From Fedora Project Wiki

Latest revision as of 13:51, 9 May 2013

Description

Join the current machine to an Active Directory domain using kerberos credentials already acquired before the join.

Setup

  1. Make sure you have the required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. You need a domain account as an administrator.
  4. Leave realm(s) you are currently joined to.
    $ realm leave
    If you are joined to multiple domains, run this command multiple times.

How to test

  1. Run kinit to acquire kerberos credentials:
    $ kinit Administrator@AD.EXAMPLE.COM
    Make sure the realm name is upper case and the user's case is correct.
  2. Perform the join command.
    $ realm join ad.example.com
    You should not be prompted for a password for the account again.
    You will be prompted for Policy Kit authorization, if not running as root.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your Active Directory domain is.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer.
    $ getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your host's keytab.
    $ sudo klist -k
    You should see several lines with your host name, for example: 2 HOSTNAME$@AD.EXAMPLE.COM
  4. Check that you can use your keytab with kerberos.
    $ sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
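
The post-join checks above, as an added shell example (not part of the Fedora test case or of realmd): helper functions that parse realm list and klist -k output to confirm the configured: kerberos-member line, build the DOMAIN\User name from login-formats (realmd substitutes %U with the user name), and confirm the HOSTNAME$@REALM keytab entry. The two command outputs are constructed samples; on a real host you pipe the live output into the same functions.

```shell
# Added post-join verification helpers (not from the Fedora wiki or realmd).
# Each function reads command output on stdin, so on a real host you would run
# e.g.  realm list | realm_login_name ad.example.com User
# The two outputs below are CONSTRUCTED samples so the script runs offline.

# Print the value of KEY from the `realm list` block describing DOMAIN.
realm_field() {  # usage: realm_field DOMAIN KEY   (stdin: realm list output)
    awk -v dom="$1" -v key="$2" '
        /^[^ ]/ { cur = $1 }                        # unindented line starts a realm block
        cur == dom && $1 == (key ":") { sub(/^[^:]*: */, ""); print; exit }'
}

# Succeed only if DOMAIN is listed and shows "configured: kerberos-member".
realm_is_kerberos_member() {
    [ "$(realm_field "$1" configured)" = "kerberos-member" ]
}

# Build the remote user name from login-formats; realmd uses %U for the user name.
realm_login_name() {  # usage: realm_login_name DOMAIN USER
    fmt=$(realm_field "$1" login-formats | cut -d' ' -f1)   # first listed format
    [ -n "$fmt" ] || return 1
    printf '%s\n' "$fmt" | sed "s/%U/$2/"
}

# Succeed if `klist -k` output lists PRINCIPAL (column 1 is the KVNO, column 2 the principal).
keytab_has_principal() {  # usage: keytab_has_principal PRINCIPAL   (stdin: klist -k output)
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}
REALM_LIST=$(cat <<'EOF'
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  login-formats: AD\%U
EOF
)
KLIST_K=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   2 host/hostname.ad.example.com@AD.EXAMPLE.COM
   2 HOSTNAME$@AD.EXAMPLE.COM
EOF
)

# Run the checks from "Expected Results" against the sample output.
printf '%s\n' "$REALM_LIST" | realm_is_kerberos_member ad.example.com && echo "configured: kerberos-member OK"
printf '%s\n' "$REALM_LIST" | realm_login_name ad.example.com User      # prints AD\User
printf '%s\n' "$KLIST_K" | keytab_has_principal 'HOSTNAME$@AD.EXAMPLE.COM' && echo "host keytab entry OK"
```

The same functions also work with the %U@ad.example.com style of login-formats that other client software reports, because only the %U token is substituted.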

More: Check the computer account

If you have console access to a domain controller, you can use the Active Directory Users and Computers tool to see if the computer account was created under the Computers section.

More: Use with samba membership software

When using kerberos credentials, realmd prefers to use adcli to actually do the join. To use with the samba net tool run the join like so:

$ realm join --membership-software=samba ad.example.com

Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --verbose ad.example.com