This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.

By: superadmin



  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install required packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Login as admin
    • 4.6 Make sure IPA users are visible to the system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is a subdomain of IPA
      • 5.3.3 If IPA is a subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with AD domain
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from the AD domain to protected resources
      • 6.3.1 Create external and POSIX groups for trusted domain users
      • 6.3.2 Add trusted domain users to the external group
      • 6.3.3 Add the external group to the POSIX group
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging tips
    • 8.2 Failures due to exhausted DNA range on a replica


Description

This page explains how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.


Prerequisites

  • FreeIPA 3.3.3 or later is recommended
  • Windows Server 2008 R2 or later with a configured AD DC and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article Setting up Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same port range locally. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires the IPv6 stack to be enabled on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack. With it in place, Samba cannot bind its listening sockets and the trust will not work.

Adding ipv6.disable_ipv6=1 instead keeps the IPv6 stack functional but does not assign IPv6 addresses to any of the network devices. This is the recommended approach for cases where you do not use IPv6 networking.

Creating and populating, for example, /etc/sysctl.d/ipv6.conf with a net.ipv6.conf disable_ipv6 entry for interface0 will avoid assigning IPv6 addresses to that one network interface, where interface0 is the interface in question.

Note that all we require is that the IPv6 stack is enabled at the kernel level, which has been the recommended way to build networking applications for a long time.
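The distinction above (stack removed entirely versus stack present but assigning no addresses) is easy to get wrong when scripting a pre-flight check, because `ipv6.disable_ipv6=1` contains `ipv6.disable` as a substring. The following shell snippet is an added example, not code from the FreeIPA wiki or project: it classifies a kernel command line token by token, offers a live variant for the running host, and prints the per-interface sysctl fragment the text describes. The command lines it is exercised with are constructed samples, and `eth0` is just an assumed interface name.

```shell
#!/bin/sh
# Added example for this page (not code from the FreeIPA wiki). It checks the
# two states the text distinguishes: the IPv6 stack removed entirely
# (ipv6.disable=1, which breaks Samba and therefore trusts) versus the stack
# present but assigning no addresses (ipv6.disable_ipv6=1, which is fine).
# The kernel command lines below are constructed samples; on a live host pass
# "$(cat /proc/cmdline)" instead.

# ipv6_stack_enabled CMDLINE
# Returns 0 if CMDLINE does not disable the IPv6 stack, 1 if it does.
# Tokens are compared whole so that ipv6.disable_ipv6=1 (a different parameter
# that merely stops address assignment) is not mistaken for ipv6.disable=1.
ipv6_stack_enabled() {
    for tok in $1; do
        case $tok in
            ipv6.disable=1) return 1 ;;
        esac
    done
    return 0
}

# ipv6_stack_enabled_on_this_host
# Live variant: the stack is usable only if the sysctl tree exists and the
# boot parameters did not remove it.
ipv6_stack_enabled_on_this_host() {
    [ -d /proc/sys/net/ipv6 ] && ipv6_stack_enabled "$(cat /proc/cmdline)"
}

# ipv6_sysctl_fragment IFACE
# Prints the /etc/sysctl.d/ipv6.conf line that keeps the stack loaded but
# assigns no IPv6 address to IFACE (the page's "interface0").
ipv6_sysctl_fragment() {
    printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$1"
}

# Example run with a constructed command line (assumed interface name eth0):
if ipv6_stack_enabled "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ipv6.disable_ipv6=1 quiet"; then
    echo "IPv6 stack present; Samba can bind its IPv6 sockets"
fi
ipv6_sysctl_fragment eth0
```

Run `ipv6_stack_enabled_on_this_host` on the prospective IPA server before `ipa-server-install`; a failure there means the boot configuration, not FreeIPA, needs fixing first.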

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were added with the Windows Server 2003 forest functional level, there are additional requirements imposed by the use of AES encryption types, which need the Windows Server 2008 domain functional level. You can establish a trust between a FreeIPA server and Windows Server 2003 R2 with limited functionality, using only the RC4 and DES encryption types. The next paragraph describes the steps required to do so. Please note, however, that this is unsupported, highly experimental, and of very limited value, because the weak encryption types used for the trusted domain objects can be cracked fairly easily with current advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click the 'Active Directory Domains and Trusts' root in the left pane. Then choose 'Raise forest functional level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this action before establishing the trust with the 'ipa trust-add' command. The rest of the setup is the same as for Windows Server 2008 R2.
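Because the outcome depends on two separate levels (forest level for whether a cross-forest trust is possible at all, domain level for whether AES can be used), it helps to read both from the AD side before running `ipa trust-add`. An AD DC publishes them on its rootDSE as `forestFunctionality` and `domainFunctionality` (0 = Windows 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2, and so on). The shell snippet below is an added example, not code from the FreeIPA wiki or project: it parses rootDSE output in LDIF form and classifies the trust according to the rules stated in this section. The rootDSE texts are constructed samples; the `ldapsearch` invocation and the host name `ad-dc.example.test` in the comment are assumptions about how you would obtain the real output.

```shell
#!/bin/sh
# Added example, not from the FreeIPA wiki page. Classifies what a trust with a
# given AD forest can use, based on the forestFunctionality and
# domainFunctionality attributes an AD DC publishes on its rootDSE
# (0 = 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2, ...). The rootDSE texts below are
# constructed; on a real IPA server you would obtain them with something like
#   ldapsearch -x -H ldap://ad-dc.example.test -s base -b '' \
#       forestFunctionality domainFunctionality
# (hypothetical host name).

# rootdse_attr TEXT NAME -> prints the first value of attribute NAME in TEXT
rootdse_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# trust_capability TEXT -> prints one of:
#   aes      forest level >= 2003 and domain level >= 2008: supported trust
#   rc4-des  forest level >= 2003 but domain level < 2008: only RC4/DES,
#            the unsupported Windows Server 2003 R2 case from the text
#   none     forest level below 2003: cross-forest trusts not available,
#            raise the forest functional level first
trust_capability() {
    forest=$(rootdse_attr "$1" forestFunctionality)
    domain=$(rootdse_attr "$1" domainFunctionality)
    : "${forest:=0}" "${domain:=0}"
    if [ "$forest" -lt 2 ]; then
        echo none
    elif [ "$domain" -lt 3 ]; then
        echo rc4-des
    else
        echo aes
    fi
}

# Constructed rootDSE excerpts, one per scenario discussed in the text.
ROOTDSE_2008R2='dn:
forestFunctionality: 4
domainFunctionality: 4
domainControllerFunctionality: 4'

ROOTDSE_2003R2='dn:
forestFunctionality: 2
domainFunctionality: 2
domainControllerFunctionality: 2'

ROOTDSE_2000='dn:
forestFunctionality: 0
domainFunctionality: 0
domainControllerFunctionality: 0'

echo "2008 R2 forest: $(trust_capability "$ROOTDSE_2008R2")"
echo "2003 R2 forest: $(trust_capability "$ROOTDSE_2003R2")"
echo "2000 forest:    $(trust_capability "$ROOTDSE_2000")"
```

Only the `aes` result corresponds to a configuration this page supports; `rc4-des` is the experimental path described above and should be treated as a warning, not a green light.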
