This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.

  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install required packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Login as admin
    • 4.6 Make sure IPA users are available to the operating system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is subdomain of IPA
      • 5.3.3 If IPA is subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from AD domain to protected resources
      • 6.3.1 Create external and POSIX groups for trusted domain users
      • 6.3.2 Add trusted domain users to the external group
      • 6.3.3 Add external group to POSIX group
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging instructions
    • 8.2 Problems due to exhausted DNA range replication


Description

This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.

Prerequisites

  • FreeIPA 3.3.3 or later is recommended
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same port range locally. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires the IPv6 stack to be enabled on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack.

Adding ipv6.disable_ipv6=1 keeps the IPv6 stack functional but will not assign IPv6 addresses to any of your network devices. This is the recommended approach for situations when you do not use IPv6 networking.

Creating a file such as /etc/sysctl.d/ipv6.conf and adding the per-interface disable setting to it will prevent assigning IPv6 addresses to a specific network interface:

Where interface0 is the specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level, and this has been the recommended way to develop networking applications for a long time already.
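As an added example (not part of the FreeIPA documentation), a small POSIX sh pre-flight check that encodes the distinction just made: ipv6.disable=1 removes the stack Samba needs, while ipv6.disable_ipv6=1 or a per-interface sysctl only withholds addresses. The script name ipv6-precheck.sh and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the Samba/IPA IPv6 requirement (added example, not
# FreeIPA's own tooling). Assumed to be saved as ipv6-precheck.sh.

# Classify a kernel command line string; prints one of:
#   stack-disabled  (ipv6.disable=1 present: Samba will not work)
#   no-addresses    (ipv6.disable_ipv6=1 present: stack loaded, fine for Samba)
#   enabled         (neither parameter present)
classify_ipv6_cmdline() {
    state=enabled
    for word in $1; do
        case "$word" in
            ipv6.disable=1)      state=stack-disabled ;;
            ipv6.disable_ipv6=1) [ "$state" = stack-disabled ] || state=no-addresses ;;
        esac
    done
    printf '%s\n' "$state"
}

# Return 0 when the command line leaves the IPv6 stack loaded, 1 otherwise.
ipv6_ok_for_samba() {
    [ "$(classify_ipv6_cmdline "$1")" != stack-disabled ]
}

# Emit the sysctl drop-in line that keeps the stack but stops address
# assignment on a single interface (the per-interface approach above).
ipv6_noaddr_sysctl_line() {
    printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$1"
}

# Live check of this host: reads /proc/cmdline and looks for the IPv6 sysctl tree.
check_this_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null) || { echo "cannot read /proc/cmdline" >&2; return 2; }
    if ! ipv6_ok_for_samba "$cmdline"; then
        echo "ipv6.disable=1 on kernel command line: Samba (and IPA trusts) will not work" >&2
        return 1
    fi
    if [ ! -d /proc/sys/net/ipv6 ]; then
        echo "no /proc/sys/net/ipv6: IPv6 stack is not loaded" >&2
        return 1
    fi
    echo "IPv6 stack present ($(classify_ipv6_cmdline "$cmdline")); trust setup can proceed"
}

# Run the live check only when executed directly as ipv6-precheck.sh.
case "${0##*/}" in ipv6-precheck.sh) check_this_host ;; esac
```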

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were introduced with forest functional level Windows Server 2003, there are additional requirements imposed by the use of AES encryption types, which need domain functional level Windows Server 2008. You can establish a trust between a FreeIPA server and Windows Server 2003 R2 with limited functionality, using only the RC4 and DES encryption types. The next paragraph describes the steps required to do this. Please note, however, that this is unsupported, highly experimental and of very limited value because of the weak encryption types used for the trusted domain objects, which can be cracked fairly easily with recent advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click the 'Active Directory Domains and Trusts' root in the left pane. Then choose 'Raise forest functional level...' and select 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing a trust with the 'ipa trust-add' command. The rest of the setup is the same as for Windows Server 2008 R2.