From Fedora Project Wiki

(Add AD IP address to the network line for nameserver (in case the DHCP-assigned resolvers won't find the domain))
(rejig to be AD/FreeIPA agnostic, few other cleanups)
Line 2: Line 2:


{{QA/Test_Case
{{QA/Test_Case
|description=Join the current machine to an Active Directory using Anaconda's kickstart.
|description=This test case tests enrolling a system as a domain client using [[Anaconda/Kickstart]].
|setup=
|setup=
# Make sure you have the required software:
{{Domain server setup}}
#* realmd 0.14.0 or later
{{Domain client enrol software}}
#* adcli 0.7 or later
# Ensure you have a non-live installer image for the Fedora release you wish to test
#* A non-live installer image for the Fedora release you wish to test
# Create a computer account in the domain with a one time password
# Verify that your [[QA:Testcase_Active_Directory_Setup|Active Directory domain access works, or set a domain up]].
#: For Active Directory:
# Precreate a computer account in the domain with a one time password using adcli:
#: {{command|<nowiki>$ adcli preset-computer --one-time-password=MyPassword --domain=dc.example.com anaconda1</nowiki>}}
#: <pre>$ adcli preset-computer --one-time-password=MyPassword --domain=ad.example.com anaconda1</pre>
#: Replace {{command|dc.example.com}} with the correct domain name
#: The computer name above must match the name in the ks.cfg file below.
#: For FreeIPA:
#: Replace your domain name.
#: {{command|<nowiki>ipa host-add anaconda1 --password=MyPassword</nowiki>}}
#: For both, the client hostname ('anaconda1') above must match the name in the ks.cfg file below
# Create a new virtual machine with at least an 8GB disk and 1GB of RAM, using the installer image to boot from
# Create a new virtual machine with at least an 8GB disk and 1GB of RAM, using the installer image to boot from
# Prepare the kickstart file
# Prepare the kickstart file
#: Create a file based on the one below, replacing your domain name into the <code>realm</code> command and the correct Fedora version and architecture into the <code>url</code> command (and making any other adjustments as necessary)
#: Create a file based on the one below, replacing your domain name into the <code>realm</code> command, and making any other adjustments as necessary
#: Upload the kickstart file to your fedorapeople.org account or some other accessible http server (or use another method of kickstart deployment, whatever is most convenient)
#: Upload the kickstart file to an accessible web server (or use another method of kickstart deployment, whatever is most convenient)
<pre>bootloader --location=mbr
<pre>bootloader --location=mbr
network --bootproto=dhcp --nameserver=(AD IP address) --hostname=anaconda1
network --bootproto=dhcp --nameserver=(AD IP address) --hostname=anaconda1
url --url http://download.fedoraproject.org/pub/linux/fedora/linux/development/(version)/(arch)/os/
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
install
install
timezone Europe/Prague
timezone Europe/Prague
Line 25: Line 26:
clearpart --all
clearpart --all
autopart
autopart
realm join --one-time-password=MyPassword ad.example.com
realm join --one-time-password=MyPassword dc.example.com
%packages
%packages
vim
vim
Line 35: Line 36:
# At the Fedora boot loader install prompt, use the arrow keys to select <i>Install Fedora {{FedoraVersionNumber|next}}</i> and press tab.
# At the Fedora boot loader install prompt, use the arrow keys to select <i>Install Fedora {{FedoraVersionNumber|next}}</i> and press tab.
# Add the following to the end of the command line
# Add the following to the end of the command line
#: <pre>inst.ks=http://path/to/the/ks.cfg</pre>
#: {{command|inst.ks<nowiki>=</nowiki>http://path/to/the/ks.cfg}}
#: Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method).
#: You may also need to pass {{command|<nowiki>ip=(static IP)::(gateway IP):(netmask):anaconda1:(interface):off nameserver=(DNS server IP)</nowiki>}} to force use of the correct DNS server, if retrieving the kickstart via the network and DHCP would not use the correct DNS server
# Press enter to boot and run the installation.
#: Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method)
# Press enter to boot and run the installation
|results=
|results=
# The boot should complete without prompting
# The boot should complete without prompting
#: If you watch closely, before install you should see a status line saying that the realm is being discovered
#: If you watch closely, before install you should see a status line saying that the realm is being discovered
#: Again, after installation, you should see a status line joining the domain.
#: Again, after installation, you should see a status line joining the domain
# Reboot the machine after installation
# Reboot the machine after installation
# Log in as root, using the root password in the ks.cfg
# Log in as root, using the root password in the ks.cfg
Line 49: Line 51:
#: Make note of the login format
#: Make note of the login format
# Check that domain accounts can be resolved
# Check that domain accounts can be resolved
#: <pre>getent passwd 'AD\User'</pre>
#: For Active Directory:
#: Make sure to use the quotes around the user name.
#: {{command|getent passwd 'AD\User'}}, making sure to use the quotes around the user name
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
#: For FreeIPA:
#: {{command|getent passwd (user)@(domain)}}, where (user) is a valid user name and (domain) is the FreeIPA domain (e.g. example.com)
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
#: Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
# Check that you have an appropriate entry in your hosts keytab.
# Check that you have an appropriate entry in your hosts keytab: {{command|klist -k}}
#: <pre>sudo klist -k</pre>
# Optionally, move on to [[QA:Testcase_domain_client_authenticate]] to ensure you can log in with a domain account.
# Check that you can use your keytab with kerberos
#: <pre>sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'</pre>
#: Make sure to use quotes around the argument, because of the characters in there. #: Make sure the hostname and domain are capitalized.
#: Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
#: There should be no output from this command.
# Try to log into the machine as a domain account at the console.
#: This should automatically create a new home directory for the user, and log into a shell prompt.
}}
}}
=== More: Try it with FreeIPA ===
Use a FreeIPA domain with kickstart.
Instead of the <code>adcli preset-computer</code> command, use the FreeIPA Web UI to precreate an account with the appropriate name.


== Troubleshooting ==
== Troubleshooting ==


* If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:  
* If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:  
<pre>
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
</pre>
 
* If the <code>adcli preset-computer</code> command above complains about the computer account already existing, you can delete it with a command like this:


<pre>$ adcli delete-computer --domain=ad.example.com anaconda1</pre>
* If the {{command|adcli preset-computer}} command complains about the computer account already existing, you can delete it with {{command|<nowiki>adcli delete-computer --domain=ad.example.com anaconda1</nowiki>}}


[[Category:Active_Directory_Test_Cases]] [[Category:Realmd_Test_Cases]] [[Category:Kickstart_test_cases]]
[[Category:Active_Directory_Test_Cases]] [[Category:Realmd_Test_Cases]] [[Category:Kickstart_test_cases]] [[Category:FreeIPA_Test_Cases]]
[[Category:Server Acceptance Test Cases]]
[[Category:Server Acceptance Test Cases]]

Revision as of 02:25, 25 November 2014

Associated release criterion
This test case is associated with the Basic_Release_Criteria#remote-authentication release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

This test case tests enrolling a system as a domain client using Anaconda/Kickstart.

Setup

  1. Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
    QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
    QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
    QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
  2. Ensure you have the following installed:
    freeipa-client for FreeIPA enrolment
    adcli for Active Directory enrolment
  3. Ensure you have a non-live installer image for the Fedora release you wish to test
  4. Create a computer account in the domain with a one time password
    For Active Directory:
    $ adcli preset-computer --one-time-password=MyPassword --domain=dc.example.com anaconda1
    Replace dc.example.com with the correct domain name
    For FreeIPA:
    ipa host-add anaconda1 --password=MyPassword
    For both, the client hostname ('anaconda1') above must match the name in the ks.cfg file below
  5. Create a new virtual machine with at least an 8GB disk and 1GB of RAM, using the installer image to boot from
  6. Prepare the kickstart file
    Create a file based on the one below, replacing your domain name into the realm command, and making any other adjustments as necessary
    Upload the kickstart file to an accessible web server (or use another method of kickstart deployment, whatever is most convenient)
bootloader --location=mbr
network --bootproto=dhcp --nameserver=(AD IP address) --hostname=anaconda1
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
install
timezone Europe/Prague
lang en_US.UTF-8
clearpart --all
autopart
realm join --one-time-password=MyPassword dc.example.com
%packages
vim
%end
rootpw anaconda

How to test

  1. Start your new virtual machine you prepared above
  2. At the Fedora boot loader install prompt, use the arrow keys to select Install Fedora 42 and press tab.
  3. Add the following to the end of the command line
    inst.ks=http://path/to/the/ks.cfg
    You may also need to pass ip=(static IP)::(gateway IP):(netmask):anaconda1:(interface):off nameserver=(DNS server IP) to force use of the correct DNS server, if retrieving the kickstart via the network and DHCP would not use the correct DNS server
    Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method)
  4. Press enter to boot and run the installation

Expected Results

  1. The boot should complete without prompting
    If you watch closely, before install you should see a status line saying that the realm is being discovered
    Again, after installation, you should see a status line joining the domain
  2. Reboot the machine after installation
  3. Log in as root, using the root password in the ks.cfg
  4. Check if you are joined to the domain 
    realm list
    The domain should be listed
    Make note of the login format
  5. Check that domain accounts can be resolved
    For Active Directory:
    getent passwd 'AD\User', making sure to use the quotes around the user name
    For FreeIPA:
    getent passwd (user)@(domain), where (user) is a valid user name and (domain) is the FreeIPA domain (e.g. example.com)
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell
    Use the login-formats you saw above, to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  6. Check that you have an appropriate entry in your hosts keytab: klist -k
  7. Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.



Troubleshooting

  • If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
  • If the adcli preset-computer command complains about the computer account already existing, you can delete it with adcli delete-computer --domain=ad.example.com anaconda1
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_realmd_join_kickstart&oldid=395614"