This page describes how to set up and configure a cross-forest trust between an IPA domain and an Active Directory (AD) domain.


  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install needed packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Login as admin
    • 4.6 Make sure IPA users are available to the system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA host
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is subdomain of IPA
      • 5.3.3 If IPA is subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from AD domain to protected resources
      • 6.3.1 Create external and POSIX groups for trusted domain users
      • 6.3.2 Add trusted domain users to the external group
      • 6.3.3 Add external group to POSIX group
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging directions
    • 8.2 Problems caused by exhausted DNA range on replica


Prerequisites

  • FreeIPA 3.3.3 or later is preferred
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same port range locally. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires an enabled IPv6 stack on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack.

Adding ipv6.disable_ipv6=1 keeps the IPv6 stack functional but does not assign IPv6 addresses to any of your network devices. This is the recommended approach for cases where you do not use IPv6 networking.

Creating /etc/sysctl.d/ipv6.conf and adding the entry net.ipv6.conf.interface0.disable_ipv6 = 1 to it will prevent IPv6 addresses from being assigned to a specific network interface,

where interface0 is that specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level, and this has been the recommended way to develop networking applications for a long time.
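A small pre-flight check for the IPv6 requirement described in this section, added here as an example (it is not from the FreeIPA wiki): it classifies the kernel command line, renders the per-interface sysctl entry, and verifies that the running kernel has the IPv6 stack loaded, which is what Samba needs. Function names and the sample command lines are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code. Function names are hypothetical.

# Classify a kernel command line (the contents of /proc/cmdline):
#   stack-disabled  ipv6.disable=1 present: whole stack off, Samba cannot work
#   no-addresses    ipv6.disable_ipv6=1 present: stack up, no addresses (fine)
#   enabled         neither parameter present
ipv6_cmdline_status() {
    status=enabled
    for word in $1; do
        case $word in
            ipv6.disable=1)      status=stack-disabled; break ;;
            ipv6.disable_ipv6=1) status=no-addresses ;;
        esac
    done
    echo "$status"
}

# Render the /etc/sysctl.d/ipv6.conf entry that stops address assignment on
# one interface while leaving the kernel stack enabled.
ipv6_sysctl_line() {
    printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$1"
}

# Return 0 when the running kernel has the IPv6 stack loaded, 1 otherwise.
# The /proc/sys/net/ipv6 directory only exists while the stack is active.
kernel_ipv6_stack_present() {
    [ -d /proc/sys/net/ipv6 ]
}

# Report for the live host; returns 1 if the stack is off at the kernel level.
preflight_report() {
    status=$(ipv6_cmdline_status "$(cat /proc/cmdline 2>/dev/null)")
    echo "kernel command line: $status"
    if ! kernel_ipv6_stack_present || [ "$status" = stack-disabled ]; then
        echo "ERROR: IPv6 stack disabled; drop ipv6.disable=1 (use ipv6.disable_ipv6=1 instead)" >&2
        return 1
    fi
    echo "OK: IPv6 stack enabled at kernel level"
}

# Run the live check only when invoked as: sh ipv6-preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight_report
fi
```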

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were added in forest functional level Windows Server 2003, there are additional requirements imposed by the use of AES encryption types, which need domain functional level Windows Server 2008. It is possible to set up a trust between a FreeIPA server and Windows Server 2003 R2 with limited functionality, using only the RC4 and DES encryption types. The next paragraph describes the steps required to do this. Please note, however, that this is unsupported, highly experimental and of very limited value because of the weak encryption types used for the trusted domain objects, which can be cracked fairly easily with recent advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise Forest Functional Level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing a trust with the 'ipa trust-add' command. The rest of the setup is the same as that for Windows Server 2008 R2.

