Chapter 14. Identity: Integrating with Active Directory Through Cross-forest Trust (Technology Preview)

Kerberos implements a concept of a trust. In a trust, a principal from one Kerberos realm can request a ticket to a service in another Kerberos realm. Using this ticket, the principal can authenticate against resources on machines belonging to the other realm.

Kerberos also has the ability to create a relationship between two otherwise separate Kerberos realms: a cross-realm trust. Realms that are part of a trust use a shared pair of a ticket and key; a member of one realm then counts as a member of both realms.

Both Active Directory and Identity Management manage a variety of core services such as Kerberos, LDAP, DNS, or certificate services. Therefore, establishing Kerberos cross-realm trust is not enough to allow users from one realm to access resources in a different realm; support is required at other levels of communication as well. For this purpose, IdM enables configuring a cross-forest trust between an IdM domain and an AD domain. Cross-forest trust is a trust established between two separate forest root domains, allowing users and services from different forests to communicate.

In Red Hat Enterprise Linux 6, the cross-forest trust feature is offered as a Technology Preview. Note that Red Hat recommends to connect Red Hat Enterprise Linux 6 IdM clients to a Red Hat Enterprise Linux 7 IdM server for cross-forest trust capability. Trusts are fully supported on servers running Red Hat Enterprise Linux 7. Configuration with Red Hat Enterprise Linux 6 clients connected to a Red Hat Enterprise Linux 7 server for cross-forest trust is fully supported as well. In such setups, it is recommended to use the latest version of Red Hat Enterprise Linux 6 on the client side and the latest version of Red Hat Enterprise Linux 7 on the server side.

Red Hat will not upgrade the cross-forest trust feature within Red Hat Enterprise Linux 6 from the Technology Preview status to Supported. If a certain AD deployment does not work with cross-forest trust in Red Hat Enterprise Linux 6, consider trying the latest Red Hat Enterprise Linux 7 IdM version to identify whether a particular configuration requires improvement in Red Hat Enterprise Linux 7.

For documentation on cross-forest trust in Red Hat Enterprise Linux 7, including a more detailed description of what cross-forest trust is, see the Red Hat Enterprise Linux 7 Windows Integration Guide.

The cross-forest trust feature in Red Hat Enterprise Linux 6 includes the ability to:

The cross-forest trust feature in Red Hat Enterprise Linux 6 does not include the ability to:

Trusts and synchronization are fundamentally different approaches to integrating an IdM domain and an AD domain. Both approaches offer the advantage of managing Linux systems and policies related to those systems centrally while enabling users from AD domains to transparently access Linux systems and services.

For a comparison of the trust-based and synchronization-based solutions, see the Red Hat Enterprise Linux 7 Windows Integration Guide. For information on integrating with AD using synchronization in Red Hat Enterprise Linux 6, see Chapter 15, Identity: Integrating with Microsoft Active Directory Through Synchronization.