From Fedora Project Wiki

(Categories)
No edit summary
 
(4 intermediate revisions by one other user not shown)
Line 2: Line 2:
|description=Leave an active directory domain by deconfiguring it locally.
|description=Leave an active directory domain by deconfiguring it locally.
|setup=
|setup=
# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
# Make sure you have other required software:
#* realmd 0.14.0 or later
# Verify that your [[QA:Testcase_Active_Directory_Setup|Active Directory domain access works, or set a domain up]].
# Run through the [[QA:Testcase_Active_Directory_realmd_join_sssd|test case to join the domain]].
# Run through the [[QA:Testcase_Active_Directory_realmd_join_sssd|test case to join the domain]].
# Verify that you are joined to the domain with the following command
# Verify that you are joined to the domain with the following command
Line 15: Line 17:
# Perform the leave command.
# Perform the leave command.
#: <pre>$ realm leave ad.example.com</pre>
#: <pre>$ realm leave ad.example.com</pre>
#: You will be prompted for Policy Kit authorization.
#: You will be prompted for Policy Kit authorization, because you're not running this as root.
#: You will not be prompted for a password.
#: You will not be prompted for a password.
#: This should proceed quickly, not take more that 10 seconds.
#: This should proceed quickly, not take more that 10 seconds.
Line 27: Line 29:
#: <pre>$ getent passwd 'AD\User'</pre>
#: <pre>$ getent passwd 'AD\User'</pre>
#: There should be no output.
#: There should be no output.
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
# Check that there is no machine account for the domain in the keytab.
# Check that there is no machine account for the domain in the keytab.
#: <pre>sudo klist -k</pre>
#: <pre>sudo klist -k</pre>
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
# If you have console access to a domain controller, you can use the ''Active Directory Users and Computers'' tool to see if that the computer account was not deleted.
# If you have console access to a domain controller, you can use the ''Active Directory Users and Computers'' tool to see if that the computer account was '''not''' deleted.
}}
}}


Line 42: Line 43:
</pre>
</pre>


'''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=867873 Selinux]]:''' You need to turn off selinux to complete the join. Please do:
Leave currently does not works under non-root user [[https://bugzilla.redhat.com/show_bug.cgi?id=867807]].
 
<pre>
$ sudo setenforce 0
</pre>
 
Please file the all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
 
<pre>
$ sudo grep realmd /var/log/audit/audit.log
</pre>


[[Category:Active_Directory_Test_Cases]] [[Category:Realmd_Test_Cases]]
[[Category:Active_Directory_Test_Cases]] [[Category:Realmd_Test_Cases]]

Latest revision as of 11:50, 9 May 2013

Description

Leave an active directory domain by deconfiguring it locally.

Setup

  1. Make sure you have other required software:
    • realmd 0.14.0 or later
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. Run through the test case to join the domain.
  4. Verify that you are joined to the domain with the following command 
    $ realm list
    Make sure you have a configured: kerberos-membership line in the output.
    Note the login-formats: line.
  5. Check that you can resolve domain accounts on the local computer.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
    $ getent passwd 'AD\User'

How to test

  1. Perform the leave command. 
    $ realm leave ad.example.com
    You will be prompted for Policy Kit authorization, because you're not running this as root.
    You will not be prompted for a password.
    This should proceed quickly, not take more that 10 seconds.
    On a successful leave there will be no output.

Expected Results

  1. Check that the domain is no longer configured. 
    $ realm list
    Make sure the domain is not listed.
  2. Check that you cannot resolve domain accounts on the local computer. 
    $ getent passwd 'AD\User'
    There should be no output.
  3. Check that there is no machine account for the domain in the keytab. 
    sudo klist -k
    You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
  4. If you have console access to a domain controller, you can use the Active Directory Users and Computers tool to see if that the computer account was not deleted.



Troubleshooting

Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports. 

$ realm leave --verbose ad.example.com

Leave currently does not works under non-root user [[1]].

Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_realmd_leave&oldid=336369"