admin panel and open Policy -> Host Based Access Control. Disable the allow_all rule and add a new rule named allowed_groups:
[Image: policy_groups]

Then open the allowed_groups rule and add ad_sshaccess_users to it with the Add button:
[Image: allowed_groups.png]

 


4 thoughts on "Integration FreeIPA in CentOS7 to Microsoft Active Directory"

  1. Why do you feel it necessary to switch off SELinux? Do you have some particular issues (what are bug numbers) or is it just general persuasion that SELinux is evil?

