From Fedora Project Wiki
(Categories) |
(Update troubleshooting for selinux package and nsswitch issue) |
||
| Line 33: | Line 33: | ||
</pre> | </pre> | ||
''' | * {{bz|952830}} If you see '''SELinux issues''', it's because you don't have [http://koji.fedoraproject.org/koji/buildinfo?buildID=412505 selinux-policy-3.12.1-32] or later. | ||
** Please do this and report all AVC's to the above bug. | |||
<pre> | <pre> | ||
$ sudo setenforce | $ sudo setenforce permissive | ||
... do the test | |||
$ sudo grep realmd /var/log/audit/audit.log | |||
</pre> | </pre> | ||
* {{bz|953453}} ipa-client-install incorrectly removes 'sss' from <code>/etc/nsswitch.conf</code> | |||
** This may cause errors when running other tests after this one. | |||
<pre> | ** A newly installed system will have this present. | ||
$ sudo | ** ''Workaround'': The following lines should have 'sss' on them in <code>/etc/nsswitch.conf</code> by default. You can restore this by doing the following, and then running through the tests again: | ||
</pre> | <pre>$ sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak | ||
$ sudo yum reinstall glibc | |||
$ shutdown -r now</pre> | |||
[[Category:Realmd_Test_Cases]] [[Category:FreeIPA_Test_Cases]] | [[Category:Realmd_Test_Cases]] [[Category:FreeIPA_Test_Cases]] | ||
Revision as of 09:59, 18 April 2013
Description
Leave a FreeIPA domain by deconfiguring it locally.
Setup
- If you haven't already, run through the test case to join the domain.
How to test
- Perform the leave command.
$ realm leave ipa.example.org
- You will be prompted for Policy Kit authorization.
- You will not be prompted for a password.
- This should proceed quickly, not take more that 10 seconds.
- On a successful leave there will be no output.
Expected Results
- Check that the domain is no longer configured.
$ realm list
- Make sure the domain is not listed.
- Check that you cannot resolve domain accounts on the local computer.
$ getent passwd admin@ipa.example.org
- There should be no output.
- Check that there is no machine account for the domain in the keytab.
sudo klist -k
- You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
- If you have set up the FreeIPA Web UI, you can see that computer account has not been deleted (under the Hosts section)
Troubleshooting
Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports.
$ realm leave --verbose ipa.example.org
- RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do this and report all AVC's to the above bug.
$ sudo setenforce permissive ... do the test $ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953453 ipa-client-install incorrectly removes 'sss' from
/etc/nsswitch.conf- This may cause errors when running other tests after this one.
- A newly installed system will have this present.
- Workaround: The following lines should have 'sss' on them in
/etc/nsswitch.confby default. You can restore this by doing the following, and then running through the tests again:
$ sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak $ sudo yum reinstall glibc $ shutdown -r now