From Fedora Project Wiki
Description
Enrol the system in an Active Directory or FreeIPA domain using the GNOME Control Center.
Setup
- Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
  - QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
  - QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
  - QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
- Create at least one domain account, either a user or an administrator. It's useful to test with both.
- Ensure the test client has a fully-qualified hostname (e.g. client.example.com). Do not proceed if running
    hostname
  returns localhost or similar.
- Ensure GNOME is installed on the test client.
How to test
- Open the GNOME Control Center (e.g. by clicking on the top-right menu and then clicking the screwdriver/wrench icon, or by running
    gnome-control-center
  from a terminal, which lets you see debugging output)
- Choose the Users panel
- Click the Unlock button, if present
  - You should get a PolicyKit authorization prompt.
- Click the add [+] button in the lower left
- Choose the Enterprise login pane
- Enter an invalid domain, invalid user, and invalid password for the account
  - Click on Add. You should see a problem icon on the domain.
- Enter the valid domain, invalid user, and invalid password for the account
  - Click on Add. You should see a problem icon on the user.
- Enter the valid domain, valid user, and invalid password for the account
  - Click on Add. You should see a problem icon on the password.
- Enter the right password
- Click on Add
  - If you use a non-administrative user, you should be prompted for administrative credentials.
Expected Results
- The user should now be listed in the User Accounts panel of the GNOME Control Center
- Check that the domain is now configured:
    realm list
  - Make sure the domain is listed
  - Make sure you have a
      configured: kerberos-member
    line in the output
- Check that you can resolve domain accounts on the local computer
  - For Active Directory:
      getent passwd 'DOMAIN\User'
    (DOMAIN is the NetBIOS name, usually the first portion of the domain name, e.g. AD or SAMDOM; make sure to use the single quotes)
  - For FreeIPA:
      getent passwd admin@domain
    (domain is the fully-qualified FreeIPA domain name, e.g. example.ipa)
  - You should see an output line that looks like passwd output. It should contain an appropriate home directory and a shell
- Check that you have an appropriate entry in your host's keytab:
    su -c 'klist -k'
  - You should see several lines with your host name. For example
      1 host/$hostname$@FQDN
- Check that you can use your keytab with Kerberos:
    su -c 'kinit -k (principal)'
  - Replace (principal) with the principal from the output of the klist command above. Use the one with the domain capitalized that looks like host/hostname@DOMAIN (FreeIPA) or TRUNCATED_HOSTNAME$@DOMAIN (Active Directory)
  - There should be no output from this command
- If you are testing FreeIPA and have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section
- If you are testing Active Directory and have console access to the domain controller, you can use the Active Directory Users and Computers tool to see that the computer account was created under the Computers section
- Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.
  - Go to GDM by logging out, or by choosing Switch User from the user menu
  - Choose the Not Listed? option
  - Verify that you can see the short name listed with a hint as to how to log in
  - Type
      user@domain
    in the box. The case of the domain and user should not matter, but they are separated by the @ sign
  - The domain part is the entire FreeIPA / AD domain name
  - Type the user's domain password, and press enter
  - You should be logged into a Fedora Desktop.
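The verification commands from Expected Results (realm list, getent passwd, klist -k, kinit -k) can be re-run after every enrolment attempt without clicking through the panel again. The script below is an added example and is not part of the Fedora wiki test case. It assumes realmd, sssd and krb5-workstation are installed and that it runs as root, so klist -k can read /etc/krb5.keytab directly instead of going through the su -c used above. The realm list and klist output embedded in it, and the names example.ipa, ad.example.com and client, are constructed placeholders. The Active Directory principal is derived from the first hostname label, uppercased and cut to 15 characters; that is an assumption about how the page's TRUNCATED_HOSTNAME$ form is built, so check it against your own klist -k output.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): the Expected Results checks as
# non-interactive functions. Assumes realmd, sssd and krb5-workstation are
# installed and that the script runs as root (so /etc/krb5.keytab is readable).

# is_fqdn NAME: succeed only when NAME is a fully-qualified hostname
# (contains a dot and is not localhost), as the Setup section requires.
is_fqdn() {
    case $1 in
        ''|localhost|localhost.*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# realm_is_member OUTPUT DOMAIN: succeed when OUTPUT (text of `realm list`)
# shows DOMAIN with a "configured: kerberos-member" line in its block.
# realm list prints each realm name unindented followed by indented
# "key: value" lines, so the block is tracked by the last unindented name.
realm_is_member() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[^ ]/ { current = $1 }
        $1 == "configured:" && $2 == "kerberos-member" && current == d { found = 1 }
        END { exit found ? 0 : 1 }'
}

# passwd_entry_ok LINE: succeed when LINE is a 7-field passwd entry whose
# home directory (field 6) and shell (field 7) are both non-empty.
passwd_entry_ok() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 && $6 != "" && $7 != "" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# keytab_host_principal OUTPUT HOST: print the principal to hand to kinit -k
# from OUTPUT (text of `klist -k`): the AD machine account SHORT$@REALM when
# present, otherwise the FreeIPA-style host/HOST@REALM entry. SHORT is the
# first hostname label, uppercased and cut to 15 characters (assumption:
# the AD computer account name is the NetBIOS name of the host).
keytab_host_principal() {
    short=$(printf '%s' "$2" | cut -d. -f1 | cut -c1-15 | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | awk -v h="$2" -v s="$short" '
        index($2, s "$@") == 1        { ad = $2 }
        index($2, "host/" h "@") == 1 { ipa = $2 }
        END { if (ad != "") print ad; else if (ipa != "") print ipa }'
}

# run_checks DOMAIN ACCOUNT: run the live checks on this host. ACCOUNT is
# whatever getent should resolve, e.g. admin@example.ipa or 'AD\User'
# (placeholder values; substitute your own domain and account).
run_checks() {
    host=$(hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not fully qualified"; return 1; }
    realm_is_member "$(realm list)" "$1" \
        || { echo "FAIL: $1 is not configured as kerberos-member"; return 1; }
    passwd_entry_ok "$(getent passwd "$2")" \
        || { echo "FAIL: $2 does not resolve to a usable passwd entry"; return 1; }
    principal=$(keytab_host_principal "$(klist -k)" "$host")
    [ -n "$principal" ] || { echo "FAIL: no host principal for $host in the keytab"; return 1; }
    kinit -k "$principal" || { echo "FAIL: kinit -k $principal"; return 1; }
    echo "OK: $host is enrolled in $1 (principal $principal)"
}

# Constructed sample outputs (not captured from a real system) so the parsing
# functions can be exercised without a domain controller.
SAMPLE_REALM_LIST='example.ipa
  type: kerberos
  realm-name: EXAMPLE.IPA
  domain-name: example.ipa
  configured: kerberos-member
  server-software: ipa
  client-software: sssd'
SAMPLE_IPA_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   1 host/client.example.ipa@EXAMPLE.IPA
   1 host/client.example.ipa@EXAMPLE.IPA'
SAMPLE_AD_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------
   2 host/client.ad.example.com@AD.EXAMPLE.COM
   2 CLIENT$@AD.EXAMPLE.COM'

# Run the live checks only when a domain and an account are given on the
# command line, e.g.:  sh enrol-check.sh example.ipa admin@example.ipa
if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

The parsing is split from the live commands so the same functions can be checked against the constructed samples first and then pointed at the real realm list and klist -k output; a failing kinit -k with a principal that klist -k does list usually means the keytab key version no longer matches the domain controller, which is the case the page's "there should be no output" step is meant to catch.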