From Fedora Project Wiki
Description
Set up a FreeIPA domain account login via the GNOME Control Center.
Setup
- You need control-center 3.6.x version or later.
- You need a configured FreeIPA domain. The realm name must match the domain name (upper cased).
- You need a FreeIPA domain user account or an administrator account, or both. If you have both, enter the user account as the user you're going to add below.
- Your machine must have a configured host name. Do not proceed if your host name is 'localhost' or similar.
$ hostname
- Make sure you have realmd 0.13.3-2 or later installed.
$ yum list realmd
- Make sure you have selinux-policy-3.12.1-32 or later installed.
$ yum list selinux-policy
- Remove the following packages; they should be installed by realmd as necessary.
$ sudo yum remove freeipa-client
- Make sure you are not joined to a domain. Use 'realm list' to check, and 'realm leave' to leave.
How to test
- Run gnome-control-center from a terminal.
- Choose the Users panel.
- Click the Unlock button.
- You should get a Policy Kit authorization prompt.
- Click the add [+] button in the lower left.
- Choose the Enterprise login pane.
- Enter an invalid domain, invalid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the domain.
- Enter the valid domain, invalid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the user.
- Enter the valid domain, valid user, and invalid password for the account.
- Click on Add. You should see a problem icon on the password.
- Enter the right password.
- Click on Add.
- If you use a non-administrative user, you should be prompted for administrative credentials.
Expected Results
- The user should now be listed in the User Accounts panel of the GNOME Control Center.
- Check that the domain is now configured.
$ realm list
- Make sure the domain is listed.
- Make sure you have a 'configured: kerberos-membership' line in the output.
- Make note of the 'login-formats' line for the next command.
- Check that you can resolve domain accounts on the local computer.
$ getent passwd 'user@domain'
- Make sure to use the quotes around the user name.
- You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
- Use the 'login-formats' you saw above to build a remote user name. It will be in the form of user@domain, where domain is your full FreeIPA domain name.
- Check that you have an appropriate entry in your hosts keytab.
$ sudo klist -k
- You should see several lines, with your host name. For example
2 HOSTNAME$@IPA.EXAMPLE.COM
- Check that you can use your keytab with kerberos
$ sudo kinit -k 'HOSTNAME$@IPA.EXAMPLE.COM'
- Make sure to use quotes around the argument, because of the special characters in it. Make sure the host name and domain are capitalized.
- Use the principal from the output of the 'klist' command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
- There should be no output from this command.
- The user should show up here:
$ realm list
- Look at the 'permitted-logins:' line.
- You should also see 'login-policy: allow-permitted-logins'.
- Go to GDM by logging out, or by Switch User from the user menu.
- Choose the Not Listed? option.
- Verify that you can see the short name listed with a hint as to how to log in.
- Type user@domain in the box.
- The case of the domain and user should not matter, but they are separated by an at sign.
- The domain part is the entire domain name for your FreeIPA domain.
- Type the user domain password, and press enter.
- You should be logged into a Fedora Desktop.
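The checks on 'realm list' and 'klist -k' output above are easy to get wrong by eye (a lower-case host name, a user missing from permitted-logins). The following script is an added example, not part of the Fedora wiki test case: it runs the same checks against constructed sample output so it works offline. It assumes realmd prints the login format with %U as the user placeholder, separates multiple permitted-logins with commas, and that the FreeIPA host principal in the keytab has the HOSTNAME$@REALM form shown above; replace the samples with the real command output to use it on a test machine.

```shell
#!/bin/sh
# Added verification helpers for the Expected Results checks; not part of the wiki page.
# All input below is constructed sample output so the script runs offline.

# Constructed sample of `realm list` output for a joined FreeIPA domain.
SAMPLE_REALM_LIST='ipa.example.com
  type: kerberos
  realm-name: IPA.EXAMPLE.COM
  domain-name: ipa.example.com
  configured: kerberos-membership
  server-software: ipa
  client-software: sssd
  login-formats: %U@ipa.example.com
  login-policy: allow-permitted-logins
  permitted-logins: alice@ipa.example.com'

# Constructed sample of `sudo klist -k` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@IPA.EXAMPLE.COM
   2 host/hostname.ipa.example.com@IPA.EXAMPLE.COM'

# realm_field OUTPUT KEY: print the value of the first "KEY: value" line.
realm_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# realm_configured OUTPUT: succeed only if the domain reports kerberos-membership.
realm_configured() {
    [ "$(realm_field "$1" configured)" = "kerberos-membership" ]
}

# build_login OUTPUT USER: substitute USER into the login-formats template
# (assumes realmd's %U placeholder).
build_login() {
    fmt=$(realm_field "$1" login-formats)
    [ -n "$fmt" ] || return 1
    printf '%s\n' "$fmt" | sed "s/%U/$2/"
}

# login_permitted OUTPUT LOGIN: succeed if LOGIN is in permitted-logins and the
# policy is allow-permitted-logins (assumes a comma-separated list).
login_permitted() {
    [ "$(realm_field "$1" login-policy)" = "allow-permitted-logins" ] || return 1
    realm_field "$1" permitted-logins | tr ',' '\n' | sed 's/^ *//' | grep -qxF "$2"
}

# keytab_has_host KLIST_OUTPUT HOSTNAME REALM: succeed if the upper-cased
# HOSTNAME$@REALM principal is present. Fixed-string matching keeps the '$' literal.
keytab_has_host() {
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | grep -qF "$upper\$@$3"
}

# Run the checks against the samples and report the login name to type at GDM.
main() {
    realm_configured "$SAMPLE_REALM_LIST" && echo "domain configured: kerberos-membership"
    login=$(build_login "$SAMPLE_REALM_LIST" alice)
    echo "login name to use at GDM: $login"
    login_permitted "$SAMPLE_REALM_LIST" "$login" && echo "login is permitted"
    keytab_has_host "$SAMPLE_KLIST" hostname IPA.EXAMPLE.COM && echo "host keytab entry present"
}
main
```

On a real machine, replace the two samples with `realm list` and `sudo klist -k` output (for example via command substitution) and pass your own user name to build_login; the functions return a non-zero status for any check that fails, so the script can gate the rest of a test run.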
Troubleshooting
- You can see verbose output in the terminal that you started gnome-control-center from.
- RHBZ #952830: If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do this and report all AVCs to the above bug.
$ sudo setenforce permissive
... do the test
$ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953445: If you see the message 'Decrypt integrity check failed', that means you typed the wrong password. It is a bug that this message is displayed directly, and the password field not merely flagged.
- RHBZ #953453: If you see the message 'No user with the name user@domain found', then this is because 'sss' was not in your /etc/nsswitch.conf when the tests were started.
- A newly installed system will have this present. However, 'ipa-client-install --uninstall' incorrectly removes it.
- This may have happened if you ran earlier tests that performed this command.
- Workaround: The following lines should have 'sss' on them in /etc/nsswitch.conf by default. You can restore this by doing the following, and then running through the tests again:
$ sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
$ sudo yum reinstall glibc
$ shutdown -r now
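Because the missing 'sss' entry only shows up as a confusing error at the Add step, it is worth checking /etc/nsswitch.conf before starting the tests. The script below is an added example, not part of the wiki page: it reports which database lines lack 'sss', using constructed file contents so it runs offline. The wiki text does not list the affected lines; the script assumes the passwd, shadow and group databases are the ones SSSD needs for domain logins. To check the live file, call nsswitch_has_sss "$(cat /etc/nsswitch.conf)".

```shell
#!/bin/sh
# Added pre-flight check for the RHBZ #953453 condition; not part of the wiki page.

# Assumption: these are the nsswitch databases that must list sss for domain logins.
SSS_DATABASES="passwd shadow group"

# Constructed sample of a correct file (sssd configured).
NSSWITCH_OK='passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns'

# Constructed sample after ipa-client-install --uninstall stripped sss.
NSSWITCH_BROKEN='passwd:     files
shadow:     files
group:      files
hosts:      files dns'

# nsswitch_has_sss CONTENT: print every required database line that lacks sss
# and fail if any is missing. Matching requires whitespace around "sss" so a
# source such as "sssd_compat" (hypothetical) would not count as a match.
nsswitch_has_sss() {
    missing=0
    for db in $SSS_DATABASES; do
        if ! printf '%s\n' "$1" | grep -Eq "^$db:.*[[:space:]]sss([[:space:]]|$)"; then
            echo "$db: sss missing"
            missing=1
        fi
    done
    return $missing
}

# Demonstrate on both samples.
nsswitch_has_sss "$NSSWITCH_OK" && echo "sample OK file: sss present"
nsswitch_has_sss "$NSSWITCH_BROKEN" || echo "sample broken file: apply the workaround above"
```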