Evaluated version: Fedora 44 (in development)
Install the required packages:
# dnf install freeipa-server-trust-ad samba-client -y
Configure the service:
# ipa-adtrust-install --add-sids --add-agents
The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.
admin password: <Enter the password>
WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.
Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/24]: validate server hostname
[2/24]: stopping smbd
[3/24]: adding RID bases
.....
[21/24]: adding Default Trust View
[22/24]: setting SELinux booleans
[23/24]: starting CIFS services
[24/24]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details
=============================================================================
Restart the FreeIPA service:
# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
Important: users will need to change their passwords (or you must reset them), because the NT hash is only generated and stored in FreeIPA when the password is changed.
# kinit admin
Password for admin@IPA.DOMAIN.INTERNAL:
# ipa user-mod tiochico --password
Password:
Enter Password again to verify:
------------------------
Modified user "tiochico"
------------------------
User login: tiochico
First name: Tio
Last name: Chico
Home directory: /home/tiochico
Login shell: /bin/sh
Principal name: tiochico@IPA.DOMAIN.INTERNAL
Principal alias: tiochico@IPA.DOMAIN.INTERNAL
Email address: tiochico@ipa.domain.internal
UID: 1576800004
GID: 1576800004
Account disabled: False
Password: True
Member of groups: g_user_radius
Kerberos keys available: True
# ipa user-show tiochico --all | grep -i objectclass
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
# kinit admin
Password for admin@IPA.DOMAIN.INTERNAL:
# ipa user-mod tiochico --password
Password:
Enter Password again to verify:
------------------------
Modified user "tiochico"
------------------------
User login: tiochico
First name: Tio
Last name: Chico
Home directory: /home/tiochico
Login shell: /bin/sh
Principal name: tiochico@IPA.DOMAIN.INTERNAL
Principal alias: tiochico@IPA.DOMAIN.INTERNAL
Email address: tiochico@ipa.domain.internal
UID: 1576800028
GID: 1576800028
Account disabled: False
Password: True
Kerberos keys available: True
# ldapsearch -x -D "cn=directory manager" -W -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal" "(uid=tiochico)" ipaNTPassword
Enter LDAP Password:
# ipa user-show tiochico --all (# ipa user-show tiochico --all | grep ipaSID)
dn: uid=tiochico,cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal
User login: tiochico
First name: Tio
Last name: Chico
Full name: Tio Chico
Display name: Tio Chico
Initials: TC
Home directory: /home/tiochico
GECOS: Tio Chico
Login shell: /bin/sh
Principal name: tiochico@IPA.DOMAIN.INTERNAL
Principal alias: tiochico@IPA.DOMAIN.INTERNAL
User password expiration: 20260514004658Z
Email address: tiochico@ipa.domain.internal
UID: 1576800004
GID: 1576800004
Account disabled: False
Preserved user: False
Password: True
Member of groups: g_user_radius
Kerberos keys available: True
ipantsecurityidentifier: S-1-5-21-571246508-3356410248-2851286094-1004
ipauniqueid: 114e76f0-456a-11f1-980b-bc2411ea4ac1
krbextradata: AAKCGwVqcm9vdC9hZG1pbkBJUEEuRE9NQUlOLklOVEVSTkFMAA==
krblastadminunlock: 20260511000828Z
krblastfailedauth: 20260514002510Z
krblastpwdchange: 20260514004658Z
krbloginfailedcount: 0
mepmanagedentry: cn=tiochico,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=internal
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
# ipa user-show tiochico --all | grep -i "objectclass"
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" | grep -i nthash
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" | grep -A 5 "NTHash"
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" | grep -A 10 "nsslapd-pluginEnabled" | grep -B 10 "NTHash"
# ldapsearch -x -D "cn=directory manager" -W -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal" "(uid=tiochico)" "*" "+"
# ldapsearch -x -D "cn=directory manager" -W -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal" "(uid=tiochico)" ipaNTPassword
# ldapsearch -x -D "cn=directory manager" -W -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal" "(uid=tiochico)" ipaNTPassword +
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" "cn=NTHash" nsslapd-pluginEnabled
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" "cn=*Hash*" dn
# ldapsearch -x -D "cn=directory manager" -W -b "cn=plugins,cn=config" "cn=IPA Password Check"
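The ldapsearch checks above look at one user at a time. The script below is an added example (not part of the original notes) that turns the same query into an audit: it reads the LDIF that ldapsearch prints and lists every user entry that still has no `ipaNTHash` attribute, i.e. every account whose owner has not changed or reset their password since `ipa-adtrust-install` ran. `ipaNTHash` is the attribute of the `ipantuserattrs` objectclass that holds the NT hash; the bind DN and base DN in the usage comment are the ones used on this page, and the LDIF embedded in the script is a constructed sample standing in for real server output so the script runs offline.

```shell
# Added example: audit which FreeIPA users still lack an NT hash after
# ipa-adtrust-install. Reads ldapsearch LDIF on stdin, prints one uid per line
# for every entry without an ipaNTHash attribute.
#
# Real use against the server (Directory Manager may read ipaNTHash):
#   ldapsearch -x -LLL -D "cn=directory manager" -W \
#     -b "cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal" \
#     "(objectclass=posixaccount)" uid ipaNTHash | users_missing_nthash

users_missing_nthash() {
    # LDIF entries are separated by blank lines. Binary attributes such as
    # ipaNTHash are emitted base64-encoded as "ipaNTHash:: <value>", and LDAP
    # attribute names are case-insensitive, so matching is done on a lowercased
    # copy of each line. Comment lines ("# ...") and result lines never match.
    awk '
        { line = tolower($0) }
        line ~ /^uid:/       { uid = $2 }
        line ~ /^ipanthash:/ { has_hash = 1 }
        /^$/                 { flush() }
        END                  { flush() }
        function flush() {
            if (uid != "" && !has_hash) print uid
            uid = ""; has_hash = 0
        }
    '
}

# Constructed sample LDIF (not captured from a real server): one user has
# changed their password since the trust install and carries ipaNTHash, the
# other has not. The hash value is 16 filler bytes, base64-encoded.
SAMPLE_LDIF='dn: uid=tiochico,cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal
uid: tiochico
objectClass: ipantuserattrs
ipaNTHash:: QUFBQUFBQUFBQUFBQUFBQQ==

dn: uid=legacyuser,cn=users,cn=accounts,dc=ipa,dc=domain,dc=internal
uid: legacyuser
'

# Runs the audit over the constructed sample; returns the uids still missing a hash.
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | users_missing_nthash
}

audit_sample
```

Every uid the audit prints is an account that cannot yet authenticate through anything that depends on the NT hash (the page's `g_user_radius` group is the obvious consumer); once the user changes their password, `ipa user-show <uid> --all` shows `ipantuserattrs` in the objectclass list and the entry disappears from this report.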