From Fedora Project Wiki

(Add about polkit)
m (Fix typo)
Line 8: Line 8:
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
#: Note the <code>login-formats:</code> line.
#: Note the <code>login-formats:</code> line.
# Check that you cannot resolve domain accounts on the local computer.  
# Check that you can resolve domain accounts on the local computer.  
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
#: <pre>$ getent passwd 'AD\User'</pre>
#: <pre>$ getent passwd 'AD\User'</pre>

Revision as of 12:47, 18 October 2012

Description

Leave an active directory domain by deconfiguring it locally.

Setup

  1. Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
  2. Run through the test case to join the domain.
  3. Verify that you are joined to the domain with the following command 
    $ realm list
    Make sure you have a configured: kerberos-membership line in the output.
    Note the login-formats: line.
  4. Check that you can resolve domain accounts on the local computer.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
    $ getent passwd 'AD\User'

How to test

  1. Perform the leave command. 
    $ realm leave ad.example.com
    You will be prompted for Policy Kit authorization.
    You will not be prompted for a password.
    This should proceed quickly, not take more that 10 seconds.
    On a successful leave there will be no output.

Expected Results

  1. Check that the domain is no longer configured. 
    $ realm list
    Make sure the domain is not listed.
  2. Check that you cannot resolve domain accounts on the local computer. 
    $ getent passwd 'AD\User'
    There should be no output.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that there is no machine account for the domain in the keytab. 
    sudo klist -k
    You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
  4. If you have console access to a domain controller, you can use the Active Directory Users and Computers tool to see if that the computer account was not deleted.



Troubleshooting

Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports. 

$ realm leave --verbose ad.example.com
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_realmd_leave&oldid=307553"