Permit a domain account to log in locally, and then test that login.
- If you are linked to your Active Directory domain via VPN, then this test case will not work.
- Make sure you have other required software:
- realmd 0.14.0 or later
- Verify that your Active Directory domain access works, or set a domain up.
- Run through the test case to join the domain.
- Verify that you are joined to the domain with the following command:
$ realm list
- Make sure you have a "configured: kerberos-membership" line in the output.
- Note the
- Check that you can resolve domain accounts on the local computer.
- Use the login-formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
$ getent passwd 'AD\User'
- Use the
How to test
- Perform the permit command.
$ realm permit --realm=ad.example.com 'AD\User'
- You will be prompted for Policy Kit authorization.
- You will not be prompted for a password.
- This should proceed quickly, not take more than 10 seconds.
- On a successful permit there will be no output.
- The user should show up here:
$ realm list
- Look at the
- You should also see
- Go to GDM by logging out, or by Switch User from the user menu.
- On a Live CD, if you get automatically logged in again, go to User Accounts and turn off Auto Login for the Live CD user.
- Choose the Not Listed? option.
- Type DOMAIN\User in the box.
- The case of the domain and user should not matter, but they are separated by a backslash.
- The domain part is the part of your Active Directory domain prior to the first dot.
- Type the user domain password, and press enter.
- You should be logged into the Fedora desktop.
- Open a terminal, and type:
- Look at the output to verify that you are logged in as a domain user.
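The two checks against realm list output above (the "configured: kerberos-membership" line and the login-formats template in the setup steps, and the user appearing after realm permit) as an added shell example; it is not part of the original test case. The realm list output embedded in it is constructed, and the "AD\%U" login-formats template is assumed to match what realmd prints on your system:

```shell
#!/bin/sh
# Constructed sample of `realm list` output for a joined domain, carrying the
# fields this test case checks. On a real system use: REALM_OUT=$(realm list)
REALM_OUT='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-membership
  server-software: active-directory
  client-software: sssd
  login-formats: AD\%U
  login-policy: allow-permitted-logins
  permitted-logins: AD\User, AD\Admin'

# Print the value of one "key: value" field ($1) from realm list output ($2).
realm_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: //p"
}

# The "configured: kerberos-membership" line is what proves the join succeeded.
realm_is_joined() {
    [ "$(realm_field configured "$1")" = "kerberos-membership" ]
}

# Build the remote user name from the login-formats template: realmd prints
# the user placeholder as %U, so AD\%U with "User" becomes AD\User.
realm_login_name() {
    printf '%s\n' "$(realm_field login-formats "$2")" | sed "s/%U/$1/"
}

# After `realm permit`, the login must be listed under permitted-logins.
# The comparison is case-insensitive, as the test case says AD logins are.
realm_is_permitted() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for login in $(realm_field permitted-logins "$2" | tr ',' ' '); do
        have=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Stand-alone run over the constructed sample.
realm_is_joined "$REALM_OUT" && echo "joined: yes"
echo "login name: $(realm_login_name User "$REALM_OUT")"
realm_is_permitted 'ad\user' "$REALM_OUT" && echo "permitted: yes"
```

Point REALM_OUT at the real realm list output and the same functions check the box you just joined, before and after the permit command.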
If the above explodes, try to log in from a VT console, and see if there is any interesting output there.
If you are connected to your domain controller via VPN, the above test case will not work.
If login does not work, you can try a workaround. Open the /etc/sssd/sssd.conf file and put the following into the [domain/$DOMNAME] section:
service sssd restart
Try login again.
You can use pamtester to play with authentication:
$ sudo yum install pamtester
$ pamtester system-auth 'DOMAIN\User' authenticate
Password: xxxx
You can increase the sssd debug log level, and check log files:
$ sudo sss_debuglevel 0x00F0
... do the thing here ...
$ sudo less /var/log/sssd/sssd_xxx.log