Testing Fedora 18 Active Directory Integration
realmd is a DBus based management service that configures membership of realms/domains on the local machine.
realmd documentation: http://www.freedesktop.org/software/realmd/docs/index.html
In addition many bugs and brittleness have been fixed in krb5. This documentation involves some testing of that as well.
Preparation
In order to test realmd with Active Directory, you need the following.
An Active Directory domain to test against. You should have credentials for an administrative account on this domain. For deeper testing you should be able to access the domain and create accounts.
Obviously for real life testing using an already deployed Active Directory domain is desirable. But if you don't have access to an Active Directory domain, here's how to install Windows Server 2008 for free and set one up: http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html
Note that the Active Directory will need to be appropriately discoverable via DNS, as it would be "in real life". If DNS is not setup for your Active Directory domain, you can also use steps 8 and 9 in the linked setup instructions above to make DNS work appropriately on your test machine for your domain.
In the following documentation we'll use ad.example.com
when referring to the domain.
To install realmd from source:
$ sudo yum install realmd
To build and install realmd from source, do something like this:
$ git clone git://anongit.freedesktop.org/realmd/realmd $ cd realmd $ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug $ make $ sudo make install $ sudo restorecon -Rv /etc/dbus-1 /usr/bin/realm /usr/lib64/realmd /usr/share/dbus-1 /usr/share/polkit-1
If you wish to later go back to the Fedora 18 version of realmd, just reinstall realmd:
$ sudo yum reinstall realmd
Test using domain without krb5.conf
Work has been done to make krb5.conf configurationless, and unbreak the default /etc/krb5.conf
that was distributed with Fedora 17 and earlier.
Move /etc/krb5.conf
away.
$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
If you wish to test with a default neutral /etc/krb5.conf
file, use the following file, as included in the krb5-libs
package:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true # default_realm = EXAMPLE.COM [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM
But again, it is not required to have a /etc/krb5.conf
at all.
Now do a kinit
against your Active Directory domain:
$ kinit Administrator@AD.EXAMPLE.COM $ klist -e
You should see kerberos tickets listed.
Possible non-systemic problems:
- Make sure the domain is capitalized as above. This is the kerberos realm name for the Active Directory domain.
- Make sure that the domain can be resolved via DNS:
$ host -t SRV _kerberos._udp.ad.example.com
Test realmd Discovery
realmd discovers domains and what kind of domain they are. To test this use the realm
command to drive realmd.
Against an Active Directory domain the output should look like this:
$ realm discover --verbose ad.example.com * Searching for kerberos SRV records for domain: _kerberos._udp.ad.example.com * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ad.example.com * dc.ad.example.com:88 * Found kerberos DNS records for: ad.example.com * Found AD style DNS records for: ad.example.com * Successfully discovered: ad.example.com AD.EXAMPLE.COM configured: no type: active-directory realm-name: AD.EXAMPLE.COM domain-name: ad.example.com
Against an IPA domain the output should look something like this:
$ realm --verbose discover ipa.example.com * Searching for kerberos SRV records for domain: _kerberos._udp.ipa.example.com * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ipa.example.com * dc.ipa.example.com:88 * Trying to retrieve IPA certificate from dc.ipa.example.com ! Couldn't read certificate via HTTP: No PEM-encoded certificate found ! Couldn't discover IPA KDC: No PEM-encoded certificate found * Found kerberos DNS records for: ipa.example.com * Successfully discovered: ipa.example.com NULLROUTE.EU.ORG configured: no type: freeipa realm-name: IPA.EXAMPLE.COM domain-name: ipa.example.com
Against a generic kerberos domain, such as redhat.com, or nullroute.eu.org, it should look something like this:
$ realm discover --verbose nullroute.eu.org * Searching for kerberos SRV records for domain: _kerberos._udp.nullroute.eu.org * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.nullroute.eu.org * virgule.cluenet.org:88 panther.nathan7.eu:88 * Trying to retrieve IPA certificate from virgule.cluenet.org * Trying to retrieve IPA certificate from panther.nathan7.eu ! Couldn't read certificate via HTTP: No PEM-encoded certificate found ! Couldn't discover IPA KDC: No PEM-encoded certificate found * Found kerberos DNS records for: nullroute.eu.org * Successfully discovered: nullroute.eu.org NULLROUTE.EU.ORG configured: no type: kerberos realm-name: NULLROUTE.EU.ORG domain-name: nullroute.eu.org