From Fedora Project Wiki

(Add known issues)
(typo)
Line 22: Line 22:
#: <pre>$ realm list</pre>
#: <pre>$ realm list</pre>
#: Make sure the domain is listed.
#: Make sure the domain is listed.
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
#: Make sure you have a <code>configured: kerberos-member</code> line in the output.
#: Make sure you have a <code>client-software: winbind</code> line in the output.
#: Make sure you have a <code>client-software: winbind</code> line in the output.
#: Make note of the <code>login-formats</code> line for the next command.
#: Make note of the <code>login-formats</code> line for the next command.

Revision as of 14:20, 18 October 2012

Description

Join the current machine to an Active Directory domain using winbind as an AD client. Domain accounts are available on the local machine once this is done.

Setup

  1. Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
  2. You need a domain account, either a user or administrator. It's useful to test with both.
  3. Your machine must have a configured host name. Do not proceed if you host name is localhost or similar.
    $ hostname
  4. Make sure you have realmd 0.9 or later installed.
    $ yum list realmd
  5. Remove the following packages, they should be installed by realmd as necessary.
    $ yum remove samba-winbind samba-client

How to test

  1. Perform the join command. Use the --user=xxx argument to specify your domain account name.
    $ realm join --user=User --client-software=winbind ad.example.com
    You will be prompted for Policy Kit authorization.
    You will be prompted for a password for the account.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your Active Directory domain is.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make sure you have a client-software: winbind line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer.
    $ getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your hosts keytab.
    sudo klist -k
    You should see several lines, with your host name. For example 2 HOSTNAME$@AD.EXAMPLE.COM
  4. Check that you can use your keytab with kerberos
    sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
  5. If you have console access to a domain controller, you can use the Active Directory Users and Computers tool to see if that the computer account was created under the Computers section.



Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --client-software=winbind --verbose ad.example.com

Known Issue [Samba Package Names]: The samba package names in the realmd configuration are incorrect. The packages were renamed in Fedora 18 recently. Please do:

$ sudo sed -i -e 's/samba4/samba/' usr/lib64/realmd/realmd-distro.conf'

You can comment on this issue here: https://bugzilla.redhat.com/show_bug.cgi?id=867873

Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:

$ sudo setenforce 0

Please file the all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873

$ sudo grep realmd /var/log/audit/audit.log