Federating NethServer Active Directory

activedirectory
v7

(Derek Blechinger) #1

How would I go about federating two AD / DNS environments? Say I have abc.domain.com and xyz.domain.com - both Nethserver domains. Any way to federate them? Does federation via RSAT work (domains and trusts)?

Thanks!


(Davide Principi) #2

I never tried to achieve this! Currently NSDC works as a standalone DC. There is a wiki page that explains how to join a DC to an existing domain:

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory

Do you have any pointer to Samba AD and inter-domain trust?


(Derek Blechinger) #3

Neat! I may attempt to do this in a lab. If so I’ll report back with what I find.

I have not yet attempted to join a second nsdc to the domain as a secondary DC. I intend to though! I expect it will work without issue.

I’m sorry. I’m not sure what you mean here (which probably means I do not have it!). Would you mind elaborating?


(Davide Principi) #4

I’m not sure I understood your question, and what you mean by “federating” two ADs.

Domains in AD can reciprocally trust each other, but I never encountered this scenario with NethServer.


(Derek Blechinger) #5

This is what I’m referring to:
https://msdn.microsoft.com/en-us/library/bb897402.aspx


(Davide Principi) #6

Thank you for the pointer! Can you describe the problem you want to solve? As far as I can understand…

ADFS (Active Directory Federation Services) is an SSO (Single Sign On) solution from Microsoft. It speaks several federated authentication protocols, such as WS-Federation and SAML.

What do you want to achieve with it?


(Rob Bosch) #7

I think @FMFREAK could give some extra info about introducing SAML. He has implemented a SAML-based portal for several services for the secondary school he is working for.


(Jochem Van Den Anker) #8

We drive the SAML way. I think we had better use a SimpleSAMLphp server than ADFS. We have a setup to connect Google G Suite for Education, Office 365, our timetable software and portal (Drupal) login.
Because our core directory service is an AD server, we connect our SimpleSAMLphp to our AD via LDAP. We could choose ADFS, but SAML is the open source standard. It’s easier to get open source products to work with SAML than with ADFS.
So, take a look at SimpleSAMLphp, try it and share your experiences…
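
The setup described in the post above (SimpleSAMLphp as the identity provider, authenticating users against an AD domain over LDAP) boils down to one authentication source entry. The following is an added example, not configuration from the poster or from the NethServer project: it assumes the SimpleSAMLphp 1.x `ldap:LDAP` authsource module, a domain controller `dc1.abc.domain.com` serving LDAPS for the `abc.domain.com` domain from the thread, and a read-only service account `svc_saml_bind`; all of these names are placeholders.

```php
<?php
// Added example (not from the thread): a SimpleSAMLphp 1.x authentication
// source in config/authsources.php that logs users in against an Active
// Directory domain over LDAPS. Host, base DN and service-account names are
// assumed placeholders.
$config = [
    'abc-ad' => [
        'ldap:LDAP',

        // Use LDAPS (or STARTTLS) so AD passwords never cross the wire in clear text.
        'hostname'   => 'ldaps://dc1.abc.domain.com',
        'enable_tls' => false,   // false because the URL scheme is already ldaps://
        'timeout'    => 10,
        'referrals'  => false,   // AD returns referrals for other partitions; chasing them
                                 // is slow and sends queries to hosts you did not choose

        // Attributes copied into the IdP session and released to service
        // providers (Google, Office 365, Drupal ...). Keep this list minimal.
        'attributes' => ['sAMAccountName', 'userPrincipalName', 'mail', 'memberOf'],

        // Two-step login: search for the user's DN with a service account,
        // then bind as that DN with the user's password to verify it.
        'search.enable'     => true,
        'search.base'       => 'OU=People,DC=abc,DC=domain,DC=com',
        'search.scope'      => 'subtree',
        'search.attributes' => ['sAMAccountName', 'userPrincipalName'],

        // Dedicated read-only account for the search bind (assumed name).
        // Never use a Domain Admin here; the secret comes from the environment,
        // not from the versioned config file.
        'search.username' => 'CN=svc_saml_bind,OU=Service Accounts,DC=abc,DC=domain,DC=com',
        'search.password' => getenv('SAML_LDAP_BIND_PW'),
    ],
];
```

With this in place the service providers only ever talk SAML to the IdP; no AD credentials or LDAP ports are exposed to them. For the two-domain question that opened the thread, a second entry such as `xyz-ad` pointing at the other domain can sit beside this one, so the relying parties see a single IdP while each domain keeps its own directory and bind account.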


(Derek Blechinger) #9

The end goal is to manage multiple AD/DNS domains from the same console / RSAT window.

For instance:

domain.example.internal ----+---- someDomain.example.internal
                            |
                  Federated AD Domains
                            |
                      someAdminUser

Where both domains are separate AD domains which have been federated via the Active Directory Federation Services snap-in AND where someAdminUser is a Domain Admin for domain.example.internal whose privileges extend to someDomain.example.internal.

This is certainly not a “standard” use case. It is a more advanced deployment of Active Directory; however, I consider this a necessary feature for a full MS Active Directory replacement.

Just curious if it’s possible yet or not. I still haven’t had the time to test this in my lab (but I intend to!).