From Fedora Project Wiki

Latest revision as of 11:36, 9 May 2013

Description

realmd automatically discovers information about kerberos realms, and determines whether they are Active Directory domains or other types of kerberos realms.

Setup

  1. Make sure you have the required software:
    • realmd 0.14.0
  2. Verify that your Active Directory domain access works, or set a domain up.

How to test

  1. Perform a discovery command against your Active Directory domain.
    $ realm discover ad.example.com
    The output should list exactly one realm, with the domain name on the first line and a server-software: active-directory line among its attributes.
  2. Perform a discovery command against a generic Kerberos domain, such as nullroute.eu.org.
    $ realm discover nullroute.eu.org
    The output should list exactly one realm, with the domain name on the first line and a type: kerberos line, and with no server-software: line at all.
  3. Perform a discovery command against an IPA domain, if you have access to one.
    $ realm discover ipa.example.com
    The output should list exactly one realm, with the domain name on the first line and a server-software: freeipa line among its attributes.

Expected Results

  1. The realms should be discoverable, and each should contain the appropriate server-software: line.
    The realm-name: and domain-name: should be as expected for the domain.



More: List all realm instances

By passing the --all argument, you can list the various forms that a realm can take. The discovery usually only returns the most relevant result.

$ realm discover --all ad.example.com

The above command should return three domain instances.

  • The first will (by default) have a client-software: sssd line.
  • The second will have a client-software: winbind line.
  • The third will have neither a client-software nor a server-software line (an optional record).
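The checks that the three discovery steps and the --all listing above describe, as an added Python example that is not part of realmd or of this test case; it assumes realm discover output keeps the layout shown in the Troubleshooting section (an unindented domain line followed by indented key: value lines), and the realm names in the samples are constructed.

```python
# Added example (not realmd's own code): parse the text that "realm discover"
# prints and check the expectations listed above. The samples are constructed
# to match the page's output format; the "realm" binary is never invoked.
def parse_realm_output(text):
    """One dict per realm: an unindented domain line, then indented key: value lines."""
    realms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":                # unindented line: a new realm starts
            realms.append({"header": line.strip()})
        elif realms and ":" in line:
            key, value = line.strip().split(":", 1)
            realms[-1][key.strip()] = value.strip()
    return realms

def check_realm(realm, kind, expected_realm_name=None):
    """Return the failed expectations (empty list means pass) for one realm.
    kind is "active-directory", "kerberos" or "freeipa", one per test step;
    expected_realm_name overrides the default for the mismatched-realm case."""
    problems = []
    domain = realm.get("domain-name", "")
    if realm.get("header") != domain:
        problems.append("first line must be the domain name")
    if kind == "kerberos":
        if realm.get("type") != "kerberos":
            problems.append("expected type: kerberos")
        if "server-software" in realm:
            problems.append("generic kerberos realm must not list server-software")
    elif realm.get("server-software") != kind:
        problems.append("expected server-software: " + kind)
    expected = expected_realm_name or domain.upper()   # default: upper-cased domain
    if realm.get("realm-name") != expected:
        problems.append("expected realm-name: " + expected)
    return problems

# Constructed samples: the first mirrors the Troubleshooting output, the second
# mimics "realm discover --all ad.example.com" returning its three instances.
SAMPLE_KERBEROS = """nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no
"""
AD_INSTANCE = ("ad.example.com\n  type: kerberos\n  realm-name: AD.EXAMPLE.COM\n"
               "  domain-name: ad.example.com\n  configured: no\n")
SAMPLE_AD_ALL = (AD_INSTANCE + "  server-software: active-directory\n  client-software: sssd\n"
                 + AD_INSTANCE + "  server-software: active-directory\n  client-software: winbind\n"
                 + AD_INSTANCE)
```

Running check_realm over each parsed block with the kind the test step expects turns the prose expectations into a pass/fail list per realm.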

More: Restricting by software

By passing a --client-software or --server-software argument, you can restrict the results that are returned.

For an active directory domain, one can specify --client-software=winbind. The client-software in the result should be winbind rather than the sssd default value.

$ realm discover --client-software=winbind ad.example.com

One can also restrict via --server-software to only match certain types of domains. For example, if the following is run against an Active Directory server, no results should be returned.

$ realm discover --server-software=freeipa ad.example.com

More: Discovery timeout

Run the discovery against a domain whose servers are listed in DNS but are powered off or unreachable. The discovery should time out after about 15 seconds.

More: Cancellation

Pressing Ctrl-C during a discovery should cancel the discovery immediately. If it does not, then this is a bug. There may be cases where the results are returned before the cancellation takes effect.

More: Mismatched domain and kerberos realm

Set up a FreeIPA server whose Kerberos realm differs from the upper-cased domain name. When discovered, the domain name and the Kerberos realm name should both be as expected.

Troubleshooting

Use the --verbose argument to see details of what's being done during discovery. You can see output like this:

$ realm discover --verbose nullroute.eu.org
 * Resolving: _ldap._tcp.dc._msdcs.nullroute.eu.org
 * Resolving: _ldap._tcp.nullroute.eu.org
 * Performing LDAP DSE lookup on: 2001:41d0:2:bb58:dead:beef:28c7:49b8
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 176.31.156.245
 * Performing LDAP DSE lookup on: 2a01:7e00::f03c:91ff:fe96:5efd
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 109.74.192.129
 * Performing LDAP DSE lookup on: 2604:2880::d71e:a1a4
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 198.147.23.79
 * Performing LDAP DSE lookup on: 2001:41d0:2:a128:dead:beef:84f3:3a85
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 2001:470:1f0f:112c::1
 ! Can't contact LDAP server
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 70.85.16.91
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 46.105.138.8
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no