Red Hat Security: Identity Management and Authentication
- Section Establishing a Trust Relationship between IdM and AD
- Guided Exercise: Establishing a Trust Relationship between IdM and AD
- Managing AD User Integration with ID Views
- Guided Exercise: Managing AD User Integration with ID Views
- Quiz: Integrating Identity Management with Active Directory
- Summary
Abstract
| Goal |
Implement a cross-forest trust between Identity Management and Active Directory, and configure ID views to map POSIX attributes to Active Directory users. |
| Objectives |
|
| Sections |
|
Organizations commonly use a range of environments with different infrastructure, operating systems, and software. Many organizations use Active Directory (AD) for identity management of Windows users, desktops, servers, and cloud instances.
In Active Directory, a forest is the highest logical level of organization. A forest is composed of domain trees, which are collections of one or more domains. A company can set up a separate forest for a particular division or department and use a trust to allow the two forests to access each other's resources.
The following diagram describes how trusts work:
IdM can implement trusts that allow principals from one Kerberos realm to interact with another Kerberos realm. Principals can authenticate against resources on machines belonging to another realm. Kerberos can also create a relationship between two separate Kerberos realms, which is referred to as a cross-realm trust. IdM supports the configuration of a cross-realm trust between an IdM domain and an Active Directory domain.
Trust relationships can be either one-way or two-way. In an IdM one-way trust, IdM trusts AD without reciprocation. AD users can access IdM resources, but IdM users cannot access AD resources.
In a two-way trust, IdM users can authenticate to AD and AD users can authenticate to IdM. AD users can access resources in IdM in the same way as a one-way trust. IdM users can authenticate to AD but can only access Kerberos-enabled services in AD forests without access control checks. Accessing AD resources from IdM is not currently possible, and so accessing resources is limited from both ends.
In one-way or two-way trusts, IdM servers exchange authentication data with Active Directory Domain Controllers (DC).
The first domain in the forest is the root domain. This domain remains active for the lifecycle of the forest. IdM domains cannot be part of an existing Active Directory forest, and are treated as a separate forest by Active Directory. When you establish a trust relationship between two separate forest root domains, the trust is called an Active Directory cross-forest trust.
IdM can be part of trust relationships with multiple Active Directory forests, allowing users from unrelated Active Directory forests to access resources in the same shared IdM domain.
There are many ways to configure Active Directory trusts between subdomains, root domains, and forests. The trust flow identifies how information moves between domains. Trusted domains contain users, and trusting domains allow access to resources. In a one-way trust, trusts flow only in one direction; users have access to the trusting domain's resources, but users in the trusting domains cannot access resources in the trusted domain.
You can configure transitive and non-transitive trusts between domains. When you configure a transitive trust, the configured domain trusts another domain and any other domain trusted by that trusted domain.
The following diagram describes a transitive trust between three domains.
The DOMAIN C domain trusts DOMAIN A because DOMAIN C trusts DOMAIN B and DOMAIN B trusts DOMAIN A.
In a non-transitive trust relationship, the trust is limited to only the domains explicitly specified. Within an Active Directory forest, trust relationships between domains are usually two-way and transitive by default. Trust between two Active Directory forests is a trust between two forest root domains, which can be two-way or one-way. The transitivity of the cross-forest trust is explicit, which means that any domain trust within an Active Directory forest that leads to the root domain of the forest is transitive over the cross-forest trust. Separate cross-forest trusts are not transitive; therefore, you must establish an explicit cross-forest trust between each Active Directory forest root domain to another Active Directory forest root domain.
An IdM domain represents a separate Active Directory forest with a single Active Directory domain. Through a cross-forest trust between an Active Directory forest root domain and an IdM domain, users from the Active Directory forest can interact with Linux machines and services from the IdM domain.
The following diagram describes users from an Active Directory domain accessing resources in an IdM domain after the trust has been established between the two domains:
IdM and Active Directory have different user structures. On Windows systems, the Microsoft Privilege Account Certificate (MS-PAC) contains information about users, which includes security identifiers, domain usernames, and group memberships. On Linux systems, system users and groups are identified as POSIX entries and LDAP POSIX attributes contain that required information. The IdM server must be able to identify Active Directory entities and process their group memberships for access control.
There are two components for analyzing the data in the account certificate on a Kerberos ticket:
SSSD performs identity lookups on Active Directory and retrieves user and group security identifiers for authorization. SSSD caches user, group, and ticket information for users. SSSD also maps Kerberos and DNS domains for the users.
IdM associates Active Directory users with IdM groups for IdM policies and access.
Access control rules and policies for Linux domain administration, such as SELinux, Sudo, and host-based access controls are defined and applied through the IdM server. Any access control rules set in Active Directory are not evaluated or used by IdM servers, and the only relevant Active Directory configuration is group membership.
You can add individual Active Directory users and groups to IdM groups. User groups are required to set access permissions, host-based access control, Sudo rules, and other controls on IdM users. These groups grant or restrict access to IdM domain resources. Active Directory users and groups can be added directly to IdM user groups.
To add users and groups to the IdM server, add Active Directory users to a non-POSIX IdM external group, and then to a local IdM POSIX group. The POSIX group is then used for user and role management of the Active Directory users.
IdM uses LDAP for managing groups, which are expressed by specifying the distinguished name (DN) of an LDAP object that is a member of a group. Active Directory entries are not synchronized or copied to IdM, which means that Active Directory users and groups have no LDAP objects in the LDAP directory. Consequently, LDAP objects cannot be directly used to express group membership in the IdM LDAP.
For this reason, IdM creates non-POSIX external groups, referenced as normal IdM LDAP objects to signify group membership for Active Directory users and groups in IdM.
Security IDs (SIDs) for non-POSIX external groups are processed by SSSD, which maps the SIDs of groups in Active Directory to POSIX groups in IdM. In Active Directory, SIDs are associated with usernames. When a username is used to access IdM resources, SSSD in IdM resolves the username to its security ID before retrieving the information for that SID in the Active Directory domain.
Linux users are assigned a user ID (UID) number and a private group. The private group identifier number is the same as the user ID number. In a Linux environment, this does not create a conflict, but in Active Directory, the security ID number must be unique for every object in the domain. The trusted users in Active Directory require a UID and a group ID (GID) number in Linux systems.
These UID and GID numbers can be generated by IdM, however, if Active Directory entries already have UIDs and GIDs numbers assigned, assigning different numbers creates a conflict. Therefore, to avoid conflict, use the POSIX attributes defined by Active Directory instead of having IdM generate new values. These attributes include the UID, the GID number, and preferred login shell.
Important
Active Directory stores a subset of information for all objects in a global catalog, which includes every entry for every domain in a forest. Red Hat recommends replicating the attributes to the global catalog first.
When you create a trust, IdM automatically detects which ID range to use and creates a unique range for Active Directory domains added to the trust.
Pass one of the following --range-type options to the ipa trust-add command to define the range:
The
ipa-ad-trustrange option uses the IDs generated by IdM based on the security ID. If IdM generates the security IDs using the SID-to-POSIX ID mapping, ID ranges for Active Directory and IdM users and groups must have unique and non-overlapping ranges:[user@host ~]$
ipa trust-add --range-type=ipa-ad-trustThe
ipa-ad-trust-posixrange option uses IDs defined in POSIX attributes in Active Directory entries. IdM obtains the POSIX attributes, includinguidNumberandgidNumberfrom the Active Directory global catalog or from the domain controller:[user@host ~]$
ipa trust-add --range-type=ipa-ad-trust-posix
If there are no ID conflicts, then the ID numbers that are generated are unique, so no ID validation or ID range is required.
You can configure IdM trusts to Active Directory domain by using trust agents and trust controllers.
Trust agents are IdM servers that can perform identity lookups against Active Directory domain controllers. Trust controllers are IdM servers that are also trust agents and run the Samba suite. Active Directory domain controllers contact trust controllers when establishing and verifying the trust.
Important
Trust controllers run more network-facing services compared to trust agents, and so they present a greater attack surface for potential intruders.
The following table describes the different capabilities between trust agents and trust controllers.
| Capability | Trust agents | Trust controllers |
|---|---|---|
| Resolve Active Directory users and groups | Yes | Yes |
| Enroll IdM clients that run services accessible by users from trusted Active Directory forests | Yes | Yes |
| Manage trust; for example, adding a trust agreement | No | Yes |
Note
To prevent failures in the trust, deploy at least two trust controllers per IdM deployment and two trust controllers in each data center.
The trust between IdM and Active Directory (AD) is established on the cross-realm Kerberos trust. This solution uses the Kerberos capability to establish trusts between different identity sources.
Ensure that the IdM and Active Directory servers comply with the requisites to establish the trust. Make sure you verify the Kerberos configuration after you establish the trust.
Before establishing a trust, consider the following requirements for establishing a trust between IdM and Active Directory domains.
IdM and Active Directory must have their clocks synced. Kerberos requires that system times are within five minutes of each other.
IdM must have the IPv6 protocol enabled in the kernel. If IPv6 is disabled, the connectionless LDAP (CLDAP) plug-in used by the IdM services fails to initialize. IPv6 does not need to be used for communication.
The Active Directory forest and domain functional levels must be in the range of Windows Server 2012 to Windows Server 2016.
Kerberos realm names must be the same as the primary DNS domain names, with all letters uppercase. For example, if the domain names are
ad.example.comandidm.example.com, the Kerberos realm names must beAD.EXAMPLE.COMandIDM.EXAMPLE.COM.The IdM domain and Active Directory domain must have different NetBIOS names.
The following ports must be open in the Active Directory firewall for accessing services in IdM and Active Directory servers.
Service Port Protocol Microsoft RPC Endpoint Mapper 135 TCP NetBIOS-DGM 138 TCP and UDP NetBIOS-SSN 139 TCP and UDP Microsoft-DS 445 TCP and UDP Dynamic RPC 49152-65535 TCP AD Global Catalog 3268 TCP LDAP 389 TCP and UDP In IdM, ensure that the
FreeIPA trust setup,FreeIPA with LDAP,Kerberos, andDNSservices are open in the firewall.All DNS records must be resolvable from all DNS domains in the trust. Each system must have its own unique primary DNS domain configured, such as
ad.example.comfor the Active Directory domain andidm.example.comfor the IdM domain.Important
IdM and Active Directory cannot share the primary DNS domain with another system for identity management.
Before you establish a trust, you can verify the DNS configuration by resolving the domain services.
If your environment does not use DNSSEC, you can disable it in IdM to prevent communication errors.
Edit the /etc/named/ipa-options-ext.conf file and update the dnssec-enable and dnssec-validation directives.
Restart the named service after you apply the changes:
[root@host ~]#cat /etc/named/ipa-options-ext.conf...output omitted... dnssec-enable no; dnssec-validation no; [root@host ~]#systemctl restart named.service
In the following examples, you test different services such as Kerberos and LDAP and the IdM realm name:
[user@host ~]$dig +short -t SRV _kerberos._udp.example.com0 100 88 idm.example.com. [user@host ~]$dig +short -t SRV _ldap._tcp.idm.example.com0 100 389 idm.example.com. [user@host ~]$dig +short -t TXT _kerberos.idm.example.com."EXAMPLE.COM"
In the following examples, you test the resolution of domain controllers and service records in Active Directory:
[user@host ~]$dig +short -t SRV _kerberos._udp.dc._msdcs.idm.example.com.0 100 88 idm.example.com. [user@host ~]$dig +short -t SRV _ldap._tcp.dc._msdcs.idm.example.com.0 100 389 idm.example.com. [user@host ~]$dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.0 100 88 ad.example.com. [user@host ~]$dig +short -t SRV _ldap._tcp.dc._msdcs.ad.example.com.0 100 389 ad.example.com.
Install the ipa-server-trust-ad package and run the ipa-adtrust-install utility.
This utility adds DNS service records required for Active Directory trusts.
These records are created automatically if IdM is installed with an integrated DNS server.
If IdM is not installed with an integrated DNS server, the ipa-adtrust-install command prints a list of service records that must be manually added to DNS before proceeding with establishing the trust:
[root@host ~]#dnf install ipa-server ipa-server-trust-ad samba-client...output omitted... [root@host ~]#ipa-adtrust-install
Use the ipa trust-add command to create a trust agreement.
The command sets up a one-way trust by default.
To establish a two-way trust, use the --two-way=true option:
[user@host ~]$ipa trust-addexample.com\--type=ad \--admin=administrator\--password
The following procedure describes the necessary steps for verifying the Kerberos configuration upon establishing a trust agreement.
To verify the Kerberos configuration, retrieve a ticket for an AD user. To verify a two-way trust, request a ticket for an IdM user, and then request a service ticket for a service in the Active Directory domain.
[user@host ~]$kinit[user@host ~]$userkvno -S host idm.example.com[user@host ~]$kvno -S cifs ad.example.com
If successfully granted, a cross-realm ticket-granting ticket (TGT) is listed with all other requested tickets.
The TGT name uses the krbtgt/ format.AD.DOMAIN@IDM.DOMAIN
To verify a one-way trust, request a ticket for an Active Directory user, and then request a service ticket for a service within the IdM domain.
[user@host ~]$kinit user@ad.example.com[user@host ~]$kvno -S host idm.example.com
If granted, a cross-realm Ticket-granting Ticket (TGT) is listed with all other requested tickets.
The TGT is called krbtgt/.IDM.DOMAIN@AD.DOMAIN
Then, log in to a client as an Active Directory user:
[user@host ~]$ ssh ad_user@ad.example.com@client.example.comYou can also verify the Active Directory trust agreements in the web UI.
Log in to the Active Directory server as the administrator user and access the Active Directory Domains and Trusts tool from the dashboard.
Review the trust type for the domain.
Ensure that the trust type reads Forest and that the direction of the trust is set to Incoming.
Shared secrets are passwords known to trusted peers, and which can be used by other domains to join the trust. Using a shared secret, you can configure a two-way trust within Active Directory. The shared secret is stored as a Trusted Domain Object (TDO) within the trust configuration.
IdM supports creating a two-way trust using a shared secret instead of the Active Directory administrator credentials. Setting up such a trust requires the administrator to create the shared secret in Active Directory and manually validate the trust.
Note
Shared secrets can only be used to create a two-way trust. To establish a one-way trust, use administrator credentials.
To configure a trust in the Active Directory Domains and Trusts console with a shared secret, use the following procedure:
Create a new trust.
Give the trust the IdM domain name with a forest type of trust.
Specify that this is a two-way trust and a forest-wide authentication.
Set the trust password. Use the same password when configuring the trust in IdM.
Then you can create a trust agreement.
When running the ipa trust-add command, use the --type, --trust-secret, and --two-way=True options, and omit the --admin option.
On the IdM server, ensure that the trust relationship is established by running the ipa trust-show command.
Note
Use the ipa trust-fetch-domains to ensure that you can obtain a Common Internet File System (CIFS) Ticket-granting Ticket before running the domainipa trust-show command.
References
For more information, refer to the Planning Integration with AD chapter at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/planning_identity_management/planning-integration-with-ad_planning-identity-management
For more information, refer to the Installing Trust Between IdM and AD guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/installing_trust_between_idm_and_ad/index
