From Fedora Project Wiki

(Add about looking at AD.)
 
(8 intermediate revisions by one other user not shown)
Line 2: Line 2:
 
|description=Leave an active directory domain by deconfiguring it locally.
 
|description=Leave an active directory domain by deconfiguring it locally.
 
|setup=
 
|setup=
# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
+
# Make sure you have other required software:
 +
#* realmd 0.14.0 or later
 +
# Verify that your [[QA:Testcase_Active_Directory_Setup|Active Directory domain access works, or set a domain up]].
 
# Run through the [[QA:Testcase_Active_Directory_realmd_join_sssd|test case to join the domain]].
 
# Run through the [[QA:Testcase_Active_Directory_realmd_join_sssd|test case to join the domain]].
 
# Verify that you are joined to the domain with the following command
 
# Verify that you are joined to the domain with the following command
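Review bot: In the new first Setup step, "Make sure you have other required software:" has nothing before it for "other" to refer to now that it is step 1; suggest "Make sure you have the required software:". The unchanged "Verify that you are joined to the domain with the following command" would also read better ending in a colon.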
Line 8: Line 10:
 
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
 
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
 
#: Note the <code>login-formats:</code> line.
 
#: Note the <code>login-formats:</code> line.
# Check that you cannot resolve domain accounts on the local computer.  
+
# Check that you can resolve domain accounts on the local computer.  
 
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
 
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
 
#: <pre>$ getent passwd 'AD\User'</pre>
 
#: <pre>$ getent passwd 'AD\User'</pre>
Line 15: Line 17:
 
# Perform the leave command.
 
# Perform the leave command.
 
#: <pre>$ realm leave ad.example.com</pre>
 
#: <pre>$ realm leave ad.example.com</pre>
 +
#: You will be prompted for Policy Kit authorization, because you're not running this as root.
 
#: You will not be prompted for a password.
 
#: You will not be prompted for a password.
 
#: This should proceed quickly, not take more that 10 seconds.
 
#: This should proceed quickly, not take more that 10 seconds.
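Review bot: The added line "You will be prompted for Policy Kit authorization, because you're not running this as root." sits directly above the unchanged "You will not be prompted for a password.", and a tester can read the two as contradictory; state which password the second line means. In the context line, "not take more that 10 seconds" should read "more than".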
Line 26: Line 29:
 
#: <pre>$ getent passwd 'AD\User'</pre>
 
#: <pre>$ getent passwd 'AD\User'</pre>
 
#: There should be no output.
 
#: There should be no output.
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN\User</code>, where DOMAIN is the first part of your full Active Directory domain name.
 
 
# Check that there is no machine account for the domain in the keytab.
 
# Check that there is no machine account for the domain in the keytab.
 
#: <pre>sudo klist -k</pre>
 
#: <pre>sudo klist -k</pre>
 
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
 
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
# If you have console access to a domain controller, you can use the ''Active Directory Users and Computers'' tool to see if that the computer account was not deleted.
+
# If you have console access to a domain controller, you can use the ''Active Directory Users and Computers'' tool to see if that the computer account was '''not''' deleted.
 
}}
 
}}
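Review bot: The revised last step still reads "to see if that the computer account was '''not''' deleted"; drop either "if" or "that". Because the expected result is that the account remains, stating it positively (the computer account is still present) would not depend on bold markup to carry the meaning.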
  
Line 41: Line 43:
 
</pre>
 
</pre>
  
[[Category:Active_Directory_Test_Cases]]
+
Leave currently does not works under non-root user [[https://bugzilla.redhat.com/show_bug.cgi?id=867807]].
 +
 
 +
[[Category:Active_Directory_Test_Cases]] [[Category:Realmd_Test_Cases]]
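Review bot: The added note "Leave currently does not works under non-root user" conflicts with the How to test step, which expects a non-root run with a Policy Kit prompt; say whether testers should run the leave as root until the bug is resolved. Also "does not works" should be "does not work", and the Bugzilla URL is wrapped in double brackets, which MediaWiki treats as an internal link; use single brackets so it renders as a link.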

Latest revision as of 11:50, 9 May 2013

Description

Leave an Active Directory domain by deconfiguring it locally.

Setup

  1. Make sure you have other required software:
    • realmd 0.14.0 or later
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. Run through the test case to join the domain.
  4. Verify that you are joined to the domain with the following command:
    $ realm list
    Make sure you have a configured: kerberos-membership line in the output.
    Note the login-formats: line.
  5. Check that you can resolve domain accounts on the local computer.
    Use the login-formats value you saw above to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
    $ getent passwd 'AD\User'

How to test

  1. Perform the leave command.
    $ realm leave ad.example.com
    You will be prompted for Policy Kit authorization, because you're not running this as root.
    You will not be prompted for a password.
    This should proceed quickly and not take more than 10 seconds.
    On a successful leave there will be no output.

Expected Results

  1. Check that the domain is no longer configured.
    $ realm list
    Make sure the domain is not listed.
  2. Check that you cannot resolve domain accounts on the local computer.
    $ getent passwd 'AD\User'
    There should be no output.
  3. Check that there is no machine account for the domain in the keytab.
    $ sudo klist -k
    You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
  4. If you have console access to a domain controller, you can use the Active Directory Users and Computers tool to check that the computer account was not deleted.
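
The three local checks above can be scripted so that a leftover realm entry, a resolvable domain user, or a machine credential remaining in the keytab is reported as a failure. This is an added example, not part of the original test case; the function names and the sample outputs are constructed for illustration, and it assumes the Kerberos realm name is the upper-cased domain name.

```shell
#!/bin/sh
# Added example (not part of the original test case): post-leave checks.
# Parsers read command output on stdin so they can be tried on saved output.

# Constructed sample of `realm list` output while still joined.
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-membership
  login-formats: AD\%U'

# Constructed sample of `klist -k` output with machine-account entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/client.ad.example.com@AD.EXAMPLE.COM
   2 CLIENT$@AD.EXAMPLE.COM'

# Succeeds if the domain appears as a realm header or domain-name field.
realm_listed() {
    awk -v d="$1" '
        tolower($0) == tolower(d) { found = 1 }
        tolower($1) == "domain-name:" && tolower($2) == tolower(d) { found = 1 }
        END { exit !found }'
}

# Prints keytab principals in the Kerberos realm for the domain.
# Assumption: the realm name is the upper-cased domain name.
keytab_principals() {
    awk -v r="@$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
        $1 ~ /^[0-9]+$/ && NF >= 2 && length($2) >= length(r) &&
        substr($2, length($2) - length(r) + 1) == r { print $2 }'
}

# Runs the three local checks; returns non-zero if any trace remains.
verify_leave() {
    domain=$1; user=$2; rc=0
    if realm list | realm_listed "$domain"; then
        echo "FAIL: $domain is still configured"; rc=1
    fi
    if getent passwd "$user" >/dev/null; then
        echo "FAIL: $user still resolves"; rc=1
    fi
    left=$(sudo klist -k 2>/dev/null | keytab_principals "$domain")
    if [ -n "$left" ]; then
        echo "FAIL: keytab still holds:"; echo "$left"; rc=1
    fi
    return $rc
}
```

After sourcing the file, run `verify_leave ad.example.com 'AD\User'` on the machine that left the domain; the computer account check on the domain controller remains a manual step.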



Troubleshooting

Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports.

$ realm leave --verbose ad.example.com

Leave currently does not work when run as a non-root user (see https://bugzilla.redhat.com/show_bug.cgi?id=867807).