From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description=Test that the IPA server can be installed |setup= <ol> <li>For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for ...")
 
(use freeipa-server group, ditch manual bind install)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Associated_release_criterion|Basic|freeipa-server-requirements}}
{{QA/Test_Case
{{QA/Test_Case
|description=Test that the IPA server can be installed
|description=Test that the IPA server can be installed
Line 5: Line 7:
<li>For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
<li>For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
<li>Make sure <code>/etc/hosts</code> is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.</li>
<li>Make sure <code>/etc/hosts</code> is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.</li>
<li>In the following text, we assume that the IPA server name is srv.ipa.example.org and the realm is IPA.EXAMPLE.ORG</li>
<li>If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ''ipa.example.org'' and ''ad.example.org''</li>
<li>If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ''ipa.example.org'' and ''ad.example.org''</li>
</ol>
</ol>
Line 12: Line 15:
First, install the FreeIPA server package:
First, install the FreeIPA server package:


  # yum install freeipa-server
  # dnf groupinstall freeipa-server


==== With DNS ====
==== With DNS ====
Line 18: Line 21:
We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating ''/etc/resolv.conf'').
We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating ''/etc/resolv.conf'').


# yum install bind bind-dyndb-ldap
  # ipa-server-install --setup-dns
  # ipa-server-install --setup-dns


Or with all options on the command-line:
Or with all options on the command-line:


  # ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U
  # ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U


Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
Line 35: Line 37:
You can optionally provide all options on the command-line:
You can optionally provide all options on the command-line:


  # ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org -U
  # ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org -U


==== Verify the basics ====
==== Verify the basics ====
Line 53: Line 55:
  # id admin
  # id admin
  # getent passwd admin
  # getent passwd admin
==== Verify the server_mode ====
Starting with version 3.3, the SSSD running on the server operates in a special mode, denoted with <code>ipa_server_mode</code> directive set in the config file. Verify it has been set:
# grep server_mode /etc/sssd/sssd.conf
ipa_server_mode = True


==== Verify DNS ====
==== Verify DNS ====
Line 58: Line 67:
Verify these only if you installed with a DNS server.
Verify these only if you installed with a DNS server.


  # dig srv1.ipa.example.org.
  # dig srv.ipa.example.org.


Look for a line like this in the output:
Look for a line like this in the output:


  srv1.ipa.example.org.      86400  IN      A      192.168.0.1
  srv.ipa.example.org.      86400  IN      A      192.168.0.1


  # host srv1.ipa.example.org
  # host srv.ipa.example.org
  srv1.ipa.example.org has address 192.168.0.1
  srv.ipa.example.org has address 192.168.0.1


  # ipa dns-resolve srv1.ipa.example.org
  # ipa dns-resolve srv.ipa.example.org
  ---------------------------
  ---------------------------
  Found 'srv1.ipa.example.org.'
  Found 'srv.ipa.example.org.'
  ---------------------------
  ---------------------------


  # ipa host-show srv1.ipa.example.org
  # ipa host-show srv.ipa.example.org
   Host name: srv1.ipa.example.org
   Host name: srv.ipa.example.org
   Principal name: host/srv1.ipa.example.org@IPA.EXAMPLE.ORG
   Principal name: host/srv.ipa.example.org@IPA.EXAMPLE.ORG
   Keytab: True
   Keytab: True
   Managed by: srv1.ipa.example.org
   Managed by: srv.ipa.example.org


=== Configure the Firewall ===
=== Configure the Firewall ===
New Fedora 19 systems have [[FirewallD]] enabled by default, you may want to either open all ports required by FreeIPA server or disable the Firewall for the test and flush iptables rules so that clients do not have issues connecting FreeIPA server:
To open all ports typically required for FreeIPA using firewalld, run these commands:
 
# systemctl stop firewalld.service
# systemctl disable firewalld.service
# iptables -F
 
=== Client testing ===
==== Add a client ====
 
If you have more than two machines, install a client or a replica.
If you have installed DNS, edit /etc/resolv.conf and add the FreeIPA server as a nameserver.
 
# yum install freeipa-client
# ipa-client-install
 
Or with all options on the command-line.
 
# yum install freeipa-client
# ipa-client-install --domain=ipa.example.org --server=srv1.ipa.example.org -p admin -w Secret123 -U
 
Verify that nss can see us:
 
# id admin
# getent passwd admin
 
With the {{package|freeipa-admintools}} package, you can test installation using the ipa command:
 
# yum install freeipa-admintools
# kinit admin
# ipa user-show admin
 
==== Remove a client ====
 
When you are done with a client, you can uninstall it:
 
# ipa-client-install --uninstall
 
The uninstallation should complete with no errors. To verify that uninstallation was successful, install the client again.
 
=== Uninstallation ===
 
FreeIPA provides a way to uninstall the configured services and it does its best to return the system to its previous state. To run the FreeIPA server uninstaller execute:
 
# ipa-server-install --uninstall -U


==== Verify uninstallation ====
# for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done
 
  # systemctl restart firewalld.service
Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.
 
To verify that the server is in a state where it can be re-installed re-run ipa-server-install:
 
  # ipa-server-install


If something failed in the un-installation you would get an error message that the server is already installed/configured.
=== Further tests ===
After completing this test it would be a good idea, if you have extra test systems, to test [[QA:Testcase_freeipa_replication|installing a replica server]] and installing clients via [[QA:Testcase_realmd_join_sssd|the realm CLI]], [[QA:Testcase_realmd_join_kickstart|kickstart]] and/or [[QA:Testcase realmd join cockpit|cockpit]].


|results=
|results=
Line 139: Line 101:


[[Category:FreeIPA_Test_Cases]]
[[Category:FreeIPA_Test_Cases]]
[[Category:Server Acceptance Test Cases]]

Latest revision as of 21:30, 3 August 2018

Associated release criterion
This test case is associated with the Basic_Release_Criteria#freeipa-server-requirements release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

Test that the IPA server can be installed

Setup

  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. Make sure /etc/hosts is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
  3. In the following text, we assume that the IPA server name is srv.ipa.example.org and the realm is IPA.EXAMPLE.ORG
  4. If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ipa.example.org and ad.example.org

How to test

Installation

First, install the FreeIPA server package:

# dnf groupinstall freeipa-server

With DNS

We highly recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).

# ipa-server-install --setup-dns

Or with all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U

Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.

Without DNS

For a fully-interactive install run:

# ipa-server-install

You can optionally provide all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv.ipa.example.org -U

Verify the basics

Ideally each of these installation steps will finish with no errors and will yield a running set of IPA services.

To briefly test the installation:

# kinit admin  # (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify the server_mode

Starting with version 3.3, the SSSD running on the server operates in a special mode, denoted with ipa_server_mode directive set in the config file. Verify it has been set:

# grep server_mode /etc/sssd/sssd.conf 
ipa_server_mode = True

Verify DNS

Verify these only if you installed with a DNS server.

# dig srv.ipa.example.org.

Look for a line like this in the output:

srv.ipa.example.org.      86400   IN      A       192.168.0.1
# host srv.ipa.example.org
srv.ipa.example.org has address 192.168.0.1
# ipa dns-resolve srv.ipa.example.org
---------------------------
Found 'srv.ipa.example.org.'
---------------------------
# ipa host-show srv.ipa.example.org
  Host name: srv.ipa.example.org
  Principal name: host/srv.ipa.example.org@IPA.EXAMPLE.ORG
  Keytab: True
  Managed by: srv.ipa.example.org

Configure the Firewall

To open all ports typically required for FreeIPA using firewalld, run these commands:

# for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done
# systemctl restart firewalld.service

Further tests

After completing this test it would be a good idea, if you have extra test systems, to test installing a replica server and installing clients via the realm CLI, kickstart and/or cockpit.

Expected Results

All the test steps should end with the specified results.