Red Hat SummitChapter 7. Configuring DNS and realm settings for a trust
Before establishing a trust between Identity Management (IdM) and Active Directory (AD), you must ensure that both environments can mutually resolve domain names correctly.
To configure DNS resolution between an IdM server, using an integrated DNS server and a Certification Authority (CA), and an AD Domain Controller, perform the following tasks:
- Prepare the IdM environment: configure the necessary DNS zones and resource records.
- Enable cross-domain resolution: configure conditional DNS forwarding on the AD server to point to IdM.
- Validate connectivity: verify the DNS configuration to ensure seamless communication between realms.
7.1. Unique primary DNS domains
For a successful Identity Management (IdM) to Active Directory (AD) trust, each environment must occupy a unique, dedicated DNS domain and Kerberos realm. This separation allows Active Directory to route authentication requests correctly via name suffix routing.
Each system must have its own unique primary DNS domain configured. For example:
-
ad.example.comfor AD andidm.example.comfor IdM -
example.comfor AD andidm.example.comfor IdM -
ad.example.comfor AD andexample.comfor IdM
The most convenient management solution is an environment where each DNS domain is managed by integrated DNS servers, but it is possible to use any other standard-compliant DNS server as well.
- Kerberos realm names as upper-case versions of primary DNS domain names
-
Kerberos realm names must match the primary DNS domain names, with all letters uppercase. For example, if the domain names are
ad.example.comfor AD andidm.example.comfor IdM, the Kerberos realm names are required to beAD.EXAMPLE.COMandIDM.EXAMPLE.COM. - DNS records resolvable from all DNS domains in the trust
- All machines must resolve DNS records from all DNS domains involved in the trust relationship.
- IdM and AD DNS Domains
- Systems joined to IdM can be distributed over multiple DNS domains. Deploy IdM clients in a DNS zone separate from those managed by Active Directory. The primary IdM DNS domain must have proper SRV records to support AD trusts.
In some environments with trusts between IdM and AD, you can install an IdM client on a host that is part of the Active Directory DNS domain. The host can then benefit from the Linux-focused features of IdM. This is not a recommended configuration and has some limitations.
You can acquire a list of the required SRV records specific to your system setup by running the following command:
$ ipa dns-update-system-records --dry-runThe generated list can look for example like this:
IPA DNS records:
_kerberos-master._tcp.idm.example.com. 86400 IN SRV 0 100 88 server.idm.example.com.
_kerberos-master._udp.idm.example.com. 86400 IN SRV 0 100 88 server.idm.example.com.
_kerberos._tcp.idm.example.com. 86400 IN SRV 0 100 88 server.idm.example.com.
_kerberos._tcp.idm.example.com. 86400 IN SRV 0 100 88 server.idm.example.com.
_kerberos.idm.example.com. 86400 IN TXT "IDM.EXAMPLE.COM"
_kpasswd._tcp.idm.example.com. 86400 IN SRV 0 100 464 server.idm.example.com.
_kpasswd._udp.idm.example.com. 86400 IN SRV 0 100 464 server.idm.example.com.
_ldap._tcp.idm.example.com. 86400 IN SRV 0 100 389 server.idm.example.com.
_ipa-ca.idm.example.com. 86400 IN A 192.168.122.2For other DNS domains that are part of the same IdM realm, it is not required for the SRV records to be configured when the trust to AD is configured. The reason is that AD domain controllers do not use SRV records to discover KDCs but rather base the KDC discovery on name suffix routing information for the trust.
7.2. Configuring a DNS forward zone in the IdM Web UI
Use the Identity Management (IdM) Web UI to configure DNS forward zones. This allows the IdM server to route queries for external domains, such as an Active Directory environment, to their respective DNS servers.
Prerequisites
- Access to the IdM Web UI with a user account that has administrator rights.
- Correctly configured DNS server.
Procedure
- Log in to the IdM Web UI with administrator privileges.
- Click the Network Services tab.
- Click the DNS tab.
In the drop down menu, click DNS Forward Zones.
- Click the Add button.
- In the Add DNS forward zone dialog box, add a zone name.
- In the Zone forwarders item, click the Add button.
- In the Zone forwarders field, add the IP address of the server for which you want to create the forward zone.
Click the Add button.
The forwarded zone has been added to the DNS settings and you can verify it in the DNS Forward Zones settings. The Web UI informs you about success with the following pop-up message: DNS Forward Zone successfully added.
NoteAfter adding a forward zone to the configuration, the Web UI might display a warning about a DNSSEC validation failure.
DNSSEC (Domain Name System Security Extensions) secures DNS data with a digital signature to protect DNS from attacks. This service is enabled by default in the IdM server. The warning appears because the remote DNS server does not use DNSSEC. Enable DNSSEC on the remote DNS server.
If you cannot enable DNSSEC validation on the remote server, you can disable DNSSEC in the IdM server:
-
Open the
/etc/named/ipa-options-ext.conffile on your IdM server. Add the following DNSSEC parameters:
dnssec-validation no;- Save and close the configuration file.
Restart the DNS service:
# systemctl restart named
Note that DNSSEC is only available as Technology Preview in IdM.
-
Open the
Verification
Use the
nslookupcommand with the name of the remote DNS server:$ nslookup ad.example.comServer: 192.168.122.2 Address: 192.168.122.2#53 No-authoritative answer: Name: ad.example.com Address: 192.168.122.3If you configured the domain forwarding correctly, the IP address of the remote DNS server is displayed.
7.3. Configuring a DNS forward zone in the CLI
Use the Identity Management (IdM) CLI to configure DNS forward zones. This allows the IdM server to route queries for external domains, such as an Active Directory environment, to their respective DNS servers.
Prerequisites
- Access to the CLI with a user account that has administrator rights.
- Correctly configured DNS server.
Procedure
Create a DNS forward zone for the AD domain, and specify the IP address of the remote DNS server with the
--forwarderoption:# ipa dnsforwardzone-add ad.example.com --forwarder=192.168.122.3 --forward-policy=firstNoteYou might see a warning about a DNSSEC validation failure in the
/var/log/messagessystem logs after adding a new forward zone to the configuration:named[2572]: no valid DS resolving 'host.ad.example.com/A/IN': 192.168.100.25#53DNSSEC (Domain Name System Security Extensions) secures DNS data with a digital signature to protect DNS from attacks. This service is enabled by default in the IdM server. The warning appears because the remote DNS server does not use DNSSEC. Enable DNSSEC on the remote DNS server.
If you cannot enable DNSSEC validation on the remote server, you can disable DNSSEC in the IdM server:
-
Open the
/etc/named/ipa-options-ext.conffile on your IdM server. Add the following DNSSEC parameters:
dnssec-validation no;- Save and close the configuration file.
Restart the DNS service:
# systemctl restart named
Note that DNSSEC is only available as Technology Preview in IdM.
-
Open the
Verification
Use the
nslookupcommand with the name of the remote DNS server:$ nslookup ad.example.comServer: 192.168.122.2 Address: 192.168.122.2#53 No-authoritative answer: Name: ad.example.com Address: 192.168.122.3If the domain forwarding is configured correctly, the
nslookuprequest displays an IP address of the remote DNS server.
7.4. Configuring DNS forwarding in AD
Configure a conditional forwarder in Active Directory (AD) to enable the Windows environment to resolve the Identity Management (IdM) domain. This is essential for AD to locate IdM Kerberos and LDAP services.
Prerequisites
- Windows Server with AD installed.
- DNS port open on both servers.
Procedure
- Log in to the Windows Server.
- Open Server Manager.
- Open DNS Manager.
In Conditional Forwarders, add a new forwarder and enter:
-
DNS Domain: The fully qualified domain name, for example,
server.idm.example.com - IP Address: The IP address of the IdM DNS server.
-
DNS Domain: The fully qualified domain name, for example,
- Save the settings.
7.5. Verifying the DNS configuration
Verify that both Identity Management (IdM) and Active Directory (AD) can resolve their own service records and those of the peer domain. Ensure successful bidirectional resolution before establishing the trust relationship.
Prerequisites
-
You are logged in with an account that has
sudopermissions.
Procedure
Run a DNS query for the Kerberos over UDP and LDAP over TCP service records.
[admin@server ~]# dig +short -t SRV _kerberos._udp.idm.example.com.0 100 88 server.idm.example.com.[admin@server ~]# dig +short -t SRV _ldap._tcp.idm.example.com.0 100 389 server.idm.example.com.The commands return the SRV records for the IdM servers.
Run a DNS query for the TXT record with the IdM Kerberos realm name. The returned value should match the Kerberos realm you specified when installing IdM.
[admin@server ~]# dig +short -t TXT _kerberos.idm.example.com."IDM.EXAMPLE.COM"If the previous steps did not return all the expected records, update the DNS configuration with the missing records:
If your IdM environment uses an integrated DNS server, enter the
ipa dns-update-system-recordscommand without any options to update your system records:[admin@server ~]$ ipa dns-update-system-recordsIf your IdM environment does not use an integrated DNS server:
On the IdM server, export the IdM DNS records into a file:
[admin@server ~]$ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdateThe command creates a file named dns_records_file.nsupdate with the relevant IdM DNS records.
-
Submit a DNS update request to your DNS server using the
nsupdateutility and thedns_records_file.nsupdatefile. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.
Verify that IdM is able to resolve service records for AD with a command that runs a DNS query for Kerberos and LDAP over TCP service records:
[admin@server ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.0 100 88 addc1.ad.example.com.[admin@server ~]# dig +short -t SRV _ldap._tcp.dc._msdcs.ad.example.com.0 100 389 addc1.ad.example.com.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}