Join the current machine to an Active Directory using OpenLMI
Install the components
sudo setenforce 0
sudo yum install sblim-sfcb tog-pegasus pywbem
sudo yum install realmd openlmi-realmd
wget http://jdennis.fedorapeople.org/realmd-cim
chmod +x realmd-cim
Note that setenforce 0 only puts SELinux into permissive mode for the duration of the test; see the SELinux note at the end of this page for what to report.
Verify pegasus is running
sudo systemctl status tog-pegasus
Set the pegasus password; in this example we'll use XXXX as the password
sudo passwd pegasus
How to test
- Show joined domains
realm list
./realmd-cim -u pegasus -p XXXX list
realmd-cim should show equivalent information to what realm list shows.
- Check if you are joined to the domain
- The domain should be listed
- Make note of the login format
- Check that domain accounts can be resolved
getent passwd 'AD\User'
- Make sure to use the quotes around the user name.
- You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
- Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
- Check that you have an appropriate entry in your host's keytab.
sudo klist -k
- Check that you can use your keytab with kerberos
sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
- Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
- Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
- There should be no output from this command.
- Try to log into the machine as a domain account at the console.
- This should automatically create a new home directory for the user, and log into a shell prompt.
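The checks above can be scripted. The following is an added example, not part of the original test page or of realmd/OpenLMI: it picks the capitalized HOSTNAME$@REALM principal out of `klist -k` output, derives the DOMAIN\User login name from the realm, and verifies that a `getent passwd` line carries a home directory and a shell. The sample `klist -k` and `getent passwd` output, the host name myhost and the realm AD.EXAMPLE.COM are constructed for the demonstration; run it with `--live USER` on a joined machine to perform the real kinit and getent checks.

```shell
#!/bin/sh
# Added example (not from the original page): scripted form of the
# keytab / kinit / getent checks. Sample output below is constructed.

# Constructed sample of `klist -k` output on a joined host (assumption).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myhost.ad.example.com@AD.EXAMPLE.COM
   2 MYHOST$@AD.EXAMPLE.COM
   2 RestrictedKrbHost/myhost.ad.example.com@AD.EXAMPLE.COM'

# Constructed sample of `getent passwd` output for a domain user (assumption).
SAMPLE_PASSWD='AD\jdoe:*:1234567:1234567:John Doe:/home/jdoe@ad.example.com:/bin/bash'

# Pick the capitalized machine-account principal (HOSTNAME$@REALM) from
# `klist -k` output read on stdin. Prints nothing if no such entry exists.
machine_principal() {
    awk '$2 ~ /^[A-Z0-9-]+\$@[A-Z0-9.-]+$/ { print $2; exit }'
}

# Realm part of a principal: MYHOST$@AD.EXAMPLE.COM -> AD.EXAMPLE.COM
realm_of() {
    printf '%s\n' "${1#*@}"
}

# Short domain name: first label of the realm, AD.EXAMPLE.COM -> AD
short_domain() {
    printf '%s\n' "${1%%.*}"
}

# Build the DOMAIN\user login name used by getent and console login.
login_name() {
    printf '%s\\%s\n' "$(short_domain "$1")" "$2"
}

# Check that a passwd(5) line has an absolute home directory and a shell.
# Returns 0 when both are present, 1 otherwise.
passwd_entry_ok() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case $home in /*) ;; *) return 1 ;; esac
    [ -n "$shell" ] || return 1
    return 0
}

# Run the real checks on this host (needs a joined machine and sudo).
# $1 is the sAMAccountName of a domain user to resolve.
run_live_checks() {
    princ=$(sudo klist -k | machine_principal)
    [ -n "$princ" ] || { printf 'no HOSTNAME$@REALM entry in keytab\n' >&2; return 1; }
    # kinit -k with the machine principal should print nothing on success
    sudo kinit -k "$princ" || return 1
    login=$(login_name "$(realm_of "$princ")" "$1")
    entry=$(getent passwd "$login") || { printf 'cannot resolve %s\n' "$login" >&2; return 1; }
    passwd_entry_ok "$entry"
}

if [ "${1:-}" = "--live" ]; then
    [ -n "${2:-}" ] || { printf 'usage: %s --live USER\n' "$0" >&2; exit 1; }
    run_live_checks "$2"
else
    # Offline demonstration on the constructed samples.
    princ=$(printf '%s\n' "$SAMPLE_KLIST" | machine_principal)
    printf 'principal for kinit -k: %s\n' "$princ"
    printf 'login name: %s\n' "$(login_name "$(realm_of "$princ")" jdoe)"
    passwd_entry_ok "$SAMPLE_PASSWD" && printf 'sample passwd entry OK\n'
fi
```

The principal regex only accepts the upper-case HOSTNAME$@REALM form, which is what the page tells you to pass to kinit -k; the host/ and RestrictedKrbHost/ entries in the same keytab are deliberately skipped.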
More: Try it with FreeIPA
Use a FreeIPA domain with the OpenLMI join.
- RHBZ #XXXXXX: if you see SELinux issues, see this bug for details.
- Please do this and report all AVCs to the above bug.
$ sudo setenforce permissive
... do the test
$ sudo grep realmd /var/log/audit/audit.log