FreeIPA / ADS Users & Password Sync Document

IPA Server (ipaserver.gai.local): 10.1.5.159, DNS1: 10.1.5.159, CentOS 6
ADS Server (ad1.gai.local): 10.1.5.158, DNS: 127.0.0.1, Windows 2008 R2
Step 1# Install IPA Server
- # ipa-server-install
- Enter the hostname. This is determined automatically using
 reverse DNS. 
 
 Server host name [ipaserver.gai.local]:
 
- Enter the domain name. This is determined automatically
 based on the hostname. 
 
 Please confirm the domain name [gai.local]:
 
- The script then reprints the hostname, IP address, and
 domain name. 
 
 The IPA Master Server will be configured with
 Hostname: ipaserver.gai.local
 IP address: 10.1.5.159
 Domain name: gai.local
 
- Enter the new Kerberos realm name. This is usually the domain name
 in upper case, which is what the installer proposes. 
 
 Please provide a realm name [GAI.LOCAL]:
 
- Enter the password for the Directory Server superuser,
 cn=Directory Manager. There are password strength requirements for this password, including a minimum password length.
 Directory Manager password:
 Password (confirm):
 
- Enter the password for the FreeIPA system user account,
 admin. This user is created on the machine.
 IPA admin password:
 Password (confirm):
 
- After that, the script configures all of the associated
 services for FreeIPA, with task counts and progress bars. 
 
 Configuring ntpd
 [1/4]: stopping ntpd
 ...
 done configuring ntpd.
 Configuring directory server for the CA: Estimated time 30 seconds
 [1/3]: creating directory server user
 ...
 done configuring pkids.
 Configuring certificate server: Estimated time 6 minutes
 [1/17]: creating certificate server user
 ....
 done configuring pki-cad.
 Configuring directory server: Estimated time 1 minute
 [1/32]: creating directory server user
 ...
 done configuring dirsrv.
 Configuring Kerberos KDC: Estimated time 30 seconds
 [1/14]: setting KDC account password
 ...
 done configuring krb5kdc.
 Configuring ipa_kpasswd
 [1/2]: starting ipa_kpasswd
 [2/2]: configuring ipa_kpasswd to start on boot
 done configuring ipa_kpasswd.
 Configuring the web interface: Estimated time 1 minute
 [1/12]: disabling mod_ssl in httpd
 ...
 done configuring httpd.
 Setting the certificate subject base
 restarting certificate server
 Applying LDAP updates
 Restarting the directory server
 Restarting the KDC
 Restarting the web server
 Sample zone file for bind has been created in /tmp/sample.zone.ygzij5.db
 ==============================================================================
 Setup complete
 
- Restart the SSH service so that it picks up the host's Kerberos principal and the refreshed Name Service Switch (NSS) configuration:
 # service sshd restart
 
- Authenticate to the Kerberos realm using the admin user's
 credentials to ensure that the user is properly configured and the
 Kerberos realm is accessible. 
 
 # kinit admin
 Password for admin@GAI.LOCAL:
 
- Test the FreeIPA configuration by running a command like
 ipa user-find. For example:
 # ipa user-find admin
 --------------
 1 user matched
 --------------
 User login: admin
 Last name: Administrator
 Home directory: /home/admin
 Login shell: /bin/bash
 Account disabled: False
 Member of groups: admins
 ----------------------------
 Number of entries returned 1
 ----------------------------
 
Step 2# Install ADS Server
Hostname: ad1.gai.local
IP: 10.1.5.158 (the IP should be static)
Domain Name: gai.local
Step 2.1# ADS Installation
Start --> Server Manager --> Roles --> Add Roles --> Select Active Directory Domain Services --> Next --> Next (Intro for ADS) --> Install
Step 2.2# Reboot
Reboot the server after the installation.
Step 2.3# ADS configuration
Start --> dcpromo.exe --> Enter --> Next (Welcome ADS Wizard) --> Next (OS compatibility) --> Select Create a new domain in a new forest --> Next --> Enter domain as "gai.local" --> Next --> Select Forest functional level as "Windows Server 2008" --> Next --> Tick DNS Server --> Next --> A DNS delegation prompt will appear, click YES --> Next (default C:\Windows\ locations for database, log files and SYSVOL) --> Enter the Directory Services Restore Mode (DSRM) administrator password --> Next --> Next (Summary)
Step 2.4# Reboot
Reboot the server after the dcpromo configuration.
Step 2.5# Creating CA Certificate for ADS
Start --> Server Manager --> Roles --> Add Roles --> Active Directory Certificate Services --> Next --> Next --> Select Certification Authority --> Next --> Select Enterprise --> Next --> Select Root CA --> Next --> Create a new private key --> Next (algorithm selection) --> Validity 10 Years --> Next --> Next --> Install
Step 2.6# Reboot
Reboot the server after the AD CS installation.
Step 2.7# Export ADS CA
Start --> Certification Authority --> Select the AD1.gai.local CA --> Right Click --> Properties --> View Certificate --> Details --> Copy to File --> Next (Export Wizard) --> Select Base-64 encoded X.509 (.CER) --> Next --> Browse (give any file location with file name, example: c:\temp\ADCA) --> Next --> Save
The export must be Base-64 (PEM), not DER encoded binary: the OpenLDAP TLS_CACERTDIR on the IPA side only reads PEM files.
Step 2.8# Install the IPA (.crt) Certificate in ADS
Copy IPA:/etc/ipa/ca.crt to ADS:c:\tmp\
Go to ADS:c:\tmp\, right click on ca.crt --> Install Certificate --> Next --> Select Place all certificates in the following store --> Browse --> Select Trusted Root Certification Authorities --> OK --> Next --> Finish --> Yes --> OK (Import was successful)
Step 2.9# Transfer AD CA to IPA
Copy ADS:c:\temp\ADCA.cer to IPA:/etc/openldap/cacerts (mkdir /etc/openldap/cacerts if it does not exist)
Copy IPA:/etc/ipa/ca.crt to IPA:/etc/openldap/cacerts
# cacertdir_rehash /etc/openldap/cacerts
# vim /etc/openldap/ldap.conf
Add the lines below:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
Note that TLS_REQCERT allow tells the OpenLDAP client to carry on even when the server certificate is missing or fails verification, which defeats the point of installing the AD CA. Once the CA is in the cacerts directory the TLS check in the next steps should pass with the default TLS_REQCERT demand; use allow only to narrow down a certificate problem, and set it back to demand afterwards.
Step 2.10# DNS Resolve
From ADS# ping ipaserver.gai.local should ping successfully (10.1.5.159)
From ADS# ping ad1.gai.local should ping successfully (10.1.5.158)
From IPA# ping ipaserver.gai.local should ping successfully (10.1.5.159)
From IPA# ping ad1.gai.local should ping successfully (10.1.5.158)
Each side must resolve the other's name, not just reach its address; if a ping by name fails but a ping by IP works, check the lookup with nslookup (ADS) or host/dig (IPA).
Step 2.11# Search ADS LDAP users from IPA (to confirm the connection from IPA to ADS)
ldapsearch -x -D "cn=administrator,cn=users,dc=gai,dc=local" -h ad1.gai.local -W -b dc=gai,dc=local
Enter LDAP Password: (enter the ADS administrator password)
# Connection check via TLS (-ZZ)
ldapsearch -x -D "cn=administrator,cn=users,dc=gai,dc=local" -h ad1.gai.local -W -b dc=gai,dc=local -ZZ
Enter LDAP Password: (enter the ADS administrator password)
The first search sends the simple bind password in clear text on port 389, so it only proves plain LDAP reachability. The -ZZ form forces STARTTLS and fails if TLS cannot be negotiated; it is the one that proves the AD server certificate chains to the CA installed in the previous step, which the winsync agreement in Step 4 also needs.
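The IPA-side part of Steps 2.9 and 2.11, as an added example that is not part of the original document: a script that does what cacertdir_rehash does with plain openssl (so the hash links can be seen and checked), converts an ADCA.cer that was accidentally exported as DER to PEM, and then binds to AD over STARTTLS with certificate verification forced to demand and the password kept off the command line. The host, DNs and directory are the lab values from this document; the function names are mine.

```shell
#!/bin/bash
# Added example, not part of the original document. Assumes the lab values
# above: AD at ad1.gai.local, CA files under /etc/openldap/cacerts.
set -u

# The AD "Copy to File" wizard can also write DER; OpenLDAP's TLS_CACERTDIR
# only reads PEM. Convert a DER file to PEM in place (the DER copy is replaced).
# Returns 0 if the file is PEM afterwards, 1 if it is not a certificate at all.
ensure_pem() {
    local f=$1
    if openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        return 0
    fi
    if openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        openssl x509 -in "$f" -inform DER -out "$f.tmp" && mv "$f.tmp" "$f"
        return $?
    fi
    return 1
}

# Create the <subject_hash>.N symlinks that OpenLDAP expects in a
# TLS_CACERTDIR, the same layout cacertdir_rehash produces. Regular files that
# are not X.509 certificates (a stray private key, for instance) are skipped.
rehash_cacerts() {
    local dir=$1 f h n
    [ -d "$dir" ] || return 1
    # drop links from a previous run so numbering starts at .0 again
    find "$dir" -maxdepth 1 -type l -name '????????.[0-9]*' -delete
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        ensure_pem "$f" || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$dir/$h.$n"
    done
    return 0
}

# STARTTLS bind to AD with verification forced to "demand" (overriding the
# "allow" in ldap.conf), so a wrong or missing CA fails loudly. The bind
# password comes from $LDAP_BINDPW and is handed over through a 0600 temp file
# (-y) instead of -w, so it never shows up in ps or in the shell history.
check_ad_ldap_tls() {
    local host=$1 binddn=$2 base=$3 cadir=$4 pwfile rc
    : "${LDAP_BINDPW:?set LDAP_BINDPW to the bind password}"
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile"
    printf '%s' "$LDAP_BINDPW" > "$pwfile"   # -y wants no trailing newline
    LDAPTLS_CACERTDIR="$cadir" LDAPTLS_REQCERT=demand \
        ldapsearch -x -ZZ -H "ldap://$host" -D "$binddn" -y "$pwfile" \
                   -b "$base" -s base '(objectClass=*)' dn
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Stand-alone use on the IPA server:  LDAP_BINDPW='...' ./check_ad_tls.sh --run
if [ "${1:-}" = "--run" ]; then
    rehash_cacerts /etc/openldap/cacerts || exit 1
    check_ad_ldap_tls ad1.gai.local \
        "cn=administrator,cn=users,dc=gai,dc=local" \
        dc=gai,dc=local /etc/openldap/cacerts
fi
```

If the -ZZ bind fails only with LDAPTLS_REQCERT=demand, the AD certificate does not chain to anything in the directory (wrong export format, missing hash link, or a CA that is not the one AD1 actually uses); that is exactly the case the document's TLS_REQCERT allow would have hidden.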
Step 3# Creating Users in ADS before sync
ADS: Go to Active Directory Users & Computers --> Go to Users --> Right click --> New --> User --> Create the user here. (Please note that both First Name and Last Name must be entered: IPA requires both (they map to givenName and sn), so AD users without them are not synced.)
Step 4# Start Replication between IPA & AD
# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=gai,dc=local --bindpw Desk13@ga! --passsync secretpwd --cacert /etc/openldap/cacerts/ADCA.cer ad1.gai.local -v
Result:
Added CA certificate /etc/openldap/cacerts/ADCA.cer to certificate database for ipaserver.gai.local
ipa: INFO: AD Suffix is: DC=gai,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=gai,dc=local
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipaserver.gai.local' to 'ad1.gai.local'
Note: keep the --passsync password and the PassSync user DN (uid=passsync,cn=sysaccounts,cn=etc,dc=gai,dc=local) printed above; both are needed for the Password Sync setup in ADS (Step 6.1).
Two things to be aware of: the AD bind password and the PassSync password are given on the command line, so they end up in the shell history and are visible in ps while the command runs (remove the history entry afterwards, or type the command with a leading space under HISTCONTROL=ignorespace). And the agreement binds as the domain Administrator; a dedicated AD account that can read the users container and holds the "Replicating Directory Changes" right on the domain (winsync pulls changes with the DirSync control, which needs it) is the least-privilege choice.
Step 5# Check that the ADS user created above was replicated to IPA
# ipa user-show <username created above>
# ipa-replica-manage list ipaserver.gai.local
The second command should list ad1.gai.local as a winsync agreement.
Step 6# Trust the IPA ca.crt certificate in the ADS Password Sync service
This certutil.exe is the NSS one shipped with PassSync, not the Windows certutil.exe, so run it from the PassSync directory, which only exists after the installer in Step 6.1 has run; restart the service (or reboot, Step 6.2) afterwards.
Start --> cmd --> Open as administrator
Go to the location: cd "C:\Program Files\Red Hat Directory Password Synchronization\"
C:\Program Files\Red Hat Directory Password Synchronization> certutil.exe -A -d . -i "c:\tmp\ca.crt" -n "IPA CA" -t CT,,
To list the certificates: certutil.exe -L -d .
PassSync log file: C:\Program Files\Red Hat Directory Password Synchronization\Passsync.txt
Step 6.1# Install RedHat-PassSync-1.1.5-x86_64.msi in ADS and start the Password Sync Service
Install RedHat-PassSync-1.1.5-x86_64.msi and fill in:
1. Host Name: the IPA server hostname (ipaserver.gai.local)
2. Port: 636
3. User Name: the PassSync user DN from the ipa-replica-manage output (uid=passsync,cn=sysaccounts,cn=etc,dc=gai,dc=local), pasted exactly as printed
4. Password: the --passsync password given to ipa-replica-manage above (secretpwd)
5. Cert Token: leave blank
6. Search Base: cn=users,cn=accounts,dc=gai,dc=local
Step 6.2 # Reboot the ADS Server
Step 7# Reset the Password in ADS and check it via login on an IPA client
Configure the IPA client on one Linux machine and log in with the IPA username/password, then change the password for the same user in ADS, then log in to the IPA client again with the new password.
PassSync only captures password changes made while its service is running and does not copy existing AD passwords, so a synced user has no usable password in IPA until the first change in ADS is captured (or an admin sets one in IPA). Each captured change is recorded in the PassSync log file on ADS, which is the first place to look if the new password is not accepted.

