(Add about OU) |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 2: | Line 2: | ||
|description=This test case verifies that <code>adcli join</code> works with basic options. | |description=This test case verifies that <code>adcli join</code> works with basic options. | ||
|setup= | |setup= | ||
# Make sure to complete the [[QA: | # Make sure to complete the [[QA:Testcase_adcli_setup|prerequisites before starting this test]]. | ||
# It is necessary to have complete domain DNS resolution working for this test. | # It is necessary to have complete domain DNS resolution working for this test. | ||
# [[QA:Testcase_adcli_info|Test general adcli info]] functionality before doing this test. | # [[QA:Testcase_adcli_info|Test general adcli info]] functionality before doing this test. | ||
Line 61: | Line 61: | ||
# kinit -k 'COMPUTER$@DOMAIN.EXAMPLE.COM' | # kinit -k 'COMPUTER$@DOMAIN.EXAMPLE.COM' | ||
</pre> | </pre> | ||
== Cleanup == | |||
Cleanup after this test case is simple. | |||
<pre># rm -f /etc/krb5.keytab</pre> | |||
<pre># adcli delete-computer --domain=domain.example.com <hostname -s></pre> | |||
=== More: Use precached credentials === | === More: Use precached credentials === | ||
Line 94: | Line 100: | ||
* In the <code>kinit</code> line above, make sure you have the dollar sign, are using the short computer name, and have everything capitalized as expected. | * In the <code>kinit</code> line above, make sure you have the dollar sign, are using the short computer name, and have everything capitalized as expected. | ||
[[Category:Active_Directory_Test_Cases]] | [[Category:Active_Directory_Test_Cases]] [[Category:adcli_Test_Cases]] |
Latest revision as of 13:50, 7 May 2013
Description
This test case verifies that adcli join
works with basic options.
Setup
- Make sure to complete the prerequisites before starting this test.
- It is necessary to have complete domain DNS resolution working for this test.
- Test general adcli info functionality before doing this test.
- Your machine should have a valid unique host name. It shouldn't be
localhost
. - You need a domain account that is capable of joining the domain, for example an administrative account.
- If you only have write access to a specific OU in the domain, see More: Organizational Unit below for how to use that.
- These commands should be run as root.
- See More: Different keytab below for an alternative.
How to test
- Remove your host keytab
# test -e /etc/krb5.keytab && mv /etc/krb5.keytab /etc/krb5.keytab.bak
- Use adcli to join the domain:
# adcli join --login-user=Administrator domain.example.com
Expected Results
The join command should prompt for a password and then complete without error.
The join command will take a few seconds. It can take up to a minute in extreme cases where the domain controller for the domain is far away (latency wise).
The host keytab should contain new credentials for the host, like this. The KVNO, computer name, and domain name will differ.
# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 COMPUTER$@DOMAIN.EXAMPLE.COM 3 COMPUTER$@DOMAIN.EXAMPLE.COM 3 COMPUTER$@DOMAIN.EXAMPLE.COM 3 COMPUTER$@DOMAIN.EXAMPLE.COM 3 COMPUTER$@DOMAIN.EXAMPLE.COM 3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM 3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM 3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM 3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM 3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM 3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM 3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM 3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM 3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM 3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM 3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM
You should be able to authenticate using the keytab. You should not be prompted for a password, and no error message, when you run this command:
# kinit -k 'COMPUTER$@DOMAIN.EXAMPLE.COM'
Cleanup
Cleanup after this test case is simple.
# rm -f /etc/krb5.keytab
# adcli delete-computer --domain=domain.example.com <hostname -s>
More: Use precached credentials
- You should be able to precache your kerberos credentials, and use them to join a domain:
# kinit Administrator@DOMAIN.EXAMPLE.COM # adcli join --login-ccache domain.example.com
- You should not be prompted for a password a second time.
More: Different computer name
- Use the
--host-fqdn
and--computer-name
to specify a different computer account name than what is available throughgethostname()
.
# adcli join --host-fqdn=different.example.com \ --computer-name=different domain.example.com
- The keytab thus created will use the specified names.
More: Different keytab
- If you are unable to run the
adcli join
command as root, you can use the following a--host-keytab=/tmp/krb5.keytab
argument to remove that requirement.
$ adcli join --host-keytab=/tmp/krb5.keytab \ --login-user=Administrator domain.example.com
- If you do so, you should also set the environment variable
KRB5_KTNAME=/tmp/krb5.keytab
when checking the results.
More: Organizational Unit
- To create the computer account in a specific Organizational Unit in the domain, use the
--domain-ou
option:
# adcli join --domain-ou=OU=Testing,DC=domain,DC=example,DC=com \ --login-user=Administrator domain.example.com
Troubleshooting
- Use the
--verbose
argument to provide output when troubleshooting or reporting bugs. - In the
kinit
line above, make sure you have the dollar sign, are using the short computer name, and have everything capitalized as expected.