From Fedora Project Wiki

Revision as of 06:27, 9 May 2013

Description

Join the current machine to an Active Directory using OpenLMI

Setup

  1. We need to gather SELinux AVCs; be sure to gather all AVCs generated by this test case. See the Troubleshooting section below.
    $ sudo setenforce 0
  2. Install the components
    $ sudo yum install sblim-sfcb tog-pegasus pywbem realmd openlmi-realmd
  3. Download the realm CIM scriptlet
    $ sudo wget -O /usr/local/bin/realmd-cim http://jdennis.fedorapeople.org/realmd-cim
  4. Make it executable
    $ sudo chmod +x /usr/local/bin/realmd-cim
  5. Verify pegasus is running
    $ sudo systemctl status tog-pegasus
  6. Set the pegasus password; in this example we'll use XXXX as the password
    $ sudo passwd pegasus
  7. Make sure you have other required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
    • openlmi-providers 0.21 or later
  8. Verify that your Active Directory domain access works, or set a domain up.

How to test

  1. Show joined domains
    realm list
    ./realmd-cim -u pegasus -p XXXX list

realmd-cim should show information equivalent to what realm list shows.

  1. XXXX Test case incomplete

Expected Results

  1. Check if you are joined to the domain
    realm list
    The domain should be listed
    Make note of the login format
  2. Check that domain accounts can be resolved
    getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your hosts keytab.
    sudo klist -k
  4. Check that you can use your keytab with kerberos
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there.
    Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  5. Try to log into the machine as a domain account at the console.
    This should automatically create a new home directory for the user, and log into a shell prompt.
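The checks in steps 1 to 4 above can be scripted against the command output instead of read by eye. The following Python script is an added example, not part of this test case or of realmd; it works on constructed samples of `realm list`, `getent passwd` and `klist -k` output (the host name host, the domain ad.example.com and the numeric IDs are placeholders) and shows how the login-format, the passwd(5) fields and the upper-case keytab principal are picked out, and why the principal has to be quoted before it is handed to kinit -k.

```python
"""Offline checks for the domain-join verification steps.

Added example, not part of the Fedora QA test case. The sample outputs are
constructed to follow the layouts of `realm list`, `getent passwd` and
`klist -k`; the host name, domain and numeric IDs are placeholders.
"""
import shlex

# Constructed `realm list` output (realmd prints one unindented realm name
# followed by indented "key: value" lines).
SAMPLE_REALM_LIST = """\
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins
"""

# Constructed `getent passwd 'AD\User'` output: a single passwd(5) line.
SAMPLE_PASSWD = r"AD\user:*:1234567:1234567:Example User:/home/ad.example.com/user:/bin/bash"

# Constructed `klist -k` output for the host keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST$@AD.EXAMPLE.COM
   2 host/host.ad.example.com@AD.EXAMPLE.COM
"""


def parse_realm_list(text):
    """Parse `realm list` output into {realm: {key: [values]}}.

    Keys such as login-formats may repeat, so each key maps to a list.
    """
    realms = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            realms[current] = {}
            continue
        key, sep, value = line.strip().partition(":")
        if sep and current is not None:
            realms[current].setdefault(key.strip(), []).append(value.strip())
    return realms


def remote_user_name(realms, realm, user):
    """Expand the realm's first login-format for `user`.

    realmd login-formats use %U for the user name and %D for the domain name.
    """
    info = realms[realm]
    fmt = info["login-formats"][0]
    return fmt.replace("%U", user).replace("%D", info["domain-name"][0])


def check_passwd_entry(line):
    """Validate a passwd(5) line the way step 2 asks the tester to eyeball it.

    Returns (ok, reason): seven fields, numeric uid/gid, absolute home and shell.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return False, "expected 7 colon-separated fields, got %d" % len(fields)
    name, _pw, uid, gid, _gecos, home, shell = fields
    if not name:
        return False, "empty user name"
    if not (uid.isdigit() and gid.isdigit()):
        return False, "uid/gid are not numeric"
    if not home.startswith("/"):
        return False, "home directory is not an absolute path"
    if not shell.startswith("/"):
        return False, "shell is not an absolute path"
    return True, "ok"


def host_principal(klist_output, hostname, realm):
    """Return the upper-case HOSTNAME$@REALM entry from `klist -k`, or None.

    Data rows are "<kvno> <principal>"; header and separator rows are skipped
    because their first field is not a number.
    """
    wanted = "%s$@%s" % (hostname.upper(), realm.upper())
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1] == wanted:
            return parts[1]
    return None


def kinit_command(principal):
    """Shell-quote the principal: an unquoted `$` would be expanded by the shell."""
    return "kinit -k " + shlex.quote(principal)


if __name__ == "__main__":
    realms = parse_realm_list(SAMPLE_REALM_LIST)
    print("joined realms:", sorted(realms))
    print("remote user:", remote_user_name(realms, "ad.example.com", "user"))
    print("passwd entry:", check_passwd_entry(SAMPLE_PASSWD))
    principal = host_principal(SAMPLE_KLIST, "host", "ad.example.com")
    print("keytab principal:", principal)
    print("command:", kinit_command(principal))
```

To use it on the test machine, feed the captured text of each command to the matching function. `host_principal()` returning None means the keytab has no machine-account principal in the capitalised form, and step 4 would fail before kinit is even reached.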



More: Try it with FreeIPA

Use a FreeIPA domain with the OpenLMI join.

Troubleshooting

  • RHBZ #961207 When you see SELinux AVCs, report them to this bug.
    $ sudo setenforce permissive
    ... do the test
    $ sudo less /var/log/audit/audit.log
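Reading the whole audit log in less gets tedious once a run produces more than a handful of records, and a bug report needs the distinct denials rather than every repeat. The following Python script is an added example, not part of this test case or of any Fedora tool; it parses constructed audit.log records (the PIDs, inode numbers, timestamps and the contexts pegasus_t, krb5_keytab_t and realmd_t in the sample are placeholders, not observed denials) and groups denied AVCs by source type, target type and object class, collecting the union of permissions each group asked for.

```python
"""Summarise SELinux AVC records from an audit log.

Added example, not part of the Fedora QA test case. The records below are
constructed in audit.log AVC syntax; PIDs, inode numbers, timestamps and the
security contexts involved are placeholders, not observed data.
"""
import re

# Constructed audit.log excerpt: two file denials from the same source type,
# one SYSCALL record without AVC data, one granted AVC and one D-Bus USER_AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1368080000.123:456): avc:  denied  { read } for  pid=1234 comm="cimserver" name="krb5.keytab" dev="dm-0" ino=131 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=SYSCALL msg=audit(1368080000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="cimserver" exe="/usr/sbin/cimserver"
type=AVC msg=audit(1368080001.001:457): avc:  denied  { read open } for  pid=1234 comm="cimserver" name="krb5.keytab" dev="dm-0" ino=131 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(1368080002.500:458): avc:  granted  { setenforce } for  pid=999 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=USER_AVC msg=audit(1368080003.000:459): pid=1 uid=0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

# One pattern covers kernel AVC records and the avc: text embedded in USER_AVC.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict, or None if it carries no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass").rstrip("'"),
        "comm": comm.group(1) if comm else None,
    }


def parse_audit_log(text):
    """Return every AVC record (denied or granted) found in the log text."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            records.append(rec)
    return records


def summarize_denials(text):
    """Group denied AVCs by (source type, target type, object class).

    Each group records how often it fired, the union of permissions requested
    and the commands involved: the facts a bug report needs.
    """
    groups = {}
    for rec in parse_audit_log(text):
        if rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"count": 0, "perms": set(), "comms": set()})
        g["count"] += 1
        g["perms"] |= rec["perms"]
        if rec["comm"]:
            g["comms"].add(rec["comm"])
    return groups


def format_report(groups):
    """Render the grouped denials as one line per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        lines.append("%s -> %s (%s): %d denial(s), perms { %s }" % (
            stype, ttype, tclass, g["count"], " ".join(sorted(g["perms"]))))
    return lines


if __name__ == "__main__":
    for line in format_report(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

Run it with the log text read from /var/log/audit/audit.log after the test; the grouped lines are what to paste into the bug, since granted records and repeats of the same denial add nothing to the report.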