Features/ActiveDirectory/TestingRealmd

From FedoraProject


Testing Fedora 18 Active Directory Integration

realmd is a DBus based management service that configures membership of realms/domains on the local machine.

realmd documentation: http://www.freedesktop.org/software/realmd/docs/index.html

In addition, many bugs and sources of brittleness have been fixed in krb5. This documentation covers some testing of that as well.

Preparation

In order to test realmd with Active Directory, you need the following.

An Active Directory domain to test against. You should have credentials for an administrative account on this domain. For deeper testing you should be able to access the domain and create accounts.

Obviously for real life testing using an already deployed Active Directory domain is desirable. But if you don't have access to an Active Directory domain, here's how to install Windows Server 2008 for free and set one up: http://stef.thewalter.net/2012/08/how-to-create-active-directory-domain.html

Note that the Active Directory domain will need to be discoverable via DNS, as it would be "in real life". If DNS is not set up for your Active Directory domain, you can also use steps 8 and 9 in the linked setup instructions above to make DNS work appropriately on your test machine for your domain.

In the following documentation we'll use ad.example.com when referring to the domain.

To install the packaged realmd from the Fedora repositories:

$ sudo yum install realmd

To build and install realmd from source, do something like this:

$ git clone git://anongit.freedesktop.org/realmd/realmd
$ cd realmd
$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug
$ make
$ sudo make install
$ sudo restorecon -Rv /etc/dbus-1 /usr/bin/realm /usr/lib64/realmd /usr/share/dbus-1 /usr/share/polkit-1

If you wish to later go back to the Fedora 18 version of realmd, just reinstall realmd:

$ sudo yum reinstall realmd

Test using domain without krb5.conf

Work has been done to make krb5 work without any configuration in krb5.conf, and to unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.

Move /etc/krb5.conf away.

$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak

If you wish to test with a default neutral /etc/krb5.conf file, use the following file, as included in the krb5-libs package:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

But again, it is not required to have a /etc/krb5.conf at all.
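To see which settings in a krb5.conf would get in the way of the DNS-based realm discovery this test relies on, here is an added Python example (not part of realmd, krb5 or this wiki page) that parses a config and reports anything that pins the realm to fixed KDCs or changes what a bare kinit resolves. The embedded config is the neutral krb5-libs file above, cut down; the checks are the example's own.

```python
# Constructed sample: the neutral krb5-libs /etc/krb5.conf quoted on this page,
# cut down to the sections that matter for realm discovery.
NEUTRAL_KRB5_CONF = """\
[libdefaults]
 dns_lookup_realm = false
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """{section: {key: value}}; a brace block (a realm entry) nests as a dict."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None  # end of a brace block
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                sub = key  # start of a brace block, e.g. a realm entry
                conf[section][sub] = {}
            elif sub is not None:
                conf[section][sub][key] = value
            else:
                conf[section][key] = value
    return conf

def discovery_findings(conf, realm):
    """Settings that bypass DNS discovery of REALM or change what a bare kinit does."""
    lib, findings = conf.get("libdefaults", {}), []
    if lib.get("dns_lookup_kdc", "true").lower() in ("false", "no", "0"):
        findings.append("dns_lookup_kdc is off: KDCs must be listed under [realms]")
    pinned = conf.get("realms", {}).get(realm, {})
    if "kdc" in pinned:
        findings.append(f"[realms] pins {realm} to {pinned['kdc']}; DNS SRV lookup is skipped")
    if lib.get("default_realm", realm) != realm:
        findings.append(f"default_realm is {lib['default_realm']}; kinit needs an explicit @{realm}")
    return findings
```

An empty list for the neutral file is the expected result; a non-empty one explains why the kinit below may ignore the domain's DNS records.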

Now do a kinit against your Active Directory domain:

$ kinit Administrator@AD.EXAMPLE.COM
$ klist -e

You should see Kerberos tickets listed.

Possible problems that are not bugs in krb5 or realmd:

  • Make sure the domain is written in upper case as above. This is the Kerberos realm name for the Active Directory domain.
  • Make sure that the domain can be resolved via DNS.