| {{QA/Test_Case
| | #REDIRECT [[QA:Testcase_freeipa_trust_server_installation]] |
| |description=Installation testing.
| |
| |setup=
| |
| <ol>
| |
| <li>For testing purposes, a machine (or VM) with 1 GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.</li>
| |
| <li>Make sure <code>/etc/hosts</code> is sane. This means that your host is listed on a separate line with its IP address, with the FQDN listed first. This is necessary to avoid chicken-and-egg issues when the DNS is installed, because name resolution for the public host name is needed to start the DNS itself (to initialize Kerberos credentials). In particular, the hostname SHOULD NOT appear in either the IPv4 or IPv6 localhost lines.</li>
| |
| <li>If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC.</li>
| |
| </ol>
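The <code>/etc/hosts</code> requirement above can be checked mechanically before running the installer. The following is an added example, not part of the original test case; the function names <code>check_hosts</code>, <code>sample_hosts_good</code> and <code>sample_hosts_bad</code> are hypothetical and the sample file contents are constructed.

```shell
# Constructed sample: FQDN first on its own line, absent from loopback lines.
sample_hosts_good() { cat <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost6
192.168.0.1 server.ipa.example.org server
EOF
}

# Constructed sample: hostname on the loopback line, short name before FQDN.
sample_hosts_bad() { cat <<'EOF'
127.0.0.1   server.ipa.example.org server localhost
::1         localhost6
192.168.0.1 server server.ipa.example.org   # short name listed first
EOF
}

# check_hosts FILE FQDN   (FILE may be "-" for stdin)
# Prints one FAIL line per problem; returns 0 only if the file is sane.
check_hosts() {
    awk -v fqdn="$2" '
    BEGIN { fq = tolower(fqdn); split(fq, p, "."); short = p[1] }
    { sub(/#.*/, "") }                 # drop comments, fields are re-split
    NF < 2 { next }                    # blank or address-only line
    {
        loop = ($1 ~ /^127\./ || $1 == "::1")
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name != fq && name != short) continue
            if (loop) {
                print "FAIL: " $i " appears on loopback line " $1; bad = 1
            } else if (name == fq) {
                if (i == 2) ok = 1
                else { print "FAIL: FQDN is not the first name on the " $1 " line"; bad = 1 }
            }
        }
    }
    END {
        if (!ok) { print "FAIL: no non-loopback line lists " fqdn " first"; bad = 1 }
        exit bad
    }' "$1"
}

# Demo on the constructed bad sample; on a real host: check_hosts /etc/hosts "$(hostname -f)"
sample_hosts_bad | check_hosts - server.ipa.example.org || true
```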
| |
| |actions=
| |
| === Installation ===
| |
| | |
| First, install the FreeIPA server package:
| |
| | |
| # yum install freeipa-server
| |
| | |
| ==== Without DNS ====
| |
| | |
| For a fully-interactive install run:
| |
| | |
| # ipa-server-install
| |
| | |
| You can optionally provide all options on the command-line:
| |
| | |
| # ipa-server-install -a secret123 -p 123Secret --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG -U
| |
| | |
| ==== With DNS ====
| |
| | |
| # yum install bind bind-dyndb-ldap
| |
| # ipa-server-install --setup-dns
| |
| | |
| Or with all options on the command-line:
| |
| | |
| # ipa-server-install -a secret123 -p 123Secret --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --setup-dns --forwarder=<forwarder IP> -U
| |
| | |
| Substitute your existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
| |
|
| |
| ==== Verify the basics ====
| |
| | |
| Ideally each of these installation steps will conclude with no errors and a running set of IPA services.
| |
| | |
| To briefly test the installation:
| |
| | |
| # kinit admin # (the password is the admin password, or the password from -a)
| |
| | |
| Show our own user entry:
| |
| | |
| # ipa user-show admin
| |
| | |
| And make sure nss can see us too:
| |
| | |
| # id admin
| |
| # getent passwd admin
| |
| | |
| ==== Verify Services ====
| |
| | |
| We install a number of SSL certificates that should be automatically managed by certmonger:
| |
| | |
| # ipa-getcert list
| |
| | |
| There should be 3 certificates, all in MONITORING status. The certificates should be in the following NSS databases:
| |
| | |
| * /etc/httpd/alias
| |
| * /etc/dirsrv/slapd-PKI-IPA
| |
| * /etc/dirsrv/slapd-IPA-EXAMPLE-ORG
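The certmonger check above can be scripted so that a request stuck in any status other than MONITORING, or a missing database, fails the test step. This is an added example, not part of the original test case; <code>check_tracking</code> and <code>sample_list</code> are hypothetical names, the sample output is constructed, and it assumes one tracked certificate per NSS database and the usual <code>Request ID</code> / <code>status:</code> / <code>certificate:</code> layout of <code>ipa-getcert list</code>.

```shell
# Constructed sample of `ipa-getcert list` output (trimmed to the fields used).
# Optional argument: status to report for every request (default MONITORING).
sample_list() {
    echo "Number of certificates and requests being tracked: 3."
    i=0
    for db in /etc/httpd/alias /etc/dirsrv/slapd-PKI-IPA /etc/dirsrv/slapd-IPA-EXAMPLE-ORG; do
        i=$((i + 1))
        printf "Request ID '2012010100000%s':\n" "$i"
        printf '\tstatus: %s\n\tstuck: no\n' "${1:-MONITORING}"
        printf "\tcertificate: type=NSSDB,location='%s',nickname='Server-Cert',token='NSS Certificate DB'\n" "$db"
    done
}

# usage: ipa-getcert list | check_tracking DB_DIR...
# Fails if any request is not MONITORING, if the number of tracked requests
# differs from the number of DB_DIR arguments, or if a DB_DIR has no certificate.
check_tracking() {
    awk -v dbs="$*" -v q="'" '
    BEGIN { want = split(dbs, d, " "); re = "location=" q "[^" q "]*" q }
    /^Request ID/ { n++; id = $3; gsub(/[^0-9]/, "", id) }
    $1 == "status:" && $2 != "MONITORING" {
        print "FAIL: request " id " has status " $2; bad = 1
    }
    # "location=" plus the opening quote is 10 characters; drop the closing quote too
    $1 == "certificate:" && match($0, re) {
        seen[substr($0, RSTART + 10, RLENGTH - 11)] = 1
    }
    END {
        if (n != want) { print "FAIL: " (n + 0) " requests tracked, expected " want; bad = 1 }
        for (i = 1; i <= want; i++)
            if (!(d[i] in seen)) { print "FAIL: no tracked certificate in " d[i]; bad = 1 }
        exit bad
    }'
}

# Demo on the constructed sample with every request reported as CA_UNREACHABLE.
sample_list CA_UNREACHABLE | check_tracking /etc/httpd/alias \
    /etc/dirsrv/slapd-PKI-IPA /etc/dirsrv/slapd-IPA-EXAMPLE-ORG || true
```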
| |
| | |
| Now, check the service principals:
| |
| | |
| # kinit admin
| |
| # ipa service-find
| |
| | |
| There should be 2 services: ldap and HTTP for your FreeIPA server. If you installed DNS, there should be a DNS service as well.
| |
| | |
| ==== Verify DNS ====
| |
| | |
| Verify these only if you installed with a DNS server.
| |
| | |
| # dig server.ipa.example.org.
| |
| | |
| Look for a line like this in the output:
| |
| | |
| server.ipa.example.org. 86400 IN A 192.168.0.1
| |
| | |
| # host server.ipa.example.org
| |
| server.ipa.example.org has address 192.168.0.1
| |
| | |
| # ipa dns-resolve server.ipa.example.org
| |
| ---------------------------
| |
| Found 'server.ipa.example.org.'
| |
| ---------------------------
| |
| | |
| # ipa host-show server.ipa.example.org
| |
| Host name: server.ipa.example.org
| |
| Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
| |
| Keytab: True
| |
| Managed by: server.ipa.example.org
| |
| | |
| === Client testing ===
| |
| ==== Add a client ====
| |
| | |
| If you have more than two machines, install a client of the replica.
| |
| If you have installed DNS, edit /etc/resolv.conf and add the IPA server as a nameserver.
| |
| | |
| # yum install freeipa-client
| |
| # ipa-client-install
| |
| | |
| Or with all options on the command-line:
| |
| | |
| # yum install freeipa-client
| |
| # ipa-client-install --domain=ipa.example.org --server=server.ipa.example.org -p admin -w secret123 -U
| |
| | |
| Verify that nss can see us:
| |
| | |
| # id admin
| |
| # getent passwd admin
| |
| | |
| With the {{package|freeipa-admintools}} package, you can test installation using the ipa command:
| |
| | |
| # yum install freeipa-admintools
| |
| # kinit admin
| |
| # ipa user-show admin
| |
| | |
| ==== Remove a client ====
| |
| | |
| When you are done with a client, you can uninstall it:
| |
| | |
| # ipa-client-install --uninstall
| |
| | |
| The uninstallation should complete with no errors. To verify that uninstallation was successful, install the client again.
| |
| | |
| === Uninstallation ===
| |
| | |
| FreeIPA provides a way to uninstall the configured services, and it does its best to return the system to its previous state. To run the uninstaller, execute:
| |
| | |
| # ipa-server-install --uninstall -U
| |
| | |
| ==== Verify uninstallation ====
| |
| | |
| Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.
| |
| | |
| To verify that the server is in a state where it can be re-installed, re-run ipa-server-install:
| |
| | |
| # ipa-server-install
| |
| | |
| If something failed in the un-installation, you would get an error message that the server is already installed/configured.
| |
| | |
| |results=
| |
| All the test steps should end with the specified results.
| |
| }}
| |