|
|
(23 intermediate revisions by 6 users not shown) |
Line 1: |
Line 1: |
| {{QA/Test_Case
| | #REDIRECT [[QA:Testcase_realmd_join_sssd]] |
| |description=Join the current machine to a FreeIPA domain. Domain accounts are available on the local machine once this is done.
| |
| |setup=
| |
| # [[Features/FreeIPA/TestBed|Verify that your FreeIPA domain access works]]. If you don't have a FreeIPA domain, you can [[Features/FreeIPA/TestBed|set one up]]. | |
| # You need a domain account, either a user or administrator. It's useful to test with both.
| |
| # '''Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.'''
| |
| #: <pre>$ hostname</pre>
| |
| # Make sure you have realmd 0.13 or later installed.
| |
| #: <pre>$ yum list realmd</pre>
| |
| # Remove the following packages, they should be installed by realmd as necessary.
| |
| #: <pre>$ sudo yum remove sssd freeipa</pre>
| |
| |actions=
| |
| # Perform the join command. Use the <code>--user=xxx</code> argument to specify your domain account name.
| |
| #: <pre>$ realm join --user=User freeipa.example.com</pre>
| |
| #: You will be prompted for a password for the account.
| |
| #: You will be prompted for Policy Kit authorization.
| |
| #: On a successful join there will be no output.
| |
| #: This can take up to a few minutes depending on how far away your FreeIPA domain is.
| |
| | |
| |results=
| |
| # Check that the domain is now configured.
| |
| #: <pre>$ realm list</pre>
| |
| #: Make sure the domain is listed.
| |
| #: Make sure you have a <code>configured: kerberos-member</code> line in the output.
| |
| #: Make note of the login-formats line for the next command.
| |
| # Check that you can resolve domain accounts on the local computer.
| |
| #: <pre>$ getent passwd 'User@freeipa.example.com'</pre>
| |
| #: Make sure to use the quotes around the user name.
| |
| #: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
| |
| #: Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full Active Directory domain name (e.g. freeipa.example.com).
| |
| # Check that you have an appropriate entry in your hosts keytab.
| |
| #: <pre>sudo klist -k</pre>
| |
| #: You should see several lines, with your host name. For example <code>1 host/HOSTNAME@FREEIPA.EXAMPLE.COM</code>
| |
| # Check that you can use your keytab with kerberos
| |
| #: <pre>sudo kinit -k 'host/HOSTNAME@FREEIPA.EXAMPLE.COM'</pre>
| |
| #: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
| |
| #: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>host/HOSTNAME@FULL-DOMAIN</code>.
| |
| #: There should be no output from this command.
| |
| # If you have console access to the FreeIPA server, you can use the FreeIPA Web UI to see if the computer account was created under the ''Hosts'' section.
| |
| }}
| |
| | |
| == Troubleshooting ==
| |
| | |
| Use the <code>--verbose</code> argument to see details of what's being done during a join. Include verbose output in any bug reports.
| |
| | |
| <pre>
| |
| $ realm join --verbose freeipa.example.com
| |
| </pre>
| |
| | |
| The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
| |
| | |
| '''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=867873 Selinux]]:''' You need to turn off selinux to complete the join. Please do:
| |
| | |
| <pre>
| |
| $ sudo setenforce 0
| |
| </pre>
| |
| | |
| Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
| |
| | |
| <pre>
| |
| $ sudo grep realmd /var/log/audit/audit.log
| |
| </pre>
| |
| | |
| [[Category:Active_Directory_Test_Cases]]
| |