From Fedora Project Wiki

(make it a redirect to the combined AD/freeipa test case)
#REDIRECT [[QA:Testcase_realmd_join_sssd]]
|description=Join the current machine to a FreeIPA domain. Domain accounts are available on the local machine once this is done.
# [[Features/FreeIPA/TestBed|Verify that your FreeIPA domain access works]]. If you don't have a FreeIPA domain, you can [[Features/FreeIPA/TestBed|set one up]].
# You need a domain account, either a user or administrator. It's useful to test with both.
# '''Your machine must have a configured host name. Do not proceed if your host name is <code>localhost</code> or similar.'''
#: <pre>$ hostname</pre>
# Make sure you have realmd 0.13 or later installed.
#: <pre>$ yum list realmd</pre>
# Remove the following packages. They should be installed by realmd as necessary.
#: <pre>$ sudo yum remove sssd freeipa</pre>
# Perform the join command. Use the <code>--user=xxx</code> argument to specify your domain account name.
#: <pre>$ realm join --user=User</pre>
#: You will be prompted for a password for the account.
#: You will be prompted for Policy Kit authorization.
#: On a successful join there will be no output.
#: This can take up to a few minutes depending on how far away your FreeIPA domain is.
# Check that the domain is now configured.
#: <pre>$ realm list</pre>
#: Make sure the domain is listed.
#: Make sure you have a <code>configured: kerberos-member</code> line in the output.
#: Make note of the login-formats line for the next command.
# Check that you can resolve domain accounts on the local computer.
#: <pre>$ getent passwd ''</pre>
#: Make sure to use the quotes around the user name.
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full Active Directory domain name (e.g.
# Check that you have an appropriate entry in your hosts keytab.
#: <pre>$ sudo klist -k</pre>
#: You should see several lines, with your host name. For example <code>1 HOSTNAME$@FREEIPA.EXAMPLE.COM</code>
# Check that you can use your keytab with Kerberos.
#: <pre>$ sudo kinit -k 'HOSTNAME$@FREEIPA.EXAMPLE.COM'</pre>
#: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
#: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>HOSTNAME$@FULL-DOMAIN</code>.
#: There should be no output from this command.
# If you have console access to the FreeIPA server, you can use the FreeIPA Web UI to see if the computer account was created under the ''Hosts'' section.
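The host name precheck and the <code>realm list</code> check from the steps above can be scripted. This is an added example, not part of the original test case; the function names and the sample <code>realm list</code> output are constructed for illustration.

```shell
#!/bin/sh
# Refuse placeholder host names ("localhost or similar") before joining.
hostname_ok() {
    case "$1" in
        ''|localhost|localhost.*|localhost4*|localhost6*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the value of FIELD inside DOMAIN's block of `realm list` output (stdin).
realm_field() {
    awk -v dom="$1" -v key="$2" '
        /^[^ \t]/ { in_dom = ($1 == dom); next }   # unindented line starts a realm block
        in_dom {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key ": ") == 1) { print substr(line, length(key) + 3); exit }
        }'
}

# Succeed only if DOMAIN is listed and joined as a Kerberos member;
# on success print its login-formats value for building the getent user name.
check_join() {
    out=$(cat)
    state=$(printf '%s\n' "$out" | realm_field "$1" configured)
    [ "$state" = "kerberos-member" ] || return 1
    printf '%s\n' "$out" | realm_field "$1" login-formats
}

# Constructed sample of `realm list` output (not captured from a real host).
SAMPLE='ipa.example.com
  type: kerberos
  realm-name: IPA.EXAMPLE.COM
  domain-name: ipa.example.com
  configured: kerberos-member
  client-software: sssd
  login-formats: %U
  login-policy: allow-realm-logins
other.example.com
  type: kerberos
  realm-name: OTHER.EXAMPLE.COM
  domain-name: other.example.com
  configured: no
  login-formats: %U@other.example.com'

# On a real host: hostname_ok "$(hostname)" && realm list | check_join your.domain
hostname_ok client.ipa.example.com && printf '%s\n' "$SAMPLE" | check_join ipa.example.com  # prints: %U
```

A non-zero exit from <code>check_join</code> means the domain is either not listed or not configured as <code>kerberos-member</code>.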
== Troubleshooting ==
Use the <code>--verbose</code> argument to see details of what's being done during a join. Include verbose output in any bug reports.
 $ realm join --verbose
The SELinux profile for realmd isn't yet stable, so you may want to turn off enforcement. Please do still file bugs for the SELinux AVC notifications you see.
'''Known Issue [[ Selinux]]:''' You need to turn off SELinux to complete the join. Please do:
 $ sudo setenforce 0
Please file all realmd AVCs at this bug:
 $ sudo grep realmd /var/log/audit/audit.log

Latest revision as of 02:59, 25 November 2014