Integrating Linux systems into Active Directory
See Dmitri Pal's talk at devconf.cz on the subject of Active Directory trusts. Using a FreeIPA trust with AD is sometimes codenamed "indirect integration with AD" because Linux systems talk mostly to FreeIPA instead of talking directly to AD.
It dives into the various options for integrating the classic POSIX and Active Directory worlds (slides), compares them, and explains the advantages and disadvantages of each.
The RHEL blog contains more guidance on when to use a FreeIPA trust with AD. Please note that FreeIPA is known under the name "IdM" in the RHEL world.
An Active Directory domain is a complex system. It includes a logically structured set of resources (machines, users, services, ...) which may belong to multiple DNS domains; multiple DNS domains can be part of the same AD domain. Multiple AD domains can be combined into a forest. The very first AD domain created in the forest is called the forest root domain. The primary DNS domain of an AD domain is used as the basis for its Kerberos realm.
An IPA domain is a similarly complex system. It includes a logically structured set of resources (machines, users, services, ...) which may belong to multiple DNS domains. Unlike Active Directory, there is a single IPA domain per deployment, and to Active Directory this single IPA domain looks like a separate Active Directory forest. Active Directory considers the DNS domain used as the basis for the IPA Kerberos realm to be the forest root domain of the IPA domain (just like the forest root domain of an Active Directory forest).
An IPA domain can be placed in any DNS domain which does not directly overlap with any domain in the Active Directory forest. It could be, for example, ipa.example.com, if this DNS zone is not occupied by any AD domain in the same forest. It could be ipa.ad.example.com too, and it could be ipa-example.com as well, as long as there are no overlaps at the same DNS zone level.
A trust between two Active Directory forests is always established as a trust between the forest root domains of those forests. If the IPA domain uses ipa.ad.example.com as its primary DNS zone, then we would be talking about establishing a forest trust between the Active Directory forest ad.example.com and the IPA domain ipa.ad.example.com. If multiple DNS zones belong to the IPA domain, it is recommended to place the appropriate service (SRV) and TXT records pointing to the primary IPA domain in each of them, so that IPA clients can properly discover network resources.
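As an added illustration (not part of the original page or of FreeIPA's own generated records) of what "appropriate service and TXT records" means for an additional zone, the following BIND-style zone fragment assumes a primary IPA domain ipa.example.com with realm IPA.EXAMPLE.COM, a single IPA server ipa1.ipa.example.com, and a second DNS zone labs.example.com that also belongs to the IPA domain. The records mirror the ones FreeIPA publishes in its primary zone, so clients in labs.example.com discover the same KDC and LDAP server; adjust the target host, realm and priorities to your deployment.

```zone
; Zone fragment for labs.example.com (constructed example, not a real deployment).
; All targets point at the IPA server in the primary IPA DNS domain so that
; ipa-client-install and SSSD in this zone find the same realm and servers.
$ORIGIN labs.example.com.

; Realm name for Kerberos client discovery (must match the IPA realm exactly)
_kerberos               IN TXT  "IPA.EXAMPLE.COM"

; Kerberos KDC (port 88) over TCP and UDP
_kerberos._tcp          IN SRV  0 100 88  ipa1.ipa.example.com.
_kerberos._udp          IN SRV  0 100 88  ipa1.ipa.example.com.

; Master KDC, used for password changes and freshness checks
_kerberos-master._tcp   IN SRV  0 100 88  ipa1.ipa.example.com.
_kerberos-master._udp   IN SRV  0 100 88  ipa1.ipa.example.com.

; kpasswd (port 464) for password changes
_kpasswd._tcp           IN SRV  0 100 464 ipa1.ipa.example.com.
_kpasswd._udp           IN SRV  0 100 464 ipa1.ipa.example.com.

; LDAP (port 389) used for IPA server discovery by clients
_ldap._tcp              IN SRV  0 100 389 ipa1.ipa.example.com.
```

With more than one IPA server, add one SRV record per server under each name; clients in this zone will then fail over between them just as clients in the primary zone do.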
We have improved the documentation about trusts to AD in Red Hat Enterprise Linux 7.2, and you can find comprehensive coverage of the feature in the corresponding chapter of the Windows Integration Guide.
- Introducing Active Directory Trust Feature
- Serving legacy clients for AD Trusts
- Using POSIX attributes defined in AD
- Configurable SID Blacklists
- trust-config command
- Global Catalog Support