|
|
| (11 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| {{QA/Test_Case
| | #REDIRECT [[QA:Testcase_realmd_join_sssd]] |
| |description=Join the current machine to a FreeIPA domain. Domain accounts are available on the local machine once this is done.
| |
| |setup=
| |
| # This testcase assumes you have already set up a FreeIPA domain (named "ipa.example.org"). If you haven't, you can [[QA:Testcase_freeipav3_installation|set one up]]. | |
| # '''Your machine must have a configured host name. Do not proceed if your host name is <code>localhost</code> or similar.'''
| |
| #: <pre>$ hostname</pre>
| |
| # Make sure you have realmd-0.13.3-2 or later installed.
| |
| #: <pre>$ yum list realmd</pre>
| |
| |actions=
| |
| # Perform the join command using IPA's admin account.
| |
| #: <pre>$ realm join --user=admin ipa.example.org</pre>
| |
| #: You will be prompted for a password for the account.
| |
| #: You will be prompted for Policy Kit authorization.
| |
| #: On a successful join there will be no output.
| |
| #: This can take up to a few minutes depending on how far away your FreeIPA domain is.
| |
| | |
| |results=
| |
| # Check that the domain is now configured.
| |
| #: <pre>$ realm list</pre>
| |
| #: Make sure the domain is listed.
| |
| #: Make sure you have a <code>configured: kerberos-member</code> line in the output.
| |
| #: Make note of the login-formats line for the next command.
| |
| # Check that you can resolve domain accounts on the local computer.
| |
| #: <pre>$ getent passwd admin@ipa.example.org</pre>
| |
| #: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
| |
| #: Use the login-formats you saw above, to build a remote user name. It will be in the form of $user@$fqdn, where fqdn is your fully qualified IPA domain name (e.g. ipa.example.org).
| |
| # Check that you have an appropriate entry in your hosts keytab.
| |
| #: <pre>sudo klist -k</pre>
| |
| #: You should see several lines, with your host name. For example <code>1 host/$hostname@$FQDN</code>
| |
| # Check that you can use your keytab with kerberos
| |
| #: <pre>sudo kinit -k host/client.ipa.example.org@IPA.EXAMPLE.ORG</pre>
| |
| #: Make sure the domain name is capitalized.
| |
| #: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>host/$hostname@$FQDN</code>.
| |
| #: There should be no output from this command.
| |
| # If you have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the ''Hosts'' section.
| |
| }}
| |
| | |
| == Troubleshooting ==
| |
| | |
| Use the <code>--verbose</code> argument to see details of what's being done during a join. Include verbose output in any bug reports.
| |
| | |
| <pre>
| |
| $ realm join --verbose ipa.example.org
| |
| </pre>
| |
| | |
| '''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=952830 Selinux]]:''' You need to turn off selinux to complete the join. Please do:
| |
| | |
| <pre>
| |
| $ sudo setenforce 0
| |
| </pre>
| |
| | |
| The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
| |
| | |
| Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830
| |
| | |
| <pre>
| |
| $ sudo grep realmd /var/log/audit/audit.log
| |
| </pre>
| |
| | |
| '''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=953116 cannot change the password for new user]]:''' This is a bug probably in authconfig. The workaround is available in the bug [[https://bugzilla.redhat.com/show_bug.cgi?id=953116 Bug 953116]]
| |
| | |
| | |
| [[Category:Active_Directory_Test_Cases]]
| |
