From Fedora Project Wiki

(Initial draft)
 
mNo edit summary
 
(2 intermediate revisions by one other user not shown)
Line 4: Line 4:
# For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.
# For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.
|actions=
|actions=
#### Create a server
=== Create a server ===


Create an IPA server as described in  
Create an IPA server as described in [[QA:Testcase_freeipav3_installation]].
For the rest of test case, we will refer to it as server.example.com
For the rest of test case, we will refer to it as server.example.com


#### Prepare the client
=== Prepare the client ===


### Backup the client machine
==== Backup the client machine ====


Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).
Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).


### Enroll the client machine
==== Enroll the client machine ====


Now enroll the client to the server as described in
Now enroll the client to the server as described in [[QA:Testcase_freeipav3_installation]].
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation#Add_a_client


#### Re-enrollment using admin's credentials
=== Re-enrollment using admin's credentials ===


### Restore the client machine from the backup
==== Restore the client machine from the backup ====


Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Using your preferred method of backup, restore the client machine back to pre-enrollment state.


### Re-enroll the client
==== Re-enroll the client ====


First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.


# ssh server.example.com
# ssh server.example.com
# ipa host-show client.example.com
# ipa host-show client.example.com


You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
Line 37: Line 36:
Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified.
Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified.


# ssh client.example.com
# ssh client.example.com
# yum install freeipa-client
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U


#### Re-enrollment using backed-up keytab
=== Re-enrollment using backed-up keytab ===


### Back up keytab file
==== Back up keytab file ====


Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine)
Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine)


# scp /etc/krb5.keytab server.example.com:/root/client.keytab
# scp /etc/krb5.keytab server.example.com:/root/client.keytab


### Restore the client machine from the backup
==== Restore the client machine from the backup ====


Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Using your preferred method of backup, restore the client machine back to pre-enrollment state.


### Copy the keytab file back to the client
==== Copy the keytab file back to the client ====


Copy the client keytab file back from the secure location to the client machine.
Copy the client keytab file back from the secure location to the client machine.


# ssh server.example.com
# ssh server.example.com
# scp client.keytab client.example.com:/root/client.keytab
# scp client.keytab client.example.com:/root/client.keytab


### Re-enroll the client
=== Re-enroll the client ===


First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.


# ssh server.example.com
# ssh server.example.com
# ipa host-show client.example.com
# ipa host-show client.example.com


You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
Line 71: Line 70:
Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified.
Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified.


# ssh client.example.com
# ssh client.example.com
# yum install freeipa-client
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U
# ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U


|results=
|results=
All the test steps should end with the specified results.
All the test steps should end with the specified results.
}}
}}
[[Category:FreeIPA_Test_Cases]]

Latest revision as of 06:50, 9 May 2013

Description

Test client re-enrollment using admin's credentials and backed up keytab.

Setup

  1. For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.

How to test

Create a server

Create an IPA server as described in QA:Testcase_freeipav3_installation. For the rest of test case, we will refer to it as server.example.com

Prepare the client

Backup the client machine

Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).

Enroll the client machine

Now enroll the client to the server as described in QA:Testcase_freeipav3_installation.

Re-enrollment using admin's credentials

Restore the client machine from the backup

Using your preferred method of backup, restore the client machine back to pre-enrollment state.

Re-enroll the client

First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. 

# ssh server.example.com
# ipa host-show client.example.com

You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified. 

# ssh client.example.com
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U

Re-enrollment using backed-up keytab

Back up keytab file

Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine) 

# scp /etc/krb5.keytab server.example.com:/root/client.keytab

Restore the client machine from the backup

Using your preferred method of backup, restore the client machine back to pre-enrollment state.

Copy the keytab file back to the client

Copy the client keytab file back from the secure location to the client machine. 

# ssh server.example.com
# scp client.keytab client.example.com:/root/client.keytab

Re-enroll the client

First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. 

# ssh server.example.com
# ipa host-show client.example.com

You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified. 

# ssh client.example.com
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U

Expected Results

All the test steps should end with the specified results.

Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_freeipav3_client_reenrollment&oldid=336237"