From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 6: | Line 6: | ||
# Verify that you are joined to the domain with the following command | # Verify that you are joined to the domain with the following command | ||
#: <pre>$ realm list</pre> | #: <pre>$ realm list</pre> | ||
#: Make sure you have a <code>configured: kerberos- | #: Make sure you have a <code>configured: kerberos-member</code> line in the output. | ||
#: Note the <code>login-formats:</code> line. | #: Note the <code>login-formats:</code> line. | ||
# Check that you can resolve domain accounts on the local computer. | # Check that you can resolve domain accounts on the local computer. | ||
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>DOMAIN | #: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>User@FULL-DOMAIN</code>, where FULL-DOMAIN is your full FreeIPA domain name (e.g. freeipa.example.com) | ||
#: <pre>$ getent passwd ' | #: <pre>$ getent passwd 'User@freeipa.example.com'</pre> | ||
|actions= | |actions= | ||
# Perform the leave command. | # Perform the leave command. | ||
#: <pre>$ realm leave | #: <pre>$ realm leave freeipa.example.com</pre> | ||
#: You will be prompted for Policy Kit authorization. | #: You will be prompted for Policy Kit authorization. | ||
#: You will not be prompted for a password. | #: You will not be prompted for a password. | ||
| Line 25: | Line 25: | ||
#: Make sure the domain is not listed. | #: Make sure the domain is not listed. | ||
# Check that you cannot resolve domain accounts on the local computer. | # Check that you cannot resolve domain accounts on the local computer. | ||
#: <pre>$ getent passwd ' | #: <pre>$ getent passwd 'User@freeipa.example.com'</pre> | ||
#: There should be no output. | #: There should be no output. | ||
# Check that there is no machine account for the domain in the keytab. | # Check that there is no machine account for the domain in the keytab. | ||
#: <pre>sudo klist -k</pre> | #: <pre>sudo klist -k</pre> | ||
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist. | #: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist. | ||
# If you have console access to a FreeIPA server, you can use the FreeIPA Web UI tool | # If you have console access to a FreeIPA server, you can use the FreeIPA Web UI tool see that the computer account was not deleted. | ||
}} | }} | ||
| Line 38: | Line 38: | ||
<pre> | <pre> | ||
$ realm leave --verbose | $ realm leave --verbose freeipa.example.com | ||
</pre> | </pre> | ||
Revision as of 20:43, 12 March 2013
Description
Leave a FreeIPA domain by deconfiguring it locally.
Setup
- Verify that your FreeIPA domain access works. If you don't have a FreeIPA domain, you can set one up.
- Run through the test case to join the domain.
- Verify that you are joined to the domain with the following command
$ realm list
- Make sure you have a
configured: kerberos-memberline in the output. - Note the
login-formats:line.
- Check that you can resolve domain accounts on the local computer.
- Use the
login-formatsyou saw above, to build a remote user name. It will be in the form ofUser@FULL-DOMAIN, where FULL-DOMAIN is your full FreeIPA domain name (e.g. freeipa.example.com) $ getent passwd 'User@freeipa.example.com'
- Use the
How to test
- Perform the leave command.
$ realm leave freeipa.example.com
- You will be prompted for Policy Kit authorization.
- You will not be prompted for a password.
- This should proceed quickly, not take more that 10 seconds.
- On a successful leave there will be no output.
Expected Results
- Check that the domain is no longer configured.
$ realm list
- Make sure the domain is not listed.
- Check that you cannot resolve domain accounts on the local computer.
$ getent passwd 'User@freeipa.example.com'
- There should be no output.
- Check that there is no machine account for the domain in the keytab.
sudo klist -k
- You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
- If you have console access to a FreeIPA server, you can use the FreeIPA Web UI tool see that the computer account was not deleted.
Troubleshooting
Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports.
$ realm leave --verbose freeipa.example.com
Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:
$ sudo setenforce 0
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
$ sudo grep realmd /var/log/audit/audit.log