The FreeIPA Master Class - Part 8

Published March 10, 2025, 5:25 a.m. by dwest

Integrating FreeIPA with Active Directory


One of the most common questions people ask when first learning about FreeIPA is why they would ever need to integrate it with Active Directory. After all, both systems are directory services that manage users, groups, computers, and authentication. At first glance, they appear to solve the same problem.

In reality, most organizations do not have the luxury of choosing one or the other. Windows dominates the desktop world, while Linux powers a large percentage of servers, applications, containers, and cloud infrastructure. It is very common to find environments where Windows administrators manage users through Active Directory while Linux administrators manage servers through FreeIPA. Without some form of integration, users end up with separate accounts, separate passwords, and separate identities in each environment.

A trust relationship allows Active Directory and FreeIPA to share identity information without requiring administrators to duplicate users between systems. An employee can log into their Windows workstation using an Active Directory account and then use the same credentials to access Linux servers, Samba shares, web applications, and other services managed by FreeIPA. This reduces administrative overhead, improves security, and provides a better user experience.

Trusts are particularly useful during migrations. Many organizations begin with Active Directory and later introduce Linux systems that are better managed through FreeIPA. Others start with FreeIPA and later acquire another company that uses Active Directory. Rather than performing a disruptive migration, a trust relationship allows both environments to coexist while sharing authentication and authorization information.

In this section, we will explore how FreeIPA and Active Directory establish trust relationships, the different trust models that are available, and how to configure them in a production environment.

Trust Architectures


There are two common architectures for FreeIPA and Active Directory integration: a one-way trust (which can run in either direction) and a two-way trust. Below is a breakdown of how each works and when you would want to use it.

  • One-Way Trust (AD trusts FreeIPA)
    • Rare
    • AD users can access FreeIPA resources.
    • FreeIPA users cannot access AD resources.
    • Usually used during migrations.
  • One-Way Trust (FreeIPA trusts AD)
    • Most common
    • AD remains the authoritative identity source.
    • AD users can access Linux resources managed by FreeIPA.
    • No need to duplicate accounts.
    • Common in enterprises.
  • Two-Way Trust
    • More complex
    • Both domains trust each other
    • AD users can access FreeIPA resources
    • FreeIPA users can access AD resources
    • Requires more careful security planning
    • Usually seen in larger organizations or mergers

If you’re integrating FreeIPA with an existing Windows environment, you probably want a one-way trust where FreeIPA trusts Active Directory.

FreeIPA Requirements


Before creating a trust, make sure you have the ipa-adtrust-install package installed on all FreeIPA replicas. Newer versions of FreeIPA install it by default, but older installations might not have it.

Run the adtrust tool on just one of the FreeIPA masters, preferably the one that will handle the trust integration with Active Directory:

ipa-adtrust-install

This tool performs the following:

  • Configures Samba
  • Creates SID mappings
  • Enables trust services
  • Opens the required LDAP/Kerberos functionality

Verify that it initialized correctly:

ipa trustconfig-show

Creating a One-Way Trust to Active Directory


For this tutorial, we are just going to establish a one-way trust, where FreeIPA trusts Active Directory.

  1. Create an AD administrator account that can establish trusts. This part needs to be done within Active Directory on the Windows domain controller.
  2. Create the trust using that AD account (the --password flag tells the CLI to prompt for the password rather than taking it on the command line):
    ipa trust-add ad.example.com \
        --type=ad \
        --admin Administrator \
        --password
    
    You’ll be prompted for the AD administrator password.
  3. Verify the trust exists
    ipa trust-find
    
  4. Verify the trust details
    ipa trust-show ad.example.com
    
  5. Test it by doing an identity lookup
    id administrator@ad.example.com
    
    getent passwd administrator@ad.example.com
    

If those return user information, the trust is working.
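
The lookup above only proves the user resolves; a fuller check is that the POSIX IDs SSSD returns fall inside the ID range FreeIPA allocated for the trusted domain when the trust was created (visible with ipa idrange-find). The script below is an added example, not part of this tutorial or of FreeIPA itself; the sample passwd line and the range base of 1877800000 are constructed values, and ipabaseid / ipaidrangesize are the raw attribute names of that range.

```shell
#!/usr/bin/env bash
# Added example: check that a trusted AD user resolves and that its uid/gid
# fall inside the ID range FreeIPA allocated for the trusted domain.

# passwd_field <passwd-line> <n>: print the n-th colon-separated field.
passwd_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# id_in_range <id> <base> <size>: return 0 when id lies in [base, base+size).
id_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -lt $(( $2 + $3 )) ]
}

# verify_trust_user <user@domain> <base> <size> [passwd-line]
# base/size are the ipabaseid and ipaidrangesize values of the trust's ID
# range (from `ipa idrange-find --raw`); the passwd line is looked up with
# getent unless one is supplied, which lets the logic run without a trust.
verify_trust_user() {
  local principal=$1 base=$2 size=$3 line=${4:-} uid gid
  if [ -z "$line" ]; then
    line=$(getent passwd "$principal") || { echo "no entry for $principal"; return 1; }
  fi
  uid=$(passwd_field "$line" 3)
  gid=$(passwd_field "$line" 4)
  id_in_range "$uid" "$base" "$size" || { echo "uid $uid outside trust ID range"; return 2; }
  id_in_range "$gid" "$base" "$size" || { echo "gid $gid outside trust ID range"; return 3; }
  echo "ok: $principal uid=$uid gid=$gid"
}

# Constructed sample of what `getent passwd administrator@ad.example.com`
# returns when the trust range starts at 1877800000: IDs are base + RID, so
# Administrator (RID 500) and its primary group Domain Users (RID 513) map to
# 1877800500 and 1877800513.
SAMPLE_ENTRY='administrator@ad.example.com:*:1877800500:1877800513:Administrator:/home/ad.example.com/administrator:/bin/sh'

# Real run (base/size taken from `ipa idrange-find --raw`):
#   verify_trust_user administrator@ad.example.com 1877800000 200000
```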

Troubleshooting Trust Issues


Common problems include:

  • DNS Misconfiguration. Each domain must be able to resolve the other.
    • Test using:
      dig corp.example.com
      
  • Kerberos Issues. Make sure you hold a valid ticket.
    • Verify tickets:
      klist
      
  • Time Synchronization. Kerberos requires synchronized clocks.
    • Verify time status:
      timedatectl status
      
  • Firewall Restrictions. Ensure required ports are open between domains.
    • Common ports include:
      • 88 (Kerberos)
      • 389 (LDAP)
      • 445 (SMB)
      • 636 (LDAPS)
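
The checks in this list can be run in one pass before attempting ipa trust-add. The script below is an added example (not part of this tutorial or of FreeIPA): it checks the Kerberos SRV record for the AD domain, the clock-sync line from timedatectl status, the local ticket cache, and reachability of the four ports listed above. It assumes bash (for /dev/tcp), coreutils timeout and dig; dc1.ad.example.com is a placeholder for your domain controller.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a FreeIPA -> Active Directory trust,
# covering DNS, Kerberos ticket, clock synchronization and firewall ports.
# Usage: ./trust-preflight.sh ad.example.com dc1.ad.example.com

TRUST_PORTS="88 389 445 636"   # the ports named in the troubleshooting list

# Return 0 if the domain publishes a Kerberos SRV record; a missing record
# is the usual symptom of the DNS misconfiguration described above.
check_kdc_srv() {              # check_kdc_srv <domain>
  dig +short SRV "_kerberos._tcp.$1" 2>/dev/null | grep -q .
}

# Return 0 if `timedatectl status` reports a synchronized clock. The text can
# be passed in explicitly so the parsing can be exercised without systemd.
ntp_synced() {                 # ntp_synced [status-text]
  local text=${1:-$(timedatectl status 2>/dev/null)}
  printf '%s\n' "$text" | grep -q 'System clock synchronized: yes'
}

# Return 0 if a TCP connection to host:port opens within 3 seconds.
# Uses bash's /dev/tcp so no netcat is needed on a minimal server.
check_port() {                 # check_port <host> <port>
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

main() {                       # main <ad-domain> <domain-controller>
  local domain=$1 dc=$2 rc=0 p
  if check_kdc_srv "$domain"; then echo "ok   Kerberos SRV record for $domain"
  else echo "FAIL no _kerberos._tcp.$domain SRV record"; rc=1; fi
  if ntp_synced; then echo "ok   system clock synchronized"
  else echo "FAIL clock not synchronized (Kerberos tolerates 5 min of skew)"; rc=1; fi
  if klist -s 2>/dev/null; then echo "ok   valid Kerberos ticket in cache"
  else echo "WARN no valid ticket; kinit before running ipa trust-add"; fi
  for p in $TRUST_PORTS; do
    if check_port "$dc" "$p"; then echo "ok   $dc:$p reachable"
    else echo "FAIL $dc:$p unreachable from this host"; rc=1; fi
  done
  return "$rc"
}

# Only run the checks when both arguments are given, so the functions can
# also be sourced from another script.
if [ $# -eq 2 ]; then main "$@"; fi
```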

Why AD Integration Matters


Active Directory integration allows organizations to:

  • Maintain existing Windows infrastructure
  • Provide centralized authentication for Linux systems
  • Avoid duplicating user accounts
  • Enable single sign-on across platforms

FreeIPA effectively becomes the Linux identity provider within a broader enterprise identity architecture.

What’s Next?


In the next part of the FreeIPA Master Class, we will cover:

Troubleshooting FreeIPA

Topics will include:

  • Debugging authentication failures
  • Diagnosing Kerberos problems
  • Fixing replication issues
  • Recovering broken replicas
  • Common FreeIPA administrative pitfalls

Understanding how to troubleshoot FreeIPA is essential for maintaining a reliable identity infrastructure.
