This page describes how to set up and configure a cross-forest trust between an IPA domain and an AD (Active Directory) domain.


  • 1 Description
  • 2 Prerequisites
    • 2.1 IPv6 stack usage
    • 2.2 Trusts and Windows Server 2003 R2
  • 3 Assumptions
  • 4 Install and configure IPA server
    • 4.1 Make sure all packages are up to date
    • 4.2 Install required packages
    • 4.3 Configure host name
    • 4.4 Install IPA server
    • 4.5 Log in as admin
    • 4.6 Make sure IPA users are available to the operating system services
    • 4.7 Configure IPA server for cross-forest trusts
  • 5 Cross-forest trust checklist
    • 5.1 Date/time settings
    • 5.2 Firewall setup
      • 5.2.1 On AD DC
      • 5.2.2 On IPA server
        • Firewalld
        • iptables
    • 5.3 DNS setup
      • 5.3.1 Conditional DNS forwarders
      • 5.3.2 If AD is a subdomain of IPA
      • 5.3.3 If IPA is a subdomain of AD
      • 5.3.4 Verify DNS setup
  • 6 Establish and verify cross-forest trust
    • 6.1 Add trust with the AD domain
      • 6.1.1 When AD administrator credentials are available
      • 6.1.2 When AD administrator credentials are not available
    • 6.2 Edit /etc/krb5.conf
    • 6.3 Allow access for users from the AD domain to protected resources
  • 7 Test cross-forest trust
    • 7.1 Using SSH
    • 7.2 Using Samba shares
    • 7.3 Using Kerberized web applications
  • 8 Debugging trust
    • 8.1 General debugging tips
    • 8.2 Problems due to exhausted DNA range replication


Prerequisites

  • FreeIPA 3.3.3 or later is recommended
  • Windows Server 2008 R2 or later with a configured AD DC, and DNS installed locally on the DC

If you want to install and configure an AD DC for testing purposes, you can follow the article on setting up an Active Directory domain for testing purposes.

IPv6 stack usage

The recommended approach for modern networking applications is to open only IPv6 sockets for listening, because IPv4 and IPv6 share the same port range locally. FreeIPA uses Samba as part of its Active Directory integration, and Samba requires an enabled IPv6 stack on the machine.

Adding ipv6.disable=1 to the kernel command line disables the whole IPv6 stack.

Adding ipv6.disable_ipv6=1 keeps the IPv6 stack functional but does not assign IPv6 addresses to any of the network devices. This is the recommended approach for cases where you do not use IPv6 networking.

Creating, for example, /etc/sysctl.d/ipv6.conf and adding the corresponding per-interface setting to it will prevent IPv6 addresses from being assigned to one specific network interface,

where interface0 is that specific interface.

Note that all we require is that the IPv6 stack is enabled at the kernel level, and this has been the recommended way to develop networking applications for a long time.
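The three states described above (whole stack disabled, stack present but addresses suppressed, fully enabled) can be told apart from the kernel's sysctl tree. The following check script is an added example, not part of the FreeIPA page or project; it reads the real net.ipv6 sysctl files under /proc/sys/net/ipv6 (the root directory and interface name are parameters so it can be exercised against a constructed directory tree), and treats only the "stack-disabled" state as a failure for the Samba prerequisite.

```shell
#!/bin/sh
# Added example (not from the FreeIPA page): classify the IPv6 state of a host
# against the prerequisite that Samba needs an enabled IPv6 stack.
#
# Arguments:
#   $1  root of the IPv6 sysctl tree (default /proc/sys/net/ipv6); a
#       different path may be passed to run the check against a test tree
#   $2  interface to inspect (default "all")
# Prints one of: stack-disabled, addresses-disabled, enabled.
# Exit status 1 means the IPv6 stack is off (ipv6.disable=1 or no kernel
# support), which is the state Samba cannot work in.
ipv6_state() {
    root="${1:-/proc/sys/net/ipv6}"
    iface="${2:-all}"

    # With ipv6.disable=1 the kernel never registers the net.ipv6 sysctl
    # tree, so the absence of $root/conf identifies a disabled stack.
    if [ ! -d "$root/conf" ]; then
        echo "stack-disabled"
        return 1
    fi

    # Stack is present. net.ipv6.conf.<iface>.disable_ipv6=1 (set by
    # ipv6.disable_ipv6=1 on the command line or a sysctl.d entry) only
    # suppresses address assignment, which is acceptable for IPA.
    f="$root/conf/$iface/disable_ipv6"
    if [ -f "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo "addresses-disabled"
        return 0
    fi

    echo "enabled"
    return 0
}

# Run the check when invoked with arguments, e.g.:
#   sh ipv6_check.sh /proc/sys/net/ipv6 eth0
if [ $# -gt 0 ]; then
    ipv6_state "$@"
fi
```

On a real host, run it as `ipv6_state /proc/sys/net/ipv6 eth0` after sourcing the file; "addresses-disabled" or "enabled" both satisfy the Samba requirement, while "stack-disabled" means the kernel was booted with ipv6.disable=1 and the trust setup should not proceed until that is changed.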

Trusts and Windows Server 2003 R2

As noted above, the requirement for trusts is Windows Server 2008 R2. While cross-forest trusts were introduced with forest functional level Windows Server 2003, there are additional requirements imposed by the use of AES encryption types, which need domain functional level Windows Server 2008. It is possible to establish a trust between a FreeIPA server and Windows Server 2003 R2, with limited functionality using only the RC4 and DES encryption types. The next paragraph describes the steps required to do this. Please note, however, that this is unsupported, highly experimental and of very limited value because of the weak encryption types used for trusted domain objects, which can be cracked fairly easily with current advances in technology.

In order to establish a trust between a FreeIPA server and a Windows Server 2003 R2, you need to raise the forest functional level to Windows Server 2003. To do this, open the 'Active Directory Domains and Trusts' snap-in and right-click the 'Active Directory Domains and Trusts' root in the left pane. Then select 'Raise forest functional level...' and use 'Windows Server 2003' as the level to raise to.

Make sure you perform this step before establishing a trust with the 'ipa trust-add' command. The rest of the setup is the same as for Windows Server 2008 R2.