From Fedora Project Wiki

(Add known issues)
(Update realmd and control-center versions)
Line 4: Line 4:
# Due to [https://bugzilla.redhat.com/show_bug.cgi?id=867473 this bug] with [http://lists.fedoraproject.org/pipermail/devel/2012-October/172688.html discussion here], you need to have <code>sss</code> in your <code>/etc/nsswitch.conf</code> when you last booted you system. To do so run this:
# Due to [https://bugzilla.redhat.com/show_bug.cgi?id=867473 this bug] with [http://lists.fedoraproject.org/pipermail/devel/2012-October/172688.html discussion here], you need to have <code>sss</code> in your <code>/etc/nsswitch.conf</code> when you last booted you system. To do so run this:
#: <pre>$ sudo authconfig --update --enablesssd; sudo shutdown -r now</pre>
#: <pre>$ sudo authconfig --update --enablesssd; sudo shutdown -r now</pre>
# Unfortunately you need gnome-control-center from git master (or the future to be released 3.6.2 version). This can be [http://developer.gnome.org/jhbuild/unstable/getting-started.html.en built with jhbuild], but takes several hours:
# You need control-center 3.6.2 version.
#: <pre>$ jhbuild build gnome-control-center</pre>
# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
# You need a domain user account and administrator account, or both. If you have both, enter the use account as the user you're going to add below.
# You need a domain user account and administrator account, or both. If you have both, enter the use account as the user you're going to add below.
# Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.
# Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.
#: <pre>$ hostname</pre>
#: <pre>$ hostname</pre>
# Make sure you have [https://admin.fedoraproject.org/updates/FEDORA-2012-16388/realmd-0.9-1.fc18 realmd 0.9] or later installed.
# Make sure you have [https://admin.fedoraproject.org/updates/FEDORA-2012-16542/realmd-0.10-1.fc18 realmd 0.10] or later installed.
#: <pre>$ yum list realmd</pre>
#: <pre>$ yum list realmd</pre>
# Remove the following packages, they should be installed by realmd as necessary.
# Remove the following packages, they should be installed by realmd as necessary.
Line 82: Line 81:
$ sudo grep realmd /var/log/audit/audit.log
$ sudo grep realmd /var/log/audit/audit.log
</pre>
</pre>
'''Known Issue [[https://bugzilla.gnome.org/show_bug.cgi?id=686390 Timeout]]:''' Timeout reached while adding Enterprise login.
You need this patch: http://bugzilla-attachments.gnome.org/attachment.cgi?id=226752


[[Category:Active_Directory_Test_Cases]]
[[Category:Active_Directory_Test_Cases]]

Revision as of 08:03, 29 October 2012

Description

Join the current machine to an Active Directory domain using sssd as an AD client, without entering administrative credentials.

Setup

  1. Due to this bug with discussion here, you need to have sss in your /etc/nsswitch.conf when you last booted you system. To do so run this: 
    $ sudo authconfig --update --enablesssd; sudo shutdown -r now
  2. You need control-center 3.6.2 version.
  3. Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
  4. You need a domain user account and administrator account, or both. If you have both, enter the use account as the user you're going to add below.
  5. Your machine must have a configured host name. Do not proceed if you host name is localhost or similar. 
    $ hostname
  6. Make sure you have realmd 0.10 or later installed. 
    $ yum list realmd
  7. Remove the following packages, they should be installed by realmd as necessary. 
    $ yum remove sssd samba-client adcli
  8. Make sure you are not joined to a domain. Use realm list to check, and realm leave to leave.

How to test

  1. Run gnome-control-center from a terminal.
  2. Choose the User Accounts panel.
  3. Click the Unlock button.
    You should get a Policy Kit authorization prompt.
  4. Click the add [+] button in the lower left.
  5. Choose the Enterprise login pane.
  6. Enter an invalid domain, invalid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the domain.
  7. Enter the valid domain, invalid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the user.
  8. Enter the valid domain, valid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the password.
  9. Enter the right password.
  10. Click on Add
    If you user a non-administrative user, you may be prompted for administrative credentials. It is tricky to duplicate this at times. Active Directory is an odd one like that :)

Expected Results

  1. The user should now be listed in the User Accounts panel of the GNOME Control Center.
  2. Check that the domain is now configured. 
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-membership line in the output.
    Make note of the login-formats line for the next command.
  3. Check that you can resolve domain accounts on the local computer. 
    $ getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  4. Check that you have an appropriate entry in your hosts keytab. 
    sudo klist -k
    You should see several lines, with your host name. For example 2 HOSTNAME$@AD.EXAMPLE.COM
  5. Check that you can use your keytab with kerberos 
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  6. The user should show up here: 
    $ realm list
    Look at the permitted-logins: line.
    You should also see login-policy: allow-permitted-logins.
  7. Go to GDM by logging out, or by Switch User from the user menu.
  8. Choose the Not Listed? option.
    Verify that you can see the short name listed with a hint as to how to log in.
  9. Type DOMAIN\User in the box.
    The case of the domain and user should not matter, but they are separated by a backslash.
    The domain part is the part of your Active Directory domain prior to the first dot.
  10. Type the user domain password, and press enter.
  11. You should be logged into a Fedora Desktop.



Troubleshooting

You can see verbose output in the terminal that you started gnome-control-center from.

Known Issue [Selinux]: You need to turn off selinux to complete the permit action. Please do: 

$ sudo setenforce 0

Please file the all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873 

$ sudo grep realmd /var/log/audit/audit.log
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_realmd_control_center&oldid=309034"