Description

Leave a FreeIPA domain by deconfiguring it locally.

Setup

1. If you haven't already, run through the test case to join the domain.

How to test

1. Perform the leave command.

   $ realm leave ipa.example.org

   You will be prompted for Policy Kit authorization.

   You will not be prompted for a password.

   This should proceed quickly, not take more that 10 seconds.

   On a successful leave there will be no output.

Expected Results

1. Check that the domain is no longer configured.

   $ realm list

   Make sure the domain is not listed.

2. Check that you cannot resolve domain accounts on the local computer.

   $ getent passwd admin@ipa.example.org

   There should be no output.

3. Check that there is no machine account for the domain in the keytab.

   sudo klist -k

   You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.

4. If you have set up the FreeIPA Web UI, you can see that computer account has not been deleted (under the Hosts section)

Troubleshooting

Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports.

$ realm leave --verbose ipa.example.org

Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:

$ sudo setenforce 0

Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830

$ sudo grep realmd /var/log/audit/audit.log