From Fedora Project Wiki

Fedora Test Days
Active Directory

Date 2012-10-18
Time all day

Website QA/Fedora_18_test_days
IRC #fedora-test-day (webirc)
Mailing list sssd-devel


Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?[edit]

Today's installment of Fedora Test Day will focus on Active Directory, in particular using realmd to setup authentication using domain accounts, sssd to handle the active directory authentication, and other involved bits and pieces.

Who's available[edit]

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ...

Prerequisite for Test Day[edit]

You need the following before joining in on the test day.

How to test?[edit]

At a high level the following are being tested:

  • realmd used together with Active Directory
  • sssd used together with Active Directory
  • control-center GNOME control center used with Enterprise Logins
  • gnome-online-accounts used with a Kerberos account
  • gvfs used for SMB access with a Kerberos ticket

You can explore these, and their documentation. Or you can follow the test cases below.

Test Cases[edit]

Testcase Description Privileges Approx. time required
AD no krb5.conf Using Active Directory without krb5.conf Any 5 minutes
Discover AD Using realmd to discover information about an Active Directory domain Any 5 minutes
Join AD with sssd Using realmd to join an Active Directory domain with sssd as the client. Domain user 15 minutes
Leave AD Using realmd to leave an Active Directory domain. Domain user 15 minutes
Leave AD with remove Using realmd to leave an Active Directory domain, removing the computer account. Domain user 15 minutes
Join AD with winbind Using realmd to join an Active Directory domain with winbind as the client. Domain user 15 minutes
Login with AD account Using realmd permit one domain login, and then log in using that account Domain user 10 minutes
Deny login for AD account Using realmd deny one domain login. Domain user 10 minutes
Login with any AD account Using realmd permit any domain login, and then log in using an account Domain user 10 minutes
Deny login for any AD account Using realmd deny any domain login. Domain user 10 minutes
Join AD automatic Using realmd to join an active directory domain automatically Domain admin 20 minutes
Join AD with OTP Using realmd to join an Active Directory domain with a one time password. Domain admin 20 minutes
Control Center Enterprise Login Using Control Center to add an Enterprise Login (ie: a domain account), and testing login with that account. Domain user 20 minutes
GVfs access Using gvfs to access SMB shares with active kerberos ticket. Domain user 5 minutes

Test Results[edit]

Log issues and enhancements in one of these places:

User AD no krb5.conf AD discovery SSSD join Leave AD Leave AD and remove account winbind join login deny login permit any deny any autojoin OTP join control center gvfsd-smb References
Sample User
none
Pass pass
Warning warn
[1]
Fail fail
[2]
none
none
none
none
none
none
none
none
none
none
  1. Test pass, RHBZ #54321
  2. RHBZ #12345
mvadkert
Pass pass
Pass pass
Fail fail [1]
- realm crashes when computer-ou empty, [2], [3]
Fail fail
[4], works with disabled SELinux
Fail fail
[5], works with disabled SELinux
none
none
none
none
none
none
none
none
none
  1. RHBZ #867820
  2. RHBZ #867767 - SELinux denials
  3. RHBZ #867769 - man page typo
  4. RHBZ #867767 - SELinux denials preventing sssd to stop
  5. RHBZ #867767 - SELinux denials preventing sssd to stop
Maxim Burgerhout
Pass pass
Pass pass
Fail fail
[1]
Fail fail
[2]
Fail fail
[3]
Fail fail
[4]
Warning warn
[5]
Pass pass
[6]
Pass pass
[7]
Pass pass
[8]
Pass pass
[9]
Pass pass
[10]
none
Pass pass
  1. RHBZ #867765; works without SELinux
  2. same
  3. same
  4. Join works, but samba-client and samba-winbind packages are not installed RHBZ #867873
  5. Works, but group names are not resolved RHBZ #867874
  6. setenforce 0
  7. setenforce 0
  8. setenforce 0
  9. setenforce 0
  10. setenforce 0
omoris
Pass pass
Pass pass
none
none
none
none
none
none
none
none
none
none
none
none
Stijn
Pass pass
Pass pass
Fail fail
[1]
Warning warn
[2]
Warning warn
[3]
Warning warn
[4]
Warning warn
[5]
Pass pass
[6]
Pass pass
[7]
Pass pass
[8]
none
none
none
none
  1. AVC denials (RHBZ #867765), incorrect DNS registration (RHBZ #867864, RHBZ #867915), works with setenforce 0
  2. AVC denials (RHBZ #867765), works with setenforce 0
  3. AVC denials (RHBZ #867765), works with setenforce 0
  4. with workaroud (RHBZ #867873) tests pass, winbind warns about log file (RHBZ #867893)
  5. Works, but groups are not resolved RHBZ #867874
  6. with setenforce 0, I did not check audit logs
  7. with setenforce 0, I did not check audit logs
  8. with setenforce 0, I did not check audit logs
stefw
Pass pass
Pass pass
Fail fail [1]
Warning warn
[2]
Warning warn
[3]
Fail fail [4]
Warning warn [5]
Warning warn
[6]
Warning warn [5]
Warning warn
[7]
Fail fail
[8]
Warning warn
[9]
Fail fail
[10]
Pass pass
jpospisi
Pass pass
Pass pass
Warning warn
[1]
Pass pass
Pass pass
[2]
Warning warn [3]
none
none
none
none
none
none
none
none
  1. RHBZ #867873 all testcases past this one were tested with 'setenforce 0'
  2. I had access to the server. Checked that computer was successfully removed.
  3. RHBZ #867873
ksrot
Pass pass
Warning warn [1]
Fail fail [2] [3]
Fail fail [2]
Fail fail [4]
none
none
none
none
none
none
none
none
none
none
  1. RHBZ #867767
  2. 2.0 2.1 RHBZ #867765
  3. RHBZ #867807
  4. RHBZ #867873
jscotka
Pass pass
Pass pass
Fail fail [1]
Pass pass
Pass pass
Pass pass
but seems slow
none
none
none
none
none
none
none
none
none
  1. RHBZ #867873
psklenar
Pass pass
Fail fail [1]
none
none
none
none
none
none
none
none
none
none
none
none
none
  1. RHBZ #867820
tbzatek
Pass pass
Pass pass
Warning warn [1]
Warning warn [1]
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
none
none
  1. 1.0 1.1 RHBZ #867767
pkis
Pass pass
Pass pass
none
none
none
none
none
none
none
none
none
none
none
none
Adam Joseph Cook
Pass pass
Pass pass
Warning warn [1]
[2]
Warning warn
[3]
Warning warn
[4]
Warning warn
[5]
Warning warn [6] [7]
[8]
Inprogress inprogress
[9]
Inprogress inprogress
Inprogress inprogress
Inprogress inprogress
Inprogress inprogress
Inprogress inprogress
Inprogress inprogress
  1. RHBZ #867873
  2. Disabled SELinux (setenforce 0). Step 4 may be incorrect - system had to restarted to find keytab.
  3. Disabled SELinux (setenforce 0) - will not pass otherwise.
  4. Disabled SELinux (setenforce 0) - will not pass otherwise.
  5. Disabled SELinux (setenforce 0) - will not pass otherwise.
  6. RHBZ #825498
  7. RHBZ #867874
  8. Disabled SELinux (setenforce 0) - will not pass otherwise.
  9. Had to suspend testing, significant nouveau issues with FC18 - not related to AD. Will finish in coming days.
vpodzime

(all with setenforce 0)

Pass pass
Pass pass
Pass pass
Pass pass
Warning warn
[long 1]
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
Pass pass
[1]
Pass pass
Pass pass
[2]
Pass pass
  1. Some problems appeared during testing, but were caused by the leftovers from the previous testing.
  2. The user was listed in the GDM's list.

Long comments[edit]

  1. Computer not removed from the Active Directory, only a liitle arrow appeared in the computer icon screenshot