Permit a domain account to log in locally, and then test that login.
- Due to this bug with discussion here, you need to have
/etc/nsswitch.conf when you last booted your system. To do so run this:
$ sudo authconfig --update --enablesssd; sudo shutdown -r now
- If you are linked to your Active Directory domain via VPN, then this test case will not work.
- Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
- Run through the test case to join the domain.
- Verify that you are joined to the domain with the following command:
$ realm list
- Make sure you have a configured: kerberos-membership line in the output.
- Note the
- Check that you can resolve domain accounts on the local computer.
- Use the login-formats you saw above to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
$ getent passwd 'AD\User'
How to test
- Perform the permit command.
$ realm permit --realm=ad.example.com 'AD\User'
- You will be prompted for Policy Kit authorization.
- You will not be prompted for a password.
- This should proceed quickly, and not take more than 10 seconds.
- On a successful permit there will be no output.
- The user should show up here:
$ realm list
- Look at the
- You should also see
- Go to GDM by logging out, or by Switch User from the user menu.
- On a Live CD, if you get automatically logged in again, go to User Accounts and turn off Auto Login for the Live CD user.
- Choose the Not Listed? option.
- Verify that you can see the short name listed with a hint as to how to log in.
DOMAIN\User in the box.
- The case of the domain and user should not matter, but they are separated by a backslash.
- The domain part is the part of your Active Directory domain prior to the first dot.
- Type the user domain password, and press enter.
- You should be logged into the Fedora desktop.
- Open a terminal, and type:
- Look at the output to verify that you are logged in as a domain user.
If the above explodes, try to log in from a VT console, and see if there is any interesting output there.
If you can log into a VT, but cannot log into GNOME, then you may have run into this bug. See the top of the Setup part of this test case for a solution.
If you are connected to your domain controller via VPN, the above test case will not work.
Known Issue [Group Names]: Group names for the logged in user are not resolved correctly
Known Issue [SELinux]: You need to turn off SELinux to complete the permit action. Please do:
$ sudo setenforce 0
Please file all realmd AVCs at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
$ sudo grep realmd /var/log/audit/audit.log
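The two `realm list` checks from the steps above (the realm is configured as a Kerberos member, and the permitted user shows up) can be scripted. This is an added example, not part of the original test case: the sample output is constructed, and the `login-policy` and `permitted-logins` field names are assumptions about realmd's output that do not appear on this page.

```shell
#!/bin/sh
# Constructed sample of `realm list` output (not captured from a real system).
sample_realm_list() {
cat <<'EOF'
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  login-formats: AD\%U
  login-policy: allow-permitted-logins
  permitted-logins: AD\User, AD\Other
EOF
}

# check_realm_list USER
# Reads `realm list` output on stdin.
# Returns 0 if a joined realm permits USER, 1 if no realm is joined,
# 2 if a realm is joined but USER is not in its permitted logins.
# Live use: realm list | check_realm_list 'AD\User'
check_realm_list() {
    # USER goes through the environment, not `awk -v`, because -v would
    # process the backslash in DOMAIN\User as an escape sequence.
    WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]); joined = 0; ok = 0 }
        # An unindented line starts a new realm entry.
        /^[^ \t]/ { in_joined = 0 }
        # Matches both kerberos-member and kerberos-membership.
        /^[ \t]+configured:/ {
            in_joined = ($2 ~ /^kerberos-member/)
            if (in_joined) joined = 1
        }
        /^[ \t]+permitted-logins:/ && in_joined {
            sub(/^[ \t]+permitted-logins:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            n = split($0, users, /,[ \t]*/)
            # Case of domain and user should not matter, so compare lowercased.
            for (i = 1; i <= n; i++)
                if (tolower(users[i]) == want) ok = 1
        }
        END { if (!joined) exit 1; if (!ok) exit 2; exit 0 }
    '
}
```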