This page describes how to set up and configure cross-forest trust between an IPA domain and an AD (Active Directory) domain.



  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install required packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Login as admin
    • 4.6 Make sure IPA users are available to the operating system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is subdomain of IPA
      • 5.3.3 If IPA is subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from AD domain to protected resources
      • 6.3.1 Create external and POSIX groups for trusted domain users
      • 6.3.2 Add trusted domain users to the external group
      • 6.3.3 Add external group to POSIX group
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging instructions
    • 8.2 Issues caused by exhausted DNA range on replica


Description

This page describes how to set up and configure cross-forest trust between an IPA domain and an AD (Active Directory) domain.


Prerequisites

  • FreeIPA 3.3.3 or later is recommended
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same port range locally. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires an enabled IPv6 stack on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack.

Adding ipv6.disable_ipv6=1 keeps the IPv6 stack functional but does not assign IPv6 addresses to any of your network devices. This is the recommended approach for cases when you do not use IPv6 networking.

Creating, for example, /etc/sysctl.d/ipv6.conf and adding the per-interface setting to it prevents assigning IPv6 addresses to one specific network interface only,

where interface0 is the specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level, and this has been the recommended way to develop networking applications for a long time.
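As an added example that is not part of the FreeIPA page, the following POSIX shell script distinguishes the three IPv6 configurations described above (stack disabled, stack enabled without addresses, stack fully enabled), emits the per-interface sysctl line, and can check the host it runs on before FreeIPA and Samba are installed. The function names `ipv6_state`, `ipv6_sysctl_line` and `check_this_host` are chosen here; the key `net.ipv6.conf.<iface>.disable_ipv6` is the standard per-interface kernel sysctl and is assumed to be what the page's /etc/sysctl.d/ipv6.conf entry sets.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA page: classify a host's IPv6 configuration
# into the three cases the prerequisites describe. Function names are chosen here.
#
# Inputs: the kernel command line (contents of /proc/cmdline) and the value of
# net.ipv6.conf.all.disable_ipv6 (0 or 1). Prints exactly one of:
#   stack-disabled              ipv6.disable=1: no IPv6 stack, Samba cannot start
#   stack-enabled-no-addresses  stack present, no addresses assigned: fine for trusts
#   stack-enabled               stack present with IPv6 addresses: fine for trusts
ipv6_state() {
    # Pad with spaces and flatten newlines so each parameter can be matched whole.
    cmdline=$(printf ' %s ' "$1" | tr '\n' ' ')
    all_disable_ipv6="$2"
    case "$cmdline" in
        *" ipv6.disable=1 "*)       echo "stack-disabled"; return 0 ;;
        *" ipv6.disable_ipv6=1 "*)  echo "stack-enabled-no-addresses"; return 0 ;;
    esac
    if [ "$all_disable_ipv6" = "1" ]; then
        echo "stack-enabled-no-addresses"
    else
        echo "stack-enabled"
    fi
}

# The sysctl.d line that stops address assignment on one interface only.
# net.ipv6.conf.<iface>.disable_ipv6 is the standard per-interface kernel sysctl;
# assumed here to be what the page's /etc/sysctl.d/ipv6.conf entry sets.
ipv6_sysctl_line() {
    printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$1"
}

# Live check of the current host. When the stack is disabled at the kernel level,
# /proc/sys/net/ipv6 does not exist at all, which is the quickest thing to test.
check_this_host() {
    if [ ! -d /proc/sys/net/ipv6 ]; then
        echo "IPv6 stack is disabled at the kernel level (ipv6.disable=1?); enable it before installing FreeIPA" >&2
        return 1
    fi
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    all=$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null || echo 0)
    state=$(ipv6_state "$cmdline" "$all")
    echo "IPv6 state: $state"
    [ "$state" != "stack-disabled" ]
}

# Run the live check only when invoked as: sh ipv6-check.sh --check
if [ "${1-}" = "--check" ]; then
    check_this_host
fi
```

Run it with `--check` on the prospective IPA server: an exit status of 1 means the kernel was booted with the whole stack off and Samba will not be able to listen, while either of the "stack-enabled" states satisfies the prerequisite even when no IPv6 addresses are in use.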

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were added in forest functional level Windows Server 2003, there are additional requirements imposed by the use of AES encryption types, which require domain functional level Windows Server 2008. It is possible to establish a trust between a FreeIPA server and Windows Server 2003 R2, with limited functionality using only the RC4 and DES encryption types. The next paragraph describes the steps required to achieve this. Please note, however, that this is unsupported, highly experimental and of very limited value because of the weak encryption types for trusted domain objects, which can be cracked relatively easily with current advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing a trust with the 'ipa trust-add' command. All other setup is the same as for Windows Server 2008 R2.