From Fedora Project Wiki

Revision as of 02:42, 25 November 2014 by Adamwill (talk | contribs) (create template for domain enrolment results (not conditionalized, for now))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

  1. Check that the domain is now configured: realm list
    Make sure the domain is listed
    Make sure you have a configured: kerberos-member line in the output
  2. Check that you can resolve domain accounts on the local computer
    For Active Directory:
    getent passwd 'AD\User' (make sure to use the quotes)
    For FreeIPA:
    getent passwd admin@domain (domain is the fully-qualified FreeIPA domain name, e.g. ipa.example.org)
    You should see an output line that looks like passwd output. It should contain an appropriate home directory, and a shell
  3. Check that you have an appropriate entry in your host's keytab: su -c 'klist -k'
    You should see several lines with your host name. For example 1 host/$hostname@$FQDN
  4. Check that you can use your keytab with kerberos: su -c 'kinit -k (principal)'
    Replace (principal) with the principal from the output of the klist command above. Use the one with the domain capitalized and that looks like host/hostname@DOMAIN) (FreeIPA) or HOSTNAME$@DOMAIN (Active Directory)
    There should be no output from this command
  5. If you are testing FreeIPA and have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section
  6. Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.
Retrieved from "https://fedoraproject.org/w/index.php?title=Template:Domain_client_enrol_results&oldid=395617"