From Fedora Project Wiki

Latest revision as of 11:49, 14 May 2013

Description

Join the current machine to an Active Directory using OpenLMI

Setup

  1. We need to gather SELinux AVCs, so be sure to collect every AVC generated by this test case (see the Troubleshooting section below). The command below switches SELinux to permissive mode: AVCs are still logged to /var/log/audit/audit.log but no longer enforced. Do this on the test machine only.
    $ sudo setenforce 0
  2. Install the components
    $ sudo yum install tog-pegasus pywbem realmd
  3. Download the realm CIM scriptlet
    $ sudo wget -O /usr/local/bin/realmd-cim http://jdennis.fedorapeople.org/realmd-cim
  4. Make it executable
    $ sudo chmod +x /usr/local/bin/realmd-cim
  5. Start the pegasus CIMOM
    $ sudo systemctl start tog-pegasus.service
  6. Verify pegasus is running
    $ sudo systemctl status tog-pegasus
  7. Make sure you have other required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
    • openlmi-providers 0.21 or later
    $ sudo yum install realmd openlmi-providers openlmi-realmd
  8. Verify the OpenLMI Realmd provider is properly registered
    $ sudo cimprovider -l
  9. If the previous command did not list cmpiLMI_Realmd register the provider manually
    $ sudo openlmi-mof-register register /usr/share/openlmi-providers/60_LMI_Realmd.mof /usr/share/openlmi-providers/60_LMI_Realmd.reg
  10. Set the pegasus password, in this example we'll use XXXX as the password
    $ sudo passwd pegasus
  11. Verify that your Active Directory domain access works, or set a domain up.

How to test

  1. Show joined domains
$ realm list
$ realmd-cim -u pegasus -p XXXX list

realmd-cim should show the same information as realm list

  2. Join a domain
$ realmd-cim -u pegasus -p XXXX join Administrator DomainPassword ad.example.com

    Both the pegasus password and the domain Administrator password are passed as command-line arguments here, so they are visible to every local user in the process list (ps) and are recorded in shell history. That is acceptable on a throwaway test machine only.
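The following is an added example of what the realmd-cim scriptlet does under the hood, written with the pywbem package installed in Setup; it is not the realmd-cim script itself nor OpenLMI project code. It assumes, since the page does not say so, that the provider registers a CIM class named LMI_RealmdService in root/cimv2 whose Domain property lists the joined domains and whose JoinDomain method takes Domain, User and Password parameters and returns 0 on success. Check those names against cimprovider -l and the MOF file under /usr/share/openlmi-providers before relying on them. Unlike realmd-cim -p XXXX, it reads the pegasus password from the environment or a prompt so it never appears in argv.

```python
"""Talk to the OpenLMI realmd provider through tog-pegasus with pywbem.

Added example, not the realmd-cim scriptlet from the page. Assumed (not
stated by the page): class LMI_RealmdService in root/cimv2, a ``Domain``
string-array property, and a ``JoinDomain(Domain, User, Password)``
method returning 0 on success.
"""
import getpass
import os
import sys

try:
    import pywbem  # installed by "yum install pywbem" in Setup
except ImportError:  # lets list_realms/join_realm be exercised without a CIMOM
    pywbem = None

NAMESPACE = "root/cimv2"
REALMD_CLASS = "LMI_RealmdService"  # assumed class name


def connect(host="localhost", user="pegasus", password=None):
    """Open an HTTPS WBEM connection to the CIMOM.

    The pegasus password comes from PEGASUS_PASSWORD or an interactive
    prompt, not from argv, so it is not exposed in ``ps`` output or
    shell history the way ``realmd-cim -p XXXX`` exposes it.
    """
    if pywbem is None:
        raise RuntimeError("pywbem is not installed")
    if password is None:
        password = os.environ.get("PEGASUS_PASSWORD") or getpass.getpass(
            "password for %s@%s: " % (user, host))
    return pywbem.WBEMConnection("https://%s:5989" % host, (user, password),
                                 default_namespace=NAMESPACE)


def list_realms(conn):
    """Return the joined domains the provider reports (compare with ``realm list``)."""
    realms = []
    for inst in conn.EnumerateInstances(REALMD_CLASS):
        try:
            domains = inst["Domain"]
        except KeyError:  # instance without the (assumed) Domain property
            domains = None
        realms.extend(domains or [])
    return realms


def join_realm(conn, domain, user, password):
    """Invoke JoinDomain on the realmd service; return the CIM return code (0 = joined)."""
    paths = conn.EnumerateInstanceNames(REALMD_CLASS)
    if not paths:
        raise RuntimeError("no %s instance; register the provider (Setup step 9)"
                           % REALMD_CLASS)
    rc, _outparams = conn.InvokeMethod("JoinDomain", paths[0],
                                       Domain=domain, User=user, Password=password)
    return rc


def main(argv):
    """Usage: realmd_pywbem.py list | join ADMIN DOMAIN   (domain password is prompted)"""
    if len(argv) == 2 and argv[1] == "list":
        for realm in list_realms(connect()):
            print(realm)
        return 0
    if len(argv) == 4 and argv[1] == "join":
        admin, domain = argv[2], argv[3]
        rc = join_realm(connect(), domain, admin,
                        getpass.getpass("password for %s: " % admin))
        print("JoinDomain returned %d" % rc)
        return 0 if rc == 0 else 1
    sys.stderr.write(main.__doc__ + "\n")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as PEGASUS_PASSWORD=XXXX python realmd_pywbem.py list next to realm list; the two should agree. If EnumerateInstances returns nothing, the provider is not registered (Setup step 9) or the class name differs from the assumption above.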

Expected Results

  1. Check if you are joined to the domain
    realm list
    The domain should be listed
    Make note of the login format
  2. Check that domain accounts can be resolved
    getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your hosts keytab.
    sudo klist -k
  4. Check that you can use your keytab with kerberos
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  5. Try to log into the machine as a domain account at the console.
    This should automatically create a new home directory for the user, and log into a shell prompt.
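The checks above are easy to get wrong by eye (a passwd line with an empty home, or picking the host/ service principal instead of the HOSTNAME$ one for kinit -k). The following added example, not from the page, inspects text captured from realm list, getent passwd and klist -k rather than running those commands, so it can be tried offline; the SAMPLE_* strings are constructed to resemble that output and are not real captures. The login-formats parsing assumes the line realm list prints looks like "login-formats: %U@ad.example.com".

```python
"""Offline checks for the Expected Results steps (added example).

Inspects text captured from ``realm list``, ``getent passwd`` and
``klist -k``. The SAMPLE_* strings are constructed, not real output.
"""
import re

SAMPLE_REALM_LIST = """ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  login-formats: %U@ad.example.com
"""
SAMPLE_PASSWD = "AD\\user:*:1372401106:1372400513:Test User:/home/user@ad.example.com:/bin/bash\n"
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/anaconda1.ad.example.com@AD.EXAMPLE.COM
   2 host/ANACONDA1@AD.EXAMPLE.COM
   2 ANACONDA1$@AD.EXAMPLE.COM
"""


def short_domain_login(realm, user):
    """DOMAIN\\User form from the page: DOMAIN is the realm's first label, upper-cased."""
    return "%s\\%s" % (realm.split(".")[0].upper(), user)


def login_names(realm_list_output, user):
    """Expand every login-formats template printed by ``realm list`` for ``user``."""
    names = []
    for line in realm_list_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "login-formats":
            for fmt in re.split(r"[,\s]+", value.strip()):
                if fmt:
                    names.append(fmt.replace("%U", user))
    return names


def check_passwd_entry(line):
    """Validate one getent passwd line: 7 fields, numeric ids, usable home and shell.

    Returns (ok, reason) so a failed check says what is missing.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return False, "expected 7 colon-separated fields, got %d" % len(fields)
    _name, _pw, uid, gid, _gecos, home, shell = fields
    if not (uid.isdigit() and gid.isdigit()):
        return False, "uid/gid are not numeric"
    if not home.startswith("/") or home == "/":
        return False, "no usable home directory: %r" % home
    if not shell.startswith("/") or shell.endswith("nologin"):
        return False, "no login shell: %r" % shell
    return True, "ok"


_KEYTAB_ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s*$")  # "  KVNO principal" rows only


def machine_principal(klist_output):
    """Pick the HOSTNAME$@REALM entry from ``klist -k`` output for ``kinit -k``.

    Skips host/ service principals; returns None if the keytab has no
    upper-case machine-account principal.
    """
    for line in klist_output.splitlines():
        m = _KEYTAB_ENTRY.match(line)
        if not m:
            continue
        princ = m.group(1)
        name, sep, realm = princ.partition("@")
        if sep and name.endswith("$") and name == name.upper() and realm == realm.upper():
            return princ
    return None


def run_checks():
    """Run every check on the constructed samples; returns a dict of results."""
    ok, reason = check_passwd_entry(SAMPLE_PASSWD)
    return {
        "logins": login_names(SAMPLE_REALM_LIST, "user"),
        "short_login": short_domain_login("ad.example.com", "user"),
        "passwd_ok": ok,
        "passwd_reason": reason,
        "principal": machine_principal(SAMPLE_KLIST),
    }


if __name__ == "__main__":
    for key, value in sorted(run_checks().items()):
        print("%s: %s" % (key, value))
```

To use it on a real machine, feed the output of sudo klist -k into machine_principal and pass the result to kinit as a single argument (for example through subprocess with an argument list), which avoids the shell-quoting problem the page warns about.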



More: Explore the realmd-cim script

Use realmd-cim --help to see how to leave a domain.

More: Try it with FreeIPA

Use a FreeIPA domain with the OpenLMI join.

Troubleshooting

  • RHBZ #961207 When you see SELinux AVCs, report them to this bug.
$ sudo setenforce permissive
... do the test
$ sudo less /var/log/audit/audit.log