Integrating FreeIPA with Active Directory

Building Bridges

Considering or Ignoring POSIX Attributes

In a Windows AD schema it has been possible for some time to define POSIX attributes, which are enabled through the Identity Management for UNIX (IMU) component, formerly known as Services for UNIX (SFU). You can then enter the desired attributes (e.g., the UID and GID) in the properties of a Windows user, along with the home directory and other POSIX information.

FreeIPA recognizes this and can automatically fall back to the attributes stored in AD instead of defining new ones. When creating the trust, you explicitly determine how FreeIPA should behave if POSIX attributes are already defined in AD. Using

ipa trust-add --range-type=ipa-ad-trust-posix

you specify that the POSIX attributes stored in AD should be used. In contrast, the statement

ipa trust-add --range-type=ipa-ad-trust

says that these attributes are to be ignored and that SSSD should generate separate IDs instead.

Windows Groups and Security Rules

The FreeIPA framework uses group information for many security rules (e.g., sudo, SELinux, HBAC) to decide whether access for a specific user is allowed or not. However, because the framework isn't aware of the Windows groups – after all, they're located externally and aren't stored on the FreeIPA systems – you need a little trick to be able to use them in the desired rules.

The trick consists of including all desired Windows groups in corresponding external (non-POSIX) groups; then, you can nest them in POSIX groups, which you can ultimately use in your set of rules. Listing 6 shows how you can nest all domain users from the Windows domain in a POSIX group via an external group from the FreeIPA server.

Listing 6

Using Windows Groups

### You need to use a few tricks to be able to use Windows groups on the FreeIPA.
# ipa group-add --desc='COE users external map' coe_domain_users_external --external
Added group "coe_domain_users_external"
    Group name: coe_domain_users_external
    Description: COE users external map
# ipa group-add --desc='COE users' coe_domain_users
Added group "coe_domain_users"
    Group name: coe_domain_users
    Description: COE users
    GID: 1691800008
# ipa group-add-member coe_domain_users_external --external 'COE\Domain Users'
[member user]:
[member group]:
    Group name: coe_domain_users_external
    Description: COE users external map
    External member: S-1-5-21-2960236960-1249552018-43539955-513
Number of members added 1
# ipa group-add-member coe_domain_users --groups coe_domain_users_external
    Group name: coe_domain_users
    Description: COE users
    GID: 1691800008
    Member groups: coe_domain_users_external
Number of members added 1

You can use the coe_domain_users group from now on to implement host-based access control rules, for example, and just grant members of this group access to certain systems. You can, of course, apply this procedure to all Windows groups.
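The following POSIX shell helper is an added example, not code from the article or from the FreeIPA project: it applies the Listing 6 steps to any Windows group, derives the FreeIPA group names from the AD name, and skips groups that already exist. The ipa_run wrapper and the DRY_RUN variable are assumptions of this example; with DRY_RUN=1 it only prints the ipa commands it would run.

```shell
#!/bin/sh
# Hypothetical helper: map an AD group (DOMAIN\Group) to a FreeIPA external
# group plus a POSIX group that nests it, as in Listing 6.
# DRY_RUN=1 prints the commands instead of executing them (arguments are
# shown unquoted, so treat the output as a preview, not a script).

ipa_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# Derive a FreeIPA-safe base name from an AD group name:
# "COE\Domain Users" -> "coe_domain_users"
ipa_group_name() {
    printf '%s' "$1" | tr '\\' '_' | tr ' ' '_' | tr 'A-Z' 'a-z'
}

# Create the external group, the POSIX group, and the nesting between them.
# Only groups that do not exist yet are created, so re-running is safe.
map_ad_group() {
    ad_group="$1"
    base=$(ipa_group_name "$ad_group")
    ext="${base}_external"

    if [ "${DRY_RUN:-0}" = "1" ] || ! ipa group-show "$ext" >/dev/null 2>&1; then
        ipa_run group-add --desc="$ad_group external map" "$ext" --external
    fi
    if [ "${DRY_RUN:-0}" = "1" ] || ! ipa group-show "$base" >/dev/null 2>&1; then
        ipa_run group-add --desc="$ad_group" "$base"
    fi
    # Like Listing 6, ipa may prompt for the other member types here.
    ipa_run group-add-member "$ext" --external "$ad_group"
    ipa_run group-add-member "$base" --groups "$ext"
}

# Usage: ./map_ad_group.sh 'COE\Domain Users' 'COE\Linux Admins'
if [ $# -gt 0 ]; then
    for g in "$@"; do
        map_ad_group "$g"
    done
fi
```

The resulting POSIX group (here coe_domain_users) is the one to reference in HBAC, sudo, or SELinux rules; the external group only carries the AD SID.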


FreeIPA provides a comprehensive integration of Linux environments in existing Windows AD structures. Unlike direct integration of Linux clients, the framework provides a native interface and makes it easy to access the Active Directory.

Using this interface, Linux clients can benefit from the usual security mechanisms and don't have to use a trimmed-down range of functions if they are made available via an AD domain controller. Another advantage of this form of integration is that Windows admins keep control of their domains, and Linux admins can provide their clients the necessary data via the FreeIPA framework.
