From Fedora Project Wiki

m (Stefw moved page QA:Testcase Active Directory realmd discovery to QA:Testcase realmd discovery: Not active directory specific)
(Adapt page for new discovery methods)

Revision as of 13:06, 29 April 2013

Description

realmd automatically discovers information about kerberos realms, and determines whether they are Active Directory domains or other types of kerberos realms.

Setup

  1. Fulfill the prerequisites and make sure your Active Directory domain access works. realmd 0.14.0+ and adcli 0.6+ are required.

How to test

  1. Perform a discovery command against your Active Directory domain.
    $ realm discover ad.example.com
    The output should list exactly one realm: the domain name on the first line, and the output should also contain the line server-software: active-directory
  2. Perform a discovery command against a generic kerberos domain, such as nullroute.eu.org.
    $ realm discover nullroute.eu.org
    The output should list exactly one realm: the domain name on the first line, and the output should also contain the line type: kerberos
  3. Perform a discovery command against an IPA domain, if you have access to one.
    $ realm discover ipa.example.com
    The output should list exactly one realm: the domain name on the first line, and the output should also contain the line type: freeipa

Expected Results

  1. The realms should be discoverable, and should contain the appropriate type: lines.
    The realm-name: and domain-name: lines should be as expected for the domain.



More: List all realm instances

By passing the --all argument, you can list the various forms that a realm can take. The discovery usually only returns the most relevant result.

$ realm discover --all ad.example.com

The above command should return three domain instances.

  • The first will (by default) have a client-software: sssd line.
  • The second will have a client-software: winbind line.
  • The third will not have client-software or server-software

More: Restricting by software

By passing a --client-software or --server-software argument, one can restrict the results returned.

For an active directory domain, one can specify --client-software=winbind. The client-software in the result should be winbind rather than the sssd default value.

$ realm discover --client-software=winbind ad.example.com

One can also restrict via --server-software so that only certain types of domains match. For example, if the following is run against an Active Directory server, no results should be returned.

$ realm discover --server-software=freeipa ad.example.com
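Checking the steps above by eye is easy to get wrong when several realms or several fields are involved, so here is a small parser and checker for `realm discover` output that covers the three test steps, the three instances expected from --all, and the empty result expected from --server-software=freeipa. This is an added example, not part of realmd or of this test case; the sample outputs in it are constructed to match the format the page shows, and the script name in the usage comment is hypothetical.

```python
"""Parse `realm discover` output and check it against this test case.

Added example, not part of realmd or of this wiki page; the sample outputs
below are constructed to match the output format the page shows.
"""
import json
import sys
from typing import Dict, List, Optional

Realm = Dict[str, str]


def parse_realm_discover(output: str) -> List[Realm]:
    """Turn `realm discover` output into a list of realm dicts.

    A non-indented line names a realm; the indented "key: value" lines that
    follow belong to it. With --all several blocks follow one another, and
    an empty output (nothing matched, e.g. --server-software=freeipa against
    an AD domain) yields []. Shell prompts ("$ ...") and the " * " / " ! "
    lines printed in --verbose mode are skipped.
    """
    realms: List[Realm] = []
    current: Optional[Realm] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("$ ", "* ", "! ")):
            continue
        if not raw[0].isspace():
            current = {"name": line}
            realms.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return realms


def check_realm(realms: List[Realm], name: str, expect: Dict[str, str]) -> List[str]:
    """Return mismatches for steps 1-3 (empty list = pass): exactly one realm,
    its name on the first line, and every expected key: value present."""
    if len(realms) != 1:
        return [f"expected exactly one realm, got {len(realms)}"]
    realm = realms[0]
    problems = []
    if realm["name"] != name:
        problems.append(f"first line is {realm['name']!r}, expected {name!r}")
    for key, value in expect.items():
        if realm.get(key) != value:
            problems.append(f"{key}: got {realm.get(key)!r}, expected {value!r}")
    return problems


def check_all_instances(realms: List[Realm]) -> List[str]:
    """Check the three instances `realm discover --all` should return for an
    AD domain: sssd first, winbind second, third without client/server software."""
    if len(realms) != 3:
        return [f"expected three instances, got {len(realms)}"]
    first, second, third = realms
    problems = []
    if first.get("client-software") != "sssd":
        problems.append("first instance is not client-software: sssd")
    if second.get("client-software") != "winbind":
        problems.append("second instance is not client-software: winbind")
    if "client-software" in third or "server-software" in third:
        problems.append("third instance should carry no client/server software")
    return problems


# Constructed sample: what step 1 expects from an unconfigured AD domain.
AD_OUTPUT = """\
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
"""

# Constructed sample for `realm discover --all ad.example.com`: sssd, winbind,
# then the bare realm with neither client- nor server-software.
ALL_OUTPUT = AD_OUTPUT + AD_OUTPUT.replace("client-software: sssd",
                                           "client-software: winbind") + """\
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
"""

if __name__ == "__main__":
    # Usage (script name is hypothetical):
    #   realm discover --all ad.example.com | python3 check_discover.py
    print(json.dumps(parse_realm_discover(sys.stdin.read()), indent=2))
```

Pipe real `realm discover` output into the script to get the parsed realms as JSON, or import it and call `check_realm` / `check_all_instances` from a test harness. The parser treats indentation as the only structure, so an output of zero lines maps to zero realms, which is exactly the pass condition for the `--server-software=freeipa` case.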

More: Discovery timeout

Run the discovery against a domain whose servers are listed in DNS but are off or unreachable. The discovery should time out after about 15 seconds.

More: Cancellation

Pressing Ctrl-C during a discovery should cancel the discovery immediately. If it does not, then this is a bug. There may be cases where the results are returned before the cancellation takes effect.

Troubleshooting

Use the --verbose argument to see details of what's being done during discovery. You can see output like this:

$ realm discover --verbose nullroute.eu.org
 * Resolving: _ldap._tcp.dc._msdcs.nullroute.eu.org
 * Resolving: _ldap._tcp.nullroute.eu.org
 * Performing LDAP DSE lookup on: 2001:41d0:2:bb58:dead:beef:28c7:49b8
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 176.31.156.245
 * Performing LDAP DSE lookup on: 2a01:7e00::f03c:91ff:fe96:5efd
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 109.74.192.129
 * Performing LDAP DSE lookup on: 2604:2880::d71e:a1a4
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 198.147.23.79
 * Performing LDAP DSE lookup on: 2001:41d0:2:a128:dead:beef:84f3:3a85
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 2001:470:1f0f:112c::1
 ! Can't contact LDAP server
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 70.85.16.91
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 46.105.138.8
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no
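A long --verbose transcript like the one above mixes DNS resolution steps, LDAP DSE lookups and their failures; when troubleshooting it helps to see which addresses could not be contacted at all and which answered but had no default naming context. The following triage helper is an added example, not part of realmd; its sample transcript is a constructed, shortened version of the output shown above. Because realmd prints errors as they happen while several lookups may be in flight, attributing an error to the immediately preceding lookup line is an approximation, which the code notes.

```python
"""Triage `realm discover --verbose` output: which lookups ran, which failed.

Added example, not part of realmd. The sample transcript is a constructed,
shortened version of the one shown on the page.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

LOOKUP_PREFIX = "Performing LDAP DSE lookup on: "


def triage_verbose(output: str) -> Dict[str, object]:
    """Split verbose output into steps (' * '), failures (' ! ') and the
    non-indented realm lines of the final result.

    Each failure is attributed to the step printed just before it. realmd
    runs lookups concurrently and prints errors when they occur, so this
    attribution is approximate; it is still a useful first cut.
    """
    steps: List[str] = []
    failures: List[Tuple[Optional[str], str]] = []
    realm_lines: List[str] = []
    last_step: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("$ "):
            continue
        if line.startswith("* "):
            last_step = line[2:]
            steps.append(last_step)
        elif line.startswith("! "):
            failures.append((last_step, line[2:]))
        elif not raw[0].isspace():
            realm_lines.append(line)  # e.g. "nullroute.eu.org"
    return {
        "steps": steps,
        "failures": failures,
        "error_counts": Counter(err for _, err in failures),
        "realm_lines": realm_lines,
    }


def failed_lookups(triage: Dict[str, object]) -> Dict[str, str]:
    """Map each LDAP DSE lookup target to the error attributed to it."""
    result: Dict[str, str] = {}
    for step, err in triage["failures"]:  # type: ignore[union-attr]
        if step and step.startswith(LOOKUP_PREFIX):
            result[step[len(LOOKUP_PREFIX):]] = err
    return result


# Constructed, shortened transcript in the format shown above.
SAMPLE_VERBOSE = """\
$ realm discover --verbose nullroute.eu.org
 * Resolving: _ldap._tcp.dc._msdcs.nullroute.eu.org
 * Resolving: _ldap._tcp.nullroute.eu.org
 * Performing LDAP DSE lookup on: 2001:41d0:2:bb58:dead:beef:28c7:49b8
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 176.31.156.245
 * Performing LDAP DSE lookup on: 2a01:7e00::f03c:91ff:fe96:5efd
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 70.85.16.91
 ! Couldn't find default naming context on LDAP server
nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no
"""

if __name__ == "__main__":
    summary = triage_verbose(SAMPLE_VERBOSE)
    for target, err in failed_lookups(summary).items():
        print(f"{target}: {err}")
    print("realm(s) found:", summary["realm_lines"])
```

A run where every lookup ends in "Can't contact LDAP server" and no realm line follows is the timeout case described under "More: Discovery timeout"; a run where servers answer but report "Couldn't find default naming context" points at the LDAP side rather than at DNS or reachability.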