From Fedora Project Wiki

Description

Deny any domain account permission to log in locally.

Setup

  1. If you are linked to your Active Directory domain via VPN, then this test case will not work.
  2. Make sure you have other required software:
    • realmd 0.14.0 or later
  3. Verify that your Active Directory domain access works, or set a domain up.
  4. Run through the test case to join the domain.
  5. Run through the test case to login using domain account.
  6. Verify that you can log in as a domain account from GDM.
    Then log out of that user.

How to test

  1. Perform the deny command.
    $ realm deny --realm=ad.example.com --all
    Make sure to use the DOMAIN\User of the user you logged in as above.
    You will be prompted for Policy Kit authorization.
    You will not be prompted for a password.
    This should proceed quickly, not take more than 10 seconds.
    On a successful deny there will be no output.
  2. The user should no longer show up here:
    $ realm list
    Look at the permitted-logins: line.
    You should also see login-policy: deny-any-login.
  3. Go to GDM by logging out, or by Switch User from the user menu.
    On a Live CD if you get automatically logged in again, go to User Accounts and turn off Auto Login for the Live CD user.
  4. Choose the Not Listed? option.
  5. Type DOMAIN\User in the box.
    The case of the domain and user should not matter, but they are separated by a backslash.
    The domain part is the part of your Active Directory domain prior to the first dot.
  6. Type the user domain password, and press enter.
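A scripted check for the state step 2 expects, added here as an example (not part of this test case or of realmd): it reads `realm list`-style output on stdin and succeeds only when the named realm reports login-policy: deny-any-login and no permitted-logins remain. The sample output below is constructed in the layout of `realm list`, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Fedora test case or realmd.
# check_deny_policy REALM reads `realm list` output on stdin and returns 0
# when REALM has login-policy: deny-any-login and an empty (or absent)
# permitted-logins: line, i.e. the state expected after `realm deny --all`.
check_deny_policy() {
    realm_name="$1"
    awk -v want="$realm_name" '
        # A line without leading whitespace starts a new realm block.
        /^[^ \t]/ { in_realm = ($1 == want) }
        in_realm && /^[ \t]*login-policy:/ { policy = $2 }
        in_realm && /^[ \t]*permitted-logins:/ {
            sub(/^[ \t]*permitted-logins:[ \t]*/, ""); permitted = $0
        }
        END {
            if (policy == "deny-any-login" && permitted == "") exit 0
            exit 1
        }'
}

# Constructed sample: realm list output after the deny step succeeded.
SAMPLE_DENIED='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  login-formats: %U@ad.example.com
  login-policy: deny-any-login
  permitted-logins:'

# Constructed sample: the state before the deny step, one user still permitted.
SAMPLE_PERMITTED='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  login-policy: allow-permitted-logins
  permitted-logins: AD\user'

# On a joined host, pipe the live command in instead of the sample:
#   realm list | check_deny_policy ad.example.com && echo "deny-any-login in effect"
if printf '%s\n' "$SAMPLE_DENIED" | check_deny_policy ad.example.com; then
    echo "sample: deny-any-login in effect, no permitted logins"
fi
```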

Expected Results

  1. You should briefly see Permission denied and you should be unable to log in.

Troubleshooting

Try from a VT console, and see if there is any interesting output there.

If you are connected to your domain controller via VPN, the above test case will not work.

You can also use pamtester, available in the Fedora software repository.

$ pamtester login 'AD\User' authenticate