From Fedora Project Wiki

Revision as of 13:58, 29 April 2013 by Stefw (talk | contribs) (Add about mismatched domain and realm)

Description

realmd automatically discovers information about kerberos realms, and determines whether they are Active Directory domains or other types of kerberos realms.

Setup

  1. Fulfill the prerequisites and make sure your Active Directory domain access works. realmd 0.14.0+ and adcli 0.6+ are required.

How to test

  1. Perform a discovery command against your Active Directory domain.
    $ realm discover ad.example.com
    The output should list exactly one realm: the domain name on the first line, and the listing should also contain the line server-software: active-directory
  2. Perform a discovery command against a generic Kerberos domain, such as nullroute.eu.org.
    $ realm discover nullroute.eu.org
    The output should list exactly one realm: the domain name on the first line, and the listing should also contain the line type: kerberos
  3. Perform a discovery command against an IPA domain, if you have access to one.
    $ realm discover ipa.example.com
    The output should list exactly one realm: the domain name on the first line, and the listing should also contain the line type: freeipa

Expected Results

  1. The realms should be discoverable, and each listing should contain the appropriate type: line.
    The realm-name: and domain-name: values should be as expected for the domain.



More: List all realm instances

By passing the --all argument, you can list the various forms that a realm can take. The discovery usually only returns the most relevant result.

$ realm discover --all ad.example.com

The above command should return three domain instances.

  • The first will (by default) have a client-software: sssd line.
  • The second will have a client-software: winbind line.
  • The third will have neither a client-software nor a server-software line.

More: Restricting by software

By passing --client-software or --server-software you can restrict the results that are returned.

For an Active Directory domain, you can specify --client-software=winbind. The client-software in the result should then be winbind rather than the default value of sssd.

$ realm discover --client-software=winbind ad.example.com

You can also restrict via --server-software so that only certain types of domain match. For example, if the following is run against an Active Directory server, no results should be returned.

$ realm discover --server-software=freeipa ad.example.com

More: Discovery timeout

Run the discovery against a domain whose servers are listed in DNS but are powered off or otherwise unreachable. The discovery should time out after about 15 seconds.

More: Cancellation

Pressing Ctrl-C during a discovery should cancel the discovery immediately. If it does not, then this is a bug. There may be cases where the results are returned before the cancellation takes effect.

More: Mismatched domain and kerberos realm

Set up a FreeIPA server where the Kerberos realm is different from the upper-cased domain name. When discovered, the domain-name: and realm-name: values should be as expected for that server, not derived from each other.
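To check the Expected Results (and the mismatched-realm case above) without eyeballing the output, the listing can be parsed and compared against explicit expectations. The following is an added example, not part of this wiki page or of realmd itself; the sample output is constructed in the format shown under Troubleshooting, and the FreeIPA realm CORP.EXAMPLE for ipa.example.com is a hypothetical value chosen so that realm-name does not equal the upper-cased domain name.

```python
"""Parse `realm discover` output and compare it with expected key/value lines."""
from typing import Dict, List

# Constructed sample output (not captured from a real system). Each realm block
# starts with an unindented name line followed by indented "key: value" lines.
# The second block is a hypothetical FreeIPA realm whose Kerberos realm name
# differs from the upper-cased domain name.
SAMPLE_OUTPUT = """\
nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no
ipa.example.com
  type: freeipa
  realm-name: CORP.EXAMPLE
  domain-name: ipa.example.com
  configured: no
"""


def parse_realms(text: str) -> List[Dict[str, str]]:
    """Split discover output into one dict per listed realm (heading under 'name')."""
    realms: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: a new realm block
            realms.append({"name": line.strip()})
        elif realms:                          # indented "key: value" line
            key, sep, value = line.strip().partition(":")
            if sep:
                realms[-1][key.strip()] = value.strip()
    return realms


def check_realm(realm: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Return a list of mismatches; an empty list means the listing is as expected.

    Expectations are explicit values, so a realm whose realm-name is not simply
    the upper-cased domain name is checked correctly rather than assumed.
    """
    problems = []
    for key, want in expected.items():
        got = realm.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    return problems


if __name__ == "__main__":
    for r in parse_realms(SAMPLE_OUTPUT):
        print(r["name"], check_realm(r, {"type": r["type"], "domain-name": r["name"]}))
```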

Troubleshooting

Use the --verbose argument to see details of what's being done during discovery. You can see output like this:

$ realm discover --verbose nullroute.eu.org
 * Resolving: _ldap._tcp.dc._msdcs.nullroute.eu.org
 * Resolving: _ldap._tcp.nullroute.eu.org
 * Performing LDAP DSE lookup on: 2001:41d0:2:bb58:dead:beef:28c7:49b8
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 176.31.156.245
 * Performing LDAP DSE lookup on: 2a01:7e00::f03c:91ff:fe96:5efd
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 109.74.192.129
 * Performing LDAP DSE lookup on: 2604:2880::d71e:a1a4
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 198.147.23.79
 * Performing LDAP DSE lookup on: 2001:41d0:2:a128:dead:beef:84f3:3a85
 ! Can't contact LDAP server
 * Performing LDAP DSE lookup on: 2001:470:1f0f:112c::1
 ! Can't contact LDAP server
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 70.85.16.91
 ! Couldn't find default naming context on LDAP server
 * Performing LDAP DSE lookup on: 46.105.138.8
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
 ! Couldn't find default naming context on LDAP server
nullroute.eu.org
  type: kerberos
  realm-name: NULLROUTE.EU.ORG
  domain-name: nullroute.eu.org
  configured: no