From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 2: | Line 2: | ||
|description=Leave a FreeIPA domain by deconfiguring it locally. | |description=Leave a FreeIPA domain by deconfiguring it locally. | ||
|setup= | |setup= | ||
# Run through the [[QA:Testcase_FreeIPA_realmd_join_sssd|test case to join the domain]]. | # Run through the [[QA:Testcase_FreeIPA_realmd_join_sssd|test case to join the domain]]. | ||
# Verify that you are joined to the domain with the following command | # Verify that you are joined to the domain with the following command | ||
| Line 9: | Line 8: | ||
#: Note the <code>login-formats:</code> line. | #: Note the <code>login-formats:</code> line. | ||
# Check that you can resolve domain accounts on the local computer. | # Check that you can resolve domain accounts on the local computer. | ||
#: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>User@FULL-DOMAIN</code>, where FULL-DOMAIN is your full FreeIPA domain name (e.g. | #: Use the <code>login-formats</code> you saw above, to build a remote user name. It will be in the form of <code>User@FULL-DOMAIN</code>, where FULL-DOMAIN is your full FreeIPA domain name (e.g. ipa.example.org) | ||
#: <pre>$ getent passwd ' | #: <pre>$ getent passwd 'admin@ipa.example.org'</pre> | ||
|actions= | |actions= | ||
# Perform the leave command. | # Perform the leave command. | ||
#: <pre>$ realm leave | #: <pre>$ realm leave ipa.example.org</pre> | ||
#: You will be prompted for Policy Kit authorization. | #: You will be prompted for Policy Kit authorization. | ||
#: You will not be prompted for a password. | #: You will not be prompted for a password. | ||
| Line 25: | Line 24: | ||
#: Make sure the domain is not listed. | #: Make sure the domain is not listed. | ||
# Check that you cannot resolve domain accounts on the local computer. | # Check that you cannot resolve domain accounts on the local computer. | ||
#: <pre>$ getent passwd ' | #: <pre>$ getent passwd 'admin@ipa.example.org'</pre> | ||
#: There should be no output. | #: There should be no output. | ||
# Check that there is no machine account for the domain in the keytab. | # Check that there is no machine account for the domain in the keytab. | ||
#: <pre>sudo klist -k</pre> | #: <pre>sudo klist -k</pre> | ||
#: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist. | #: You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist. | ||
# If you have | # If you have set up the FreeIPA Web UI, you can see that computer account has not been deleted (under the ''Hosts'' section) | ||
}} | }} | ||
| Line 38: | Line 37: | ||
<pre> | <pre> | ||
$ realm leave --verbose | $ realm leave --verbose ipa.example.org | ||
</pre> | </pre> | ||
Revision as of 23:21, 15 April 2013
Description
Leave a FreeIPA domain by deconfiguring it locally.
Setup
- Run through the test case to join the domain.
- Verify that you are joined to the domain with the following command
$ realm list
- Make sure you have a
configured: kerberos-memberline in the output. - Note the
login-formats:line.
- Check that you can resolve domain accounts on the local computer.
- Use the
login-formatsyou saw above, to build a remote user name. It will be in the form ofUser@FULL-DOMAIN, where FULL-DOMAIN is your full FreeIPA domain name (e.g. ipa.example.org) $ getent passwd 'admin@ipa.example.org'
- Use the
How to test
- Perform the leave command.
$ realm leave ipa.example.org
- You will be prompted for Policy Kit authorization.
- You will not be prompted for a password.
- This should proceed quickly, not take more that 10 seconds.
- On a successful leave there will be no output.
Expected Results
- Check that the domain is no longer configured.
$ realm list
- Make sure the domain is not listed.
- Check that you cannot resolve domain accounts on the local computer.
$ getent passwd 'admin@ipa.example.org'
- There should be no output.
- Check that there is no machine account for the domain in the keytab.
sudo klist -k
- You should see no lines referring to the domain in the table, or an error message saying that the keytab does not exist.
- If you have set up the FreeIPA Web UI, you can see that computer account has not been deleted (under the Hosts section)
Troubleshooting
Use the --verbose argument to see details of what's being done during a leave. Include verbose output in any bug reports.
$ realm leave --verbose ipa.example.org
Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:
$ sudo setenforce 0
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
$ sudo grep realmd /var/log/audit/audit.log