From Fedora Project Wiki

(make it a redirect to the combined AD/freeipa test case)
(20 intermediate revisions by 5 users not shown)
Line 1: Line 1:
#REDIRECT [[QA:Testcase_realmd_join_sssd]]
|description=Join the current machine to a FreeIPA domain. Domain accounts are available on the local machine once this is done.
# This testcase assumes you have already set up a FreeIPA domain (name "IPA.EXAMPLE.ORG"). If you haven't, you can [[QA:Testcase_freeipav3_installation|set one up]].
# '''Your machine must have a configured host name. Do not proceed if your host name is <code>localhost</code> or similar.'''
#: <pre>$ hostname</pre>
# Make sure you have realmd 0.13 or later installed.
#: <pre>$ yum list realmd</pre>
# Perform the join command using IPA's admin account.
#: <pre>$ realm join --user=admin</pre>
#: You will be prompted for a password for the account.
#: You will be prompted for Policy Kit authorization.
#: On a successful join there will be no output.
#: This can take up to a few minutes depending on how far away your FreeIPA domain is.
# Check that the domain is now configured.
#: <pre>$ realm list</pre>
#: Make sure the domain is listed.
#: Make sure you have a <code>configured: kerberos-member</code> line in the output.
#: Make note of the login-formats line for the next command.
# Check that you can resolve domain accounts on the local computer.
#: <pre>$ getent passwd ''</pre>
#: Make sure to use the quotes around the user name.
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of User@FULL-DOMAIN, where FULL-DOMAIN is your full IPA domain name (e.g.
# Check that you have an appropriate entry in your hosts keytab.
#: <pre>sudo klist -k</pre>
#: You should see several lines, with your host name. For example <code>1 host/HOSTNAME@IPA.EXAMPLE.ORG</code>
# Check that you can use your keytab with kerberos
#: <pre>sudo kinit -k 'host/HOSTNAME@IPA.EXAMPLE.ORG'</pre>
#: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
#: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>host/HOSTNAME@FULL-DOMAIN</code>.
#: There should be no output from this command.
# If you have set up the FreeIPA Web UI, you can use it to see if the computer account was created under the ''Hosts'' section.
== Troubleshooting ==
Use the <code>--verbose</code> argument to see details of what's being done during a join. Include verbose output in any bug reports.
$ realm join --verbose
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
'''Known Issue [[ Selinux]]:''' You need to turn off selinux to complete the join. Please do:
$ sudo setenforce 0
Please file all realmd AVC's at this bug:
$ sudo grep realmd /var/log/audit/audit.log

Latest revision as of 02:59, 25 November 2014