From Fedora Project Wiki

(update a bit (fudge the version number and arch, drop use of no-longer-necessary updates.img, use mirrorservice, drop f19-beta specific stuff))
Revision as of 23:26, 7 July 2014

Description

Join the current machine to an Active Directory using Anaconda's kickstart.

Setup

  1. Make sure you have the required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
    • A non-live installer image for the Fedora release you wish to test
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. Precreate a computer account in the domain with a one time password using adcli:
    $ adcli preset-computer --one-time-password=MyPassword --domain=ad.example.com anaconda1
    The computer name above must match the name in the ks.cfg file below.
    Replace your domain name.
  4. Create a new virtual machine with at least an 8GB disk and 1GB of RAM, and boot it from the installer image
  5. Prepare the kickstart file
    Create a file based on the one below, putting your domain name into the realm command and the correct Fedora version and architecture into the url command (and making any other adjustments as necessary)
    Upload the kickstart file to your fedorapeople.org account or some other accessible HTTP server (or use another method of kickstart deployment, whatever is most convenient)
bootloader --location=mbr
network --bootproto=dhcp --hostname=anaconda1
url --url http://download.fedoraproject.org/pub/linux/fedora/linux/development/(version)/(arch)/os/
install
timezone Europe/Prague
lang en_US.UTF-8
clearpart --all
autopart
realm join --one-time-password=MyPassword ad.example.com
%packages
vim
%end
rootpw anaconda
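The computer name given to adcli preset-computer, the domain and the one-time password all have to agree with the kickstart, and the (version)/(arch) placeholders in the url line have to be filled in. This added check (not part of the wiki page or of anaconda/realmd; it parses the kickstart with shlex rather than anaconda's own parser) catches those mismatches before you boot:

```python
import re
import shlex

# Constructed sample kickstart, copied from the one on this page.
KS_SAMPLE = """bootloader --location=mbr
network --bootproto=dhcp --hostname=anaconda1
url --url http://download.fedoraproject.org/pub/linux/fedora/linux/development/(version)/(arch)/os/
install
clearpart --all
autopart
realm join --one-time-password=MyPassword ad.example.com
rootpw anaconda
"""

def parse_kickstart(text):
    """Pull out the fields that must agree with the adcli preset-computer call."""
    found = {}
    for line in text.splitlines():
        words = shlex.split(line)
        if not words:
            continue
        if words[0] == "network":
            for w in words[1:]:
                if w.startswith("--hostname="):
                    found["hostname"] = w.split("=", 1)[1]
        elif words[:2] == ["realm", "join"]:
            for w in words[2:]:
                if w.startswith("--one-time-password="):
                    found["otp"] = w.split("=", 1)[1]
                elif not w.startswith("--"):
                    found["domain"] = w   # positional argument is the domain
        elif words[0] == "url" and len(words) > 1:
            found["url"] = words[-1]
    return found

def check_against_preset(ks, preset_hostname, preset_domain, preset_otp):
    """Return the mismatches; an empty list means the two sides agree."""
    problems = []
    if ks.get("hostname") != preset_hostname:
        problems.append("hostname mismatch: kickstart %r vs preset %r"
                        % (ks.get("hostname"), preset_hostname))
    if ks.get("domain") != preset_domain:
        problems.append("domain mismatch: kickstart %r vs preset %r"
                        % (ks.get("domain"), preset_domain))
    if ks.get("otp") != preset_otp:
        problems.append("one-time password differs from the adcli preset")
    if re.search(r"\((version|arch)\)", ks.get("url", "")):
        problems.append("url still contains (version)/(arch) placeholders")
    return problems
```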

How to test

  1. Start your new virtual machine you prepared above
  2. At the Fedora boot loader install prompt, use the arrow keys to select Install Fedora 42 and press tab.
  3. Add the following to the end of the command line
    inst.ks=http://path/to/the/ks.cfg
    Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method).
  4. Press enter to boot and run the installation.

Expected Results

  1. The boot should complete without prompting
    If you watch closely, before install you should see a status line saying that the realm is being discovered
    Again, after installation, you should see a status line joining the domain.
  2. Reboot the machine after installation
  3. Log in as root, using the root password in the ks.cfg
  4. Check if you are joined to the domain
    realm list
    The domain should be listed
    Make note of the login format
  5. Check that domain accounts can be resolved
    getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  6. Check that you have an appropriate entry in your hosts keytab.
    sudo klist -k
  7. Check that you can use your keytab with kerberos
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there.
    Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  8. Try to log into the machine as a domain account at the console.
    This should automatically create a new home directory for the user, and log into a shell prompt.
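Steps 4 through 7 above can be checked mechanically. The functions below are an added example (not from the wiki page or from realmd); they run over constructed samples of `realm list`, `getent passwd` and `klist -k` output, build the DOMAIN\User name from the login format, check the passwd line for a home directory and shell, and confirm the capitalized HOSTNAME$@REALM principal is in the keytab:

```python
# Constructed samples of what `realm list`, `getent passwd` and `sudo klist -k`
# might print on a host joined as anaconda1 to ad.example.com (not captured output).
REALM_LIST_SAMPLE = """ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  configured: kerberos-member
  login-formats: AD\\%U
"""
GETENT_SAMPLE = "AD\\user:*:1234567:1234567:Example User:/home/user@ad.example.com:/bin/bash"
KLIST_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/anaconda1.ad.example.com@AD.EXAMPLE.COM
   2 anaconda1$@AD.EXAMPLE.COM
   2 ANACONDA1$@AD.EXAMPLE.COM
"""

def login_format(realm_list_output):
    """The login-formats value from `realm list`, e.g. 'AD\\%U'."""
    for line in realm_list_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "login-formats":
            return value.strip()
    return None

def remote_user_name(fmt, user):
    """Substitute the user into the login format to get the name to pass to getent."""
    return fmt.replace("%U", user)

def passwd_entry_ok(line):
    """getent passwd must yield 7 colon-separated fields with a home directory and a shell."""
    fields = line.rstrip("\n").split(":")
    return len(fields) == 7 and fields[5].startswith("/") and fields[6].startswith("/")

def host_principal(hostname, domain):
    """The principal to kinit with: HOSTNAME$@REALM, both parts capitalized."""
    return "%s$@%s" % (hostname.upper(), domain.upper())

def keytab_has_host_principal(klist_output, hostname, domain):
    """True if the capitalized host principal appears in `klist -k` output."""
    wanted = host_principal(hostname, domain)
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1] == wanted:
            return True
    return False
```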

More: Try it with FreeIPA

Use a FreeIPA domain with kickstart.

Instead of the adcli preset-computer command, use the FreeIPA Web UI to precreate an account with the appropriate name.

Troubleshooting

  • If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
  • If the adcli preset-computer command above complains about the computer account already existing, you can delete it with a command like this:
$ adcli delete-computer --domain=ad.example.com anaconda1