In addition, many bugs and much brittleness have been fixed in krb5. This documentation involves some testing of that as well.

Report bugs here: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=realmd

== Test Day ==

There's a test day going on which you can see here:

[[Test_Day:2012-10-18_Active_Directory|2012-10-18_Active_Directory]]

The various test cases can be seen here:

[[:Category:Active_Directory_Test_Cases]]

== Preparation ==

In order to test realmd with Active Directory, you need the following.

An Active Directory domain to test against. You should have credentials for an administrative account on this domain. For deeper testing you should be able to access the domain and create accounts.

Obviously, for real life testing, using an already deployed Active Directory domain is desirable. But if you don't have access to an Active Directory domain, here's how to install Windows Server 2008 for free and set one up: http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html

Note that the Active Directory domain will need to be appropriately discoverable via DNS, as it would be "in real life": the test machine must be able to resolve the domain's SRV records, which means it normally has to use the domain controller (or a DNS server that forwards to it) as its resolver. If DNS is not set up for your Active Directory domain, you can also use steps 8 and 9 in the linked setup instructions above to make DNS work appropriately on your test machine for your domain.

In the following documentation we'll use <code>ad.example.com</code> when referring to the domain, and <code>AD.EXAMPLE.COM</code> for its Kerberos realm.
To install the packaged realmd:

<pre>
$ sudo yum install realmd
</pre>

To build and install realmd from source, do something like this:

<pre>
$ git clone git://anongit.freedesktop.org/realmd/realmd
$ cd realmd
$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug
$ make
$ sudo make install
$ sudo restorecon -Rv /etc/dbus-1 /usr/bin/realm /usr/lib64/realmd /usr/share/dbus-1 /usr/share/polkit-1
</pre>

The <code>restorecon</code> step re-applies the SELinux file contexts the policy expects for those paths; files installed by hand are not necessarily labelled the way the packaged ones are, and the D-Bus and polkit configuration will not be honoured with the wrong labels.

If you wish to later go back to the Fedora 18 version of realmd, just reinstall the package:

<pre>
$ sudo yum reinstall realmd
</pre>
== Test using domain without krb5.conf ==

Work has been done to make krb5 usable without any krb5.conf at all, and to fix the default <code>/etc/krb5.conf</code> that was distributed with Fedora 17 and earlier.

Move <code>/etc/krb5.conf</code> away:

<pre>
$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
</pre>

If you wish to test with a default, neutral <code>/etc/krb5.conf</code> file instead, use the following file, as included in the <code>krb5-libs</code> package:

<pre>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
</pre>

Note that this file sets no <code>default_realm</code> and has <code>dns_lookup_realm = false</code>, so the realm is neither assumed nor looked up in DNS; it has to be given explicitly in the principal, as below. The KDC itself is still located through DNS SRV records, because <code>dns_lookup_kdc</code> defaults to true.

But again, it is not required to have a <code>/etc/krb5.conf</code> at all.

Now do a <code>kinit</code> against your Active Directory domain:

<pre>
$ kinit Administrator@AD.EXAMPLE.COM
$ klist -e
</pre>

You should see Kerberos tickets listed; <code>-e</code> also shows the encryption type negotiated for each ticket, which is worth checking against what the domain is expected to offer.

Possible non-systemic problems:

* Make sure the realm is capitalized as above. The Kerberos realm name for an Active Directory domain is the DNS domain name in upper case, and realm names are case-sensitive.
* Make sure that the domain can be resolved via DNS: <code>$ host -t SRV _kerberos._udp.ad.example.com</code>
== Test realmd Discovery ==

realmd discovers domains and what kind of domain they are. To test this, use the <code>realm</code> command to drive realmd.

Against an Active Directory domain the output should look like this:

<pre>
$ realm discover --verbose ad.example.com
 * Searching for kerberos SRV records for domain: _kerberos._udp.ad.example.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ad.example.com
 * dc.ad.example.com:88
 * Found kerberos DNS records for: ad.example.com
 * Found AD style DNS records for: ad.example.com
 * Successfully discovered: ad.example.com
AD.EXAMPLE.COM
  configured: no
  type: active-directory
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
</pre>

Against an IPA domain the output should look something like this:

<pre>
$ realm --verbose discover ipa.example.com
 * Searching for kerberos SRV records for domain: _kerberos._udp.ipa.example.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ipa.example.com
 * dc.ipa.example.com:88
 * Trying to retrieve IPA certificate from dc.ipa.example.com
 ! Couldn't read certificate via HTTP: No PEM-encoded certificate found
 ! Couldn't discover IPA KDC: No PEM-encoded certificate found
 * Found kerberos DNS records for: ipa.example.com
 * Successfully discovered: ipa.example.com
IPA.EXAMPLE.COM
  configured: no
  type: freeipa
  realm-name: IPA.EXAMPLE.COM
  domain-name: ipa.example.com
</pre>

realmd tells IPA apart from a generic Kerberos realm by fetching the IPA CA certificate from the KDC over HTTP. If that retrieval fails (the lines marked <code>!</code> above), the domain is reported as plain <code>kerberos</code>, as in the next example.

Against a generic Kerberos domain, such as redhat.com or nullroute.eu.org, it should look something like this:

<pre>
$ realm discover --verbose nullroute.eu.org
 * Searching for kerberos SRV records for domain: _kerberos._udp.nullroute.eu.org
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.nullroute.eu.org
 * virgule.cluenet.org:88 panther.nathan7.eu:88
 * Trying to retrieve IPA certificate from virgule.cluenet.org
 * Trying to retrieve IPA certificate from panther.nathan7.eu
 ! Couldn't read certificate via HTTP: No PEM-encoded certificate found
 ! Couldn't discover IPA KDC: No PEM-encoded certificate found
 * Found kerberos DNS records for: nullroute.eu.org
 * Successfully discovered: nullroute.eu.org
NULLROUTE.EU.ORG
  configured: no
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
</pre>

Discovery is unauthenticated: it trusts whatever SRV answers and HTTP responses it receives. Check that the hosts printed are the domain controllers you expect, because a spoofed SRV record on an untrusted network would direct the subsequent <code>kinit</code>, including the pre-authentication data derived from the user's password, at a host of the attacker's choosing.