From Fedora Project Wiki

No edit summary
No edit summary
Line 3: Line 3:
|setup=
|setup=
# [[Features/FreeIPA/TestBed|Verify that your FreeIPA domain access works]]. If you don't have a FreeIPA domain, you can [[QA:Testcase_freeipav3_installation|set one up]].
# [[Features/FreeIPA/TestBed|Verify that your FreeIPA domain access works]]. If you don't have a FreeIPA domain, you can [[QA:Testcase_freeipav3_installation|set one up]].
# You need a domain account, either a user or administrator. It's useful to test with both.
# '''Your machine must have a configured host name. Do not proceed if your host name is <code>localhost</code> or similar.'''
# '''Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.'''
#: <pre>$ hostname</pre>
#: <pre>$ hostname</pre>
# Make sure you have realmd 0.13 or later installed.
# Make sure you have realmd 0.13 or later installed.
#: <pre>$ yum list realmd</pre>
#: <pre>$ yum list realmd</pre>
# Remove the following packages, they should be installed by realmd as necessary.
#: <pre>$ sudo yum remove sssd freeipa</pre>
|actions=
|actions=
# Perform the join command. Use the <code>--user=xxx</code> argument to specify your domain account name.  
# Perform the join command using IPA's admin account.  
#: <pre>$ realm join --user=User freeipa.example.com</pre>
#: <pre>$ realm join --user=admin ipa.example.org</pre>
#: You will be prompted for a password for the account.
#: You will be prompted for a password for the account.
#: You will be prompted for Policy Kit authorization.
#: You will be prompted for Policy Kit authorization.
Line 25: Line 22:
#: Make note of the login-formats line for the next command.
#: Make note of the login-formats line for the next command.
# Check that you can resolve domain accounts on the local computer.  
# Check that you can resolve domain accounts on the local computer.  
#: <pre>$ getent passwd 'User@freeipa.example.com'</pre>
#: <pre>$ getent passwd 'admin@ipa.example.org'</pre>
#: Make sure to use the quotes around the user name.
#: Make sure to use the quotes around the user name.
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full Active Directory domain name (e.g. freeipa.example.com).
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full IPA domain name (e.g. ipa.example.org).
# Check that you have an appropriate entry in your hosts keytab.
# Check that you have an appropriate entry in your hosts keytab.
#: <pre>sudo klist -k</pre>
#: <pre>sudo klist -k</pre>
#: You should see several lines, with your host name. For example <code>1 host/HOSTNAME@FREEIPA.EXAMPLE.COM</code>
#: You should see several lines, with your host name. For example <code>1 host/HOSTNAME@IPA.EXAMPLE.ORG</code>
# Check that you can use your keytab with kerberos
# Check that you can use your keytab with kerberos
#: <pre>sudo kinit -k 'host/HOSTNAME@FREEIPA.EXAMPLE.COM'</pre>
#: <pre>sudo kinit -k 'host/HOSTNAME@IPA.EXAMPLE.ORG'</pre>
#: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
#: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
#: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>host/HOSTNAME@FULL-DOMAIN</code>.
#: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>host/HOSTNAME@FULL-DOMAIN</code>.
#: There should be no output from this command.
#: There should be no output from this command.
# If you have console access to the FreeIPA server, you can use the FreeIPA Web UI to see if the computer account was created under the ''Hosts'' section.
# If you have set up the FreeIPA Web UI, you can use it to see if the computer account was created under the ''Hosts'' section.
}}
}}


Line 45: Line 42:


<pre>
<pre>
$ realm join --verbose freeipa.example.com
$ realm join --verbose ipa.example.org
</pre>
</pre>


Revision as of 23:05, 15 April 2013

Description

Join the current machine to a FreeIPA domain. Domain accounts are available on the local machine once this is done.

Setup

  1. Verify that your FreeIPA domain access works. If you don't have a FreeIPA domain, you can set one up.
  2. Your machine must have a configured host name. Do not proceed if your host name is localhost or similar. 
    $ hostname
  3. Make sure you have realmd 0.13 or later installed. 
    $ yum list realmd

How to test

  1. Perform the join command using IPA's admin account. 
    $ realm join --user=admin ipa.example.org
    You will be prompted for a password for the account.
    You will be prompted for Policy Kit authorization.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your FreeIPA domain is.

Expected Results

  1. Check that the domain is now configured. 
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer. 
    $ getent passwd 'admin@ipa.example.org'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full IPA domain name (e.g. ipa.example.org).
  3. Check that you have an appropriate entry in your hosts keytab. 
    sudo klist -k
    You should see several lines, with your host name. For example 1 host/HOSTNAME@IPA.EXAMPLE.ORG
  4. Check that you can use your keytab with kerberos 
    sudo kinit -k 'host/HOSTNAME@IPA.EXAMPLE.ORG'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like host/HOSTNAME@FULL-DOMAIN.
    There should be no output from this command.
  5. If you have set up the FreeIPA Web UI, you can use it to see if the computer account was created under the Hosts section.



Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports. 

$ realm join --verbose ipa.example.org

The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.

Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do: 

$ sudo setenforce 0

Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873 

$ sudo grep realmd /var/log/audit/audit.log
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_FreeIPA_realmd_join&oldid=330969"