From Fedora Project Wiki

(Initial test case page)
 
(Add further tests)
Line 7: Line 7:
# Your machine should have a valid unique host name. It shouldn't be <code>localhost</code>.
# Your machine should have a valid unique host name. It shouldn't be <code>localhost</code>.
# You need a domain account that is capable of joining the domain, for example an administrative account.
# You need a domain account that is capable of joining the domain, for example an administrative account.
# These commands should be run as root (see <em>Troubleshooting</em> for an alternative).
# These commands should be run as root (see <em>More: Different keytab</em> below for an alternative).


|actions=
|actions=
Line 53: Line 53:
</pre>
</pre>
}}
}}
=== More: Use precached credentials ===
* You should be able to precache your kerberos credentials, and use them to join a domain:
<pre># kinit Administrator@DOMAIN.EXAMPLE.COM
# adcli join --login-ccache domain.example.com</pre>
* You should not be prompted for a password a second time.
=== More: Different computer name ===
* Use the <code>--host-fqdn</code> and <code>--computer-name</code> to specify a different computer account name than what is available through <code>gethostname()</code>.
<pre># adcli join --host-fqdn=different.example.com --computer-name=different domain.example.com</pre>
* The keytab thus created will use the specified names.
=== More: Different keytab ===
* If you are unable to run the <code>adcli join</code> command as root, you can use the following a <code>--host-keytab=/tmp/krb5.keytab</code> argument to remove that requirement.
<pre>$ adcli join --host-keytab=/tmp/krb5.keytab --login-user=Administrator domain.example.com</pre>
* If you do so, you should also set the environment variable <code>KRB5_KTNAME=/tmp/krb5.keytab</code> when checking the results.


== Troubleshooting ==
== Troubleshooting ==


* Use the <code>--verbose</code> argument to provide output when troubleshooting or reporting bugs.
* Use the <code>--verbose</code> argument to provide output when troubleshooting or reporting bugs.
* If you are unable to run the <code>adcli join</code> command as root, you can use the following a <code>--host-keytab=/tmp/krb5.keytab</code> argument to remove that requirement. If you do so, you should also set the environment variable <code>KRB5_KTNAME=/tmp/krb5.keytab</code> when checking the results.


[[Category:Certificate_Trust_Test_Cases]]
[[Category:Certificate_Trust_Test_Cases]]

Revision as of 16:07, 9 April 2013

Description

This test case verifies that adcli join works with basic options.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. It is necessary to have complete domain DNS resolution working for this test.
  3. Test general adcli info functionality before doing this test.
  4. Your machine should have a valid unique host name. It shouldn't be localhost.
  5. You need a domain account that is capable of joining the domain, for example an administrative account.
  6. These commands should be run as root (see More: Different keytab below for an alternative).

How to test

  1. Remove your host keytab
    # test -e /etc/krb5.keytab && mv /etc/krb5.keytab /etc/krb5.keytab.bak
  2. Use adcli to join the domain:
    # adcli join --login-user=Administrator domain.example.com

Expected Results

The join command should prompt for a password and then complete without error.

The join command will take a few seconds. It can take up to a minute in extreme cases where the domain controller for the domain is far away (latency wise).

The host keytab should contain new credentials for the host, like this. The KVNO, computer name, and domain name will differ.

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 COMPUTER$@DOMAIN.EXAMPLE.COM
   3 COMPUTER$@DOMAIN.EXAMPLE.COM
   3 COMPUTER$@DOMAIN.EXAMPLE.COM
   3 COMPUTER$@DOMAIN.EXAMPLE.COM
   3 COMPUTER$@DOMAIN.EXAMPLE.COM
   3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM
   3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM
   3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM
   3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM
   3 HOST/COMPUTER@DOMAIN.EXAMPLE.COM
   3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/computer.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/COMPUTER@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/computer.example.com@DOMAIN.EXAMPLE.COM



More: Use precached credentials

  • You should be able to precache your kerberos credentials, and use them to join a domain:
# kinit Administrator@DOMAIN.EXAMPLE.COM
# adcli join --login-ccache domain.example.com
  • You should not be prompted for a password a second time.

More: Different computer name

  • Use the --host-fqdn and --computer-name to specify a different computer account name than what is available through gethostname().
# adcli join --host-fqdn=different.example.com --computer-name=different domain.example.com
  • The keytab thus created will use the specified names.

More: Different keytab

  • If you are unable to run the adcli join command as root, you can use the following a --host-keytab=/tmp/krb5.keytab argument to remove that requirement.
$ adcli join --host-keytab=/tmp/krb5.keytab --login-user=Administrator domain.example.com
  • If you do so, you should also set the environment variable KRB5_KTNAME=/tmp/krb5.keytab when checking the results.

Troubleshooting

  • Use the --verbose argument to provide output when troubleshooting or reporting bugs.