From Fedora Project Wiki

Revision as of 12:43, 26 April 2013 by Stefw (talk | contribs) (Add about configuration)

Description

Join the current machine to an Active Directory, while creating a userPrincipalName.

Setup

  1. Fulfill the prerequisites and make sure your Active Directory domain access works. realmd 0.14.0+ and adcli 0.6+ are required.
  2. You need a domain administrator account.
  3. Leave any realm(s) you are currently joined to.
  4. The user principal name is an additional Kerberos principal which can be used to log in as the computer account. Its realm portion (after the @ sign) must be the domain name in upper case, exactly as the domain's Kerberos realm is spelled.

How to test

  1. Join the domain specifying a user principal name
    $ realm join --user=Administrator --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
    The user principal name you choose must not be the name of another user or computer in the domain.
    Use your domain admin password when prompted. Specify a user other than Administrator if you have another domain administrative account.
    On a successful join there will be no output.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
  2. Check that you have the UPN entry in your host's keytab.
    $ sudo klist -k
    You should see a line with the user principal you specified, such as 2 Test@AD.EXAMPLE.COM
  3. Check that you can use your keytab with the user principal.
    $ sudo kinit -k host/Test@AD.EXAMPLE.COM
    Make sure the name is capitalized exactly as specified above.
    There should be no output from this command.
More: Automatically choose a user principal

If you specify --user-principal with an empty value (--user-principal=), a name is automatically generated in the form host/shortname@DOMAIN, where shortname is the first label of the host name and DOMAIN is the domain name in upper case.

$ realm join --user=Administrator --user-principal= ad.example.com

The automatically generated name depends on your host name. If the current host name is server.example.com then the user principal chosen by the above command would be host/server@AD.EXAMPLE.COM

You can see the generated name by using:

$ sudo klist -k
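The following shell helpers are an added example, not part of the wiki page or of realmd: they automate the Expected Results checks (realm list, klist -k, kinit -k) and compute the UPN that the empty --user-principal= form generates. The two parsing functions take the tool output as text so they can be exercised offline against constructed output; check_join runs the real commands on a joined host.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page). Assumes the output layouts
# of `realm list` (realm name unindented, attributes indented) and of
# `klist -k` (KVNO column followed by the principal).

# Return 0 if `realm list` output shows REALM with "configured: kerberos-member".
realm_is_kerberos_member() {
    realm_output=$1; realm_name=$2
    printf '%s\n' "$realm_output" | awk -v realm="$realm_name" '
        $0 == realm      { in_realm = 1; next }     # start of our realm block
        /^[^[:space:]]/  { in_realm = 0 }           # next unindented line ends it
        in_realm && $1 == "configured:" && $2 == "kerberos-member" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if `klist -k` output lists PRINCIPAL. The match is case-sensitive,
# which is why the realm portion must be capitalized exactly as when joined.
keytab_has_principal() {
    klist_output=$1; principal=$2
    printf '%s\n' "$klist_output" | awk -v p="$principal" '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }   # "<kvno> <principal>"
        END { exit found ? 0 : 1 }'
}

# UPN realmd generates for an empty --user-principal=: host/<shortname>@<REALM>,
# where REALM is the domain name upper-cased.
default_upn() {
    hostname=$1; domain=$2
    printf 'host/%s@%s\n' "${hostname%%.*}" \
        "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
}

# Live check on a joined host, e.g.: check_join ad.example.com host/Test@AD.EXAMPLE.COM
# Needs sudo for the keytab, exactly like the steps on the page.
check_join() {
    realm=$1; upn=$2
    realm_is_kerberos_member "$(realm list)" "$realm" \
        || { echo "realm $realm is not configured as kerberos-member" >&2; return 1; }
    keytab_has_principal "$(sudo klist -k)" "$upn" \
        || { echo "$upn is missing from the host keytab" >&2; return 1; }
    sudo kinit -k "$upn" \
        || { echo "kinit -k $upn failed" >&2; return 1; }
    echo "join verified for $upn"
}
```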

More: Use with adcli membership software

Test the above commands with both the samba and adcli tools for joining a domain.

$ realm join --membership-software=samba --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com
$ realm join --membership-software=adcli --user-principal=host/Test@AD.EXAMPLE.COM ad.example.com

More: Preconfigure user principal

The user principal to use for a computer joining a given domain can be preconfigured in /etc/realmd.conf:

[ad.example.com]
user-principal = yes

Make sure realmd is restarted so that it re-reads the configuration (realmd is started on demand, so killing it is enough):

$ sudo killall realmd

Now do the join without specifying a user principal.

$ realm join ad.example.com

Even though no user principal was specified, the above klist and kinit commands should work with a user principal of the automatically generated style described above, in the form host/server@AD.EXAMPLE.COM.

Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --verbose ad.example.com