This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.



  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install required packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Log in as admin
    • 4.6 Make sure IPA users are available to the system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is a subdomain of IPA
      • 5.3.3 If IPA is a subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from the AD domain to protected resources
      • 6.3.1 Create external and POSIX groups for trusted domain users
      • 6.3.2 Add trusted domain users to the external group
      • 6.3.3 Add the external group to the POSIX group
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging instructions
    • 8.2 Problems caused by an exhausted DNA range on a replica


Description

This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.

Prerequisites

  • FreeIPA 3.3.3 or later is recommended
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you need to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same local port range. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires the IPv6 stack to be enabled on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack, which breaks this requirement.

Adding ipv6.disable_ipv6=1 instead keeps the IPv6 stack functional but does not assign IPv6 addresses to any of the network devices. This is the recommended approach for cases where you do not use IPv6 networking.

Creating, for example, /etc/sysctl.d/ipv6.conf and adding a per-interface disable_ipv6 setting to it prevents assigning IPv6 addresses to one specific network interface only, where interface0 in the setting name stands for the specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level; this has been the recommended way to develop networking applications for a long time already.
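Because the distinction above (stack disabled versus only address assignment disabled) decides whether Samba, and therefore the trust setup, will work, here is an added shell check that is not part of the FreeIPA page. It classifies a host from the contents of /proc/cmdline and /proc/sys/net/ipv6/conf/all/disable_ipv6; the function names ipv6_stack_state, per_interface_sysctl_line and check_this_host are my own, and the per-interface key used is the standard net.ipv6.conf.<iface>.disable_ipv6 sysctl.

```shell
#!/bin/sh
# Added example (not from the FreeIPA page): classify the IPv6 configuration of a
# host the way the trust prerequisite requires it. Samba needs the IPv6 *stack*
# enabled; not assigning IPv6 addresses is acceptable.
#
# ipv6_stack_state CMDLINE DISABLE_IPV6
#   CMDLINE      - contents of /proc/cmdline
#   DISABLE_IPV6 - contents of /proc/sys/net/ipv6/conf/all/disable_ipv6 (0 or 1),
#                  or the word "missing" when that file does not exist
# Prints one of: stack-disabled, addresses-disabled, enabled.
# Returns 1 for stack-disabled (trust setup will fail), 0 otherwise.
ipv6_stack_state() {
    cmdline=$1
    disable_ipv6=$2
    case " $cmdline " in
        *" ipv6.disable=1 "*) echo stack-disabled; return 1 ;;
    esac
    if [ "$disable_ipv6" = "missing" ]; then
        # No /proc/sys/net/ipv6 tree means the stack is not loaded at all
        echo stack-disabled; return 1
    fi
    if [ "$disable_ipv6" = "1" ]; then
        echo addresses-disabled; return 0
    fi
    echo enabled; return 0
}

# Sysctl line that keeps the stack up but stops address assignment on one
# interface, suitable for /etc/sysctl.d/ipv6.conf. $1 is the interface name
# (the page's "interface0" placeholder).
per_interface_sysctl_line() {
    echo "net.ipv6.conf.$1.disable_ipv6 = 1"
}

# Convenience wrapper that reads the live kernel state of this host.
check_this_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    if [ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ]; then
        d=$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)
    else
        d=missing
    fi
    ipv6_stack_state "$cmdline" "$d"
}
```

Run `check_this_host` on the prospective IPA server before `ipa-server-install`; anything other than "enabled" or "addresses-disabled" means Samba will not be able to listen.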

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were added with forest functional level Windows Server 2003, there are additional requirements imposed by the use of AES encryption types, which require domain functional level Windows Server 2008. It is possible to establish a trust between a FreeIPA server and Windows Server 2003 R2, with limited functionality and only the RC4 and DES encryption types. The next paragraph describes the steps needed to do this. Please note, however, that this is unsupported, very experimental and of really limited value, because the weak encryption types used for the trusted domain objects can be cracked quite easily with recent advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click on the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing a trust with the 'ipa trust-add' command. All the rest of the setup is the same as for Windows Server 2008 R2.