Red Hat Summit10장. Troubleshooting setting up a cross-forest trust
Learn more about troubleshooting the process of configuring a cross-forest trust between your Identity Management (IdM) environment and an Active Directory (AD) forest.
10.1. Sequence of events when establishing a cross-forest trust with AD
When you use the ipa trust-add command to establish a cross-forest trust with an Active Directory (AD) Domain Controller (DC), the command operates on behalf of the user who ran the command and performs the following actions on the IdM server. If you have trouble establishing a cross-forest trust, you can use this list to help narrow down and troubleshoot your issue.
- Part 1: The command verifies settings and inputs
- Verify that the IdM server has the Trust Controller role.
-
Validate the options passed to the
ipa trust-addcommand. -
Validate the ID range associated with a trusted forest root domain. If you did not specify the ID range type and properties as options to the
ipa trust-addcommand, they are discovered from Active Directory.
- Part 2: The command attempts to establish a trust to an Active Directory domain
- Create a separate trust object for each trust direction. Each of the objects get created on both sides (IdM and AD). If you are establishing a one-way trust, only one object is created on each side.
The IdM server uses the Samba suite to handle domain controller capabilities for Active Directory and creates a trust object on the target AD PDC:
-
The IdM server establishes a secure connection to the
IPC$share on the target DC. Since RHEL 8.4, the connection requires at least the SMB3 protocol with Windows Server 2012 and above to ensure the connection is sufficiently secure with AES-based encryption used for the session. -
The IdM server queries for the presence of the trusted domain object (TDO) using an
LSA QueryTrustedDomainInfoByNamecall. If the TDO is already present, remove it with an
LSA DeleteTrustedDomaincall.참고This call fails if the AD user account used to establish the trust does not have full Enterprise Admin (EA) or Domain Admin (DA) privileges for the forest root, such as members of the Incoming Forest Trust Builders group. If the old TDO is not automatically removed, an AD Administrator must manually remove it from AD.
-
The IdM server creates a new TDO with an
LSA CreateTrustedDomainEx2call. The TDO credentials are randomly generated using a Samba-provided password generator with 128 random characters. The new TDO is then modified with an
LSA SetInformationTrustedDomaincall to make sure encryption types supported by the trust are set properly:-
The
RC4_HMAC_MD5encryption type is enabled, even if there are no RC4 keys in use, due to how Active Directory is designed. -
AES128_CTS_HMAC_SHA1_96andAES256_CTS_HMAC_SHA1_96encryption types are enabled.
-
The
-
The IdM server establishes a secure connection to the
-
For a forest trust, verify that in-forest domains can be reached transitively with an
LSA SetInformationTrustedDomaincall. Add trust topology information about the other forest (IdM in the case of communicating with AD, AD in the case of communicating with IdM) using an
LSA RSetForestTrustInformationcall.참고This step might cause a conflict for one of three reasons:
-
A SID namespace conflict, reported as an
LSA_SID_DISABLED_CONFLICTerror. This conflict cannot be resolved. -
A NetBIOS namespace conflict, reported as an
LSA_NB_DISABLED_CONFLICTerror. This conflict cannot be resolved. -
A DNS namespace conflict with a top level name (TLN), reported as an
LSA_TLN_DISABLED_CONFLICTerror. The IdM server can automatically resolve a TLN conflict if it is caused by another forest.
To resolve a TLN conflict, the IdM server performs the following steps:
- Retrieve forest trust information for the conflicting forest.
- Add an exclusion entry for the IdM DNS namespace to the AD forest.
- Set forest trust information for the forest we conflict on.
- Re-try establishing the trust to the original forest.
The IdM server can only resolve these conflicts if you authenticated the
ipa trust-addcommand with the privileges of an AD administrator that can change forest trusts. If you do not have access to those privileges, the administrator of the original forest must manually perform the steps above in the Active Directory Domains and Trusts section of the Windows UI.-
A SID namespace conflict, reported as an
- If it does not exist, create the ID range for the trusted domain.
- For a forest trust, query Active Directory domain controllers from the forest root for details about the forest topology. The IdM server uses this information to create additional ID ranges for any additional domains from the trusted forest.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}