
One of the newer features of FreeIPA is the ability to set up a cross-realm trust with Windows Active Directory (AD). This allows Windows users to authenticate directly to Linux machines. It is the preferred long-term solution, intended to replace the current Windows Synchronization/Password Synchronization approach. Horizon is an OpenStack project that provides a web-based GUI "dashboard" for the other OpenStack components. I will outline the steps necessary to create Windows users and authenticate to Horizon with those user credentials, via FreeIPA.


Most of the steps below can be automated. I have started a github project called ipa-ad-trust-demo which contains the scripts and config files used. I have tested the script on Fedora 20 using libvirt/kvm/qemu for virtualization. The script depends on two of my other github projects:

  • auto-win-vm-ad - This handles the creation of the Windows VM, the unattended set up of an Active Directory Domain, unattended set up of MS Certificate Services, and DNS configuration. The entry point is the shell script make-ad-vm.sh.

  • setupvm.sh - This is just a wrapper around virt-install, kickstart, and cloud-init that simplifies virtual machine creation using shell script based config files.

The demo is run using the ipa-ad-setup.sh script like this:
$ cd /path/to/ipa-ad-trust-demo
$ PATH=$PATH:/path/to/scripts:/path/to/auto-win-vm-ad:. ./ipa-ad-setup.sh global.conf ad1.conf ipa1.conf

At the end of the run, you will have a Windows VM running AD, and a Fedora 20 VM running FreeIPA. Windows users will be able to authenticate to FreeIPA. The script demonstrates an AD user doing a kinit against FreeIPA, and also demonstrates using those credentials to do ldapsearch -Y GSSAPI to search against AD.

Automation Pre-requisites

You will need the following packages:
# yum -y install unar qemu-img qemu-kvm libvirt virt-manager libguestfs-tools

You will need to manually download the Fedora 20 cloud image from http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.qcow2 and put it in your libvirt images directory (/var/lib/libvirt/images):
# cd /var/lib/libvirt/images
# wget http://download.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.qcow2

Then edit ipa1.conf to use this as the VM_DISKFILE_BACKING. However, if you plan to do many iterations of testing/VM creation/VM destruction, I strongly encourage you to first create a VM using the standard image, update it, install all of the packages required for FreeIPA and the trust (and optionally the GNOME Desktop), and use this pre-prepared image as your VM_DISKFILE_BACKING image. See the Fedora 20 and FreeIPA section below for more information. The difference is stark: about 100 minutes with the standard image versus about 8 minutes with a pre-prepared image.

Both setupvm.sh and make-ad-vm.sh should be in the PATH. Using "." in PATH allows the config files to be sourced as
. $file

where $file is something like global.conf rather than ./global.conf or /path/to/global.conf. Note that "." in PATH also lets any executable in the current directory shadow a real command of the same name, so set it this way only in the shell you use for the demo, from the ipa-ad-trust-demo directory, and not in your login environment.

The script should be run as a regular user, not root, and the system should be set up to allow this user to run sudo without a password, i.e. with a NOPASSWD rule for that user in /etc/sudoers.

You should set SUDOCMD=sudo in global.conf to use sudo. The use of SUDOCMD instead of hard-coding "sudo" allows the use of sudo flags or even other commands.

The settings in global.conf apply to all VMs. This is where to set things like the virtual network name, IP address base/range, VM disk image directory, and SUDOCMD.

Automation Notes

The script vm-post-cloud-init.sh does all of the setup work: IPA setup, trust setup with AD, testing the trust using kinit and ldapsearch -Y GSSAPI, etc. It is launched as a cloud-init runcmd. By default, ipa-server-install and the other ipa command line tools do not work from a cloud-init runcmd because of SELinux, mostly because the runcmd runs in the unexpected context cloud_init_t rather than the one the IPA policy expects. After the first run failed, I used audit2allow on the resulting AVC denials to create the cloudinit.pp module, which is now loaded before doing ipa-server-install. Keep in mind that an audit2allow-generated module permits exactly the accesses that were denied in that run, for the cloud_init_t domain; that is fine for a demo, but review it before reusing it anywhere else.

ipa-adtrust-install restarts 389 Directory Server, which causes named (through bind-dyndb-ldap) to lose its LDAP connection, and by default it will not attempt to reconnect for 60 seconds. The script has a 60 second sleep here, which should be sufficient time.

Windows and Active Directory

For manual setup/install, you must install Windows and set up Active Directory first, before installing and setting up FreeIPA. Otherwise, you will have to coordinate so that ipa-adtrust-install and ipa trust-add are not run until after AD is available.

Microsoft provides virtual disk images of Windows Server 2008. NOTE: These images are to be used for evaluation and demo purposes only. DO NOT use them for any other purpose, especially in production. The EULA for the evaluation images is quite specific about this. The FreeIPA website documents the procedure for downloading the images, converting them to qemu/kvm/RHEV format (qcow2), creating a VM, and setting up an Active Directory domain using the GUI.

Finally, follow the Windows steps listed at http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup.

Windows Notes

For all of the gory details about how make-ad-vm.sh works, see https://raw.githubusercontent.com/richm/auto-win-vm-ad/master/README. The make-ad-vm.sh script also works with ISOs, but the ipa-ad-setup.sh script expects to use the evaluation disk images.

I was not able to use the Windows image as VM_DISKFILE_BACKING in conjunction with VM_WAIT_FILE. It seems that writing to the disk image file somehow corrupts the Windows registry, in the SOFTWARE hive, which causes virt-ls and virt-cat to fail. The way the script detects that the Windows VM setup is complete is by writing a file to C:\ (VM_WAIT_FILE) and using virt-cat to test for the existence of the file. The script therefore just makes a copy of the original Windows disk image for the new VM. This is slower but more robust.
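Two places in the automation wait on something outside the script: the 60 second sleep after ipa-adtrust-install restarts 389-ds (waiting for named to reconnect), and the virt-cat loop that watches for VM_WAIT_FILE on the Windows disk. A fixed sleep either wastes time or is too short on a slow host; a bounded poll is what a practitioner would want in both spots. The following helper is an added example, not code from ipa-ad-trust-demo or auto-win-vm-ad; the zone name ipa.example.test, the VM name ad1 and the marker path /setup-complete.txt are assumptions standing in for whatever your config files use.

```bash
#!/bin/bash
# Added example (not part of ipa-ad-trust-demo): bounded readiness polling
# to replace fixed sleeps.
#
# wait_for TIMEOUT_SECS INTERVAL_SECS CMD [ARGS...]
#   Runs CMD repeatedly until it succeeds. Returns 0 on success, 1 if
#   TIMEOUT_SECS elapse first. Output of CMD is discarded; only its exit
#   status matters.
wait_for() {
    local timeout=$1 interval=$2
    shift 2
    # An interval of 0 would never advance the clock; clamp it to 1 second.
    [ "$interval" -gt 0 ] || interval=1
    local waited=0
    until "$@" >/dev/null 2>&1; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "wait_for: timed out after ${timeout}s: $*" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Probe 1: after ipa-adtrust-install restarts 389-ds, named (bind-dyndb-ldap)
# may take up to 60s to reconnect to LDAP. Instead of `sleep 60`, poll until
# the IPA-managed zone answers a SOA query again. The zone name is an
# assumption; pass your own.
ipa_dns_ready() {
    local zone=${1:-ipa.example.test}
    dig +short +time=2 +tries=1 @127.0.0.1 SOA "$zone" | grep -q .
}

# Probe 2: the Windows unattended setup signals completion by writing a
# marker file to C:\ (VM_WAIT_FILE in the demo). virt-cat on the guest disk
# succeeds only once the file exists. VM name and marker path are assumptions.
win_setup_done() {
    local vm=$1 marker=$2
    virt-cat -d "$vm" "$marker" >/dev/null 2>&1
}

# Usage (commented out so the file can be sourced without side effects):
#   wait_for 120 5 ipa_dns_ready ipa.example.test   || exit 1
#   wait_for 1800 30 win_setup_done ad1 /setup-complete.txt || exit 1
```

The probes are deliberately separate from the loop so the same wait_for serves both the IPA side (run inside vm-post-cloud-init.sh, after ipa-adtrust-install) and the host side (run where make-ad-vm.sh currently checks for VM_WAIT_FILE). Whatever timeout you pick should be generous; the cost of a longer timeout is nothing when the probe succeeds early, while a too-short fixed sleep fails silently.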

Fedora 20 and FreeIPA

I use the Fedora 20 cloud image provided by Fedora. It is cloud-init enabled, which makes it easy to do automated install and setup. The demo uses FreeIPA running on Fedora 20, but Red Hat Enterprise Linux 7 (RHEL 7) with the built-in Identity Management (IdM) could be used just as well. Note that the image is by now quite old (by Fedora standards), so if you plan to do a lot of iterative testing (e.g. create VM/test/destroy VM/repeat) with this image, you should plan to first install a "base" VM, then do a yum update, plus install all of the FreeIPA packages necessary:
# yum -y update
# yum -y install freeipa-server freeipa-server-trust-ad \
  bind-dyndb-ldap bind bind-utils samba4-winbind-clients \
  samba4-winbind samba4-client openldap-clients rng-tools

In order to get a graphical desktop (e.g. if you want to run Horizon in a VM), you will also need to:
# yum -y groupinstall "GNOME Desktop"

Then follow the instructions about how to enable graphical login.

FreeIPA setup requires a lot of entropy from /dev/random, and it is possible for ipa-server-install to hang during Kerberos server setup waiting for it. To avoid this issue, create the VM with a virtual RNG, e.g.
$ sudo virt-install --rng /dev/random --name ipa ...

This should create the /dev/hwrng device in the VM. Then, in the VM, install the rng-tools package, and make sure to run rngd -r /dev/hwrng before running ipa-server-install. This should supply plenty of entropy to /dev/random in the VM from the host, and avoid the hang, and make setup run much faster. The ipa-ad-setup.sh script takes care of this.
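Rather than finding out about the entropy problem when ipa-server-install stalls, the guest can check for the virtio RNG device and the kernel's entropy counter up front. The following is an added example, not code from ipa-ad-setup.sh or vm-post-cloud-init.sh; the 1000-bit threshold and the ten-second wait are assumptions chosen for a demo, and the counter path is parameterised so the check can be exercised against a constructed file.

```bash
#!/bin/bash
# Added example (not part of ipa-ad-trust-demo): pre-flight entropy check
# to run in the guest before ipa-server-install.

# entropy_ok [FILE] [MINIMUM]
#   Returns 0 if the entropy counter in FILE is at least MINIMUM bits,
#   1 if it is lower, 2 if FILE is unreadable or not a number.
#   The real counter is /proc/sys/kernel/random/entropy_avail.
entropy_ok() {
    local file=${1:-/proc/sys/kernel/random/entropy_avail} min=${2:-1000}
    local avail
    avail=$(cat "$file" 2>/dev/null) || return 2
    case $avail in
        '' | *[!0-9]*) return 2 ;;   # empty or non-numeric content
    esac
    [ "$avail" -ge "$min" ]
}

# hwrng_present [DEVICE]
#   The virtio-rng device created by `virt-install --rng /dev/random`
#   appears in the guest as the character device /dev/hwrng.
hwrng_present() {
    [ -c "${1:-/dev/hwrng}" ]
}

# ensure_entropy [MINIMUM] [TRIES]
#   Starts rngd feeding /dev/hwrng into the kernel pool if the device is
#   present (and rngd is not already running), then waits up to TRIES
#   seconds for entropy_avail to reach MINIMUM. Returns 1 if it never does,
#   so the caller can abort instead of letting ipa-server-install hang.
ensure_entropy() {
    local min=${1:-1000} tries=${2:-10}
    if hwrng_present; then
        pgrep -x rngd >/dev/null || rngd -r /dev/hwrng
    else
        echo "warning: no /dev/hwrng; create the VM with --rng /dev/random" >&2
    fi
    while [ "$tries" -gt 0 ]; do
        entropy_ok /proc/sys/kernel/random/entropy_avail "$min" && return 0
        sleep 1
        tries=$((tries - 1))
    done
    echo "entropy_avail still below $min bits; ipa-server-install may hang in Kerberos setup" >&2
    return 1
}

# Usage in a post-cloud-init script (commented out here):
#   ensure_entropy 1000 30 || exit 1
#   ipa-server-install ...
```

One caveat for anyone reusing this on a newer guest than Fedora 20: since Linux 5.6, /dev/random no longer blocks once the pool has been initialised, so the hang this section describes does not occur and entropy_avail is no longer a meaningful gate. On those kernels the check reduces to confirming that the VM has a virtio RNG at all.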