From Fedora Project Wiki
(rejig to be AD/FreeIPA agnostic, few other cleanups)
(don't need client enrolment software here...)
Revision as of 02:26, 25 November 2014
Description
This test case tests enrolling a system as a domain client using Anaconda/Kickstart.
Setup
- Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
- QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
- QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
- QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
- Ensure you have a non-live installer image for the Fedora release you wish to test
- Create a computer account in the domain with a one time password
- For Active Directory:
$ adcli preset-computer --one-time-password=MyPassword --domain=dc.example.com anaconda1
- Replace dc.example.com with the correct domain name
- For FreeIPA:
ipa host-add anaconda1 --password=MyPassword
- For both, the client hostname ('anaconda1') above must match the name in the ks.cfg file below
- Create a new virtual machine with at least an 8GB disk and 1GB of RAM, using the installer image to boot from
- Prepare the kickstart file
- Create a file based on the one below, substituting your domain name into the realm command, and making any other adjustments as necessary
- Upload the kickstart file to an accessible web server (or use another method of kickstart deployment, whatever is most convenient)
bootloader --location=mbr
network --bootproto=dhcp --nameserver=(AD IP address) --hostname=anaconda1
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
install
timezone Europe/Prague
lang en_US.UTF-8
clearpart --all
autopart
realm join --one-time-password=MyPassword dc.example.com
%packages
vim
%end
rootpw anaconda
How to test
- Start the new virtual machine you prepared above
- At the Fedora boot loader install prompt, use the arrow keys to select Install Fedora 42 and press tab.
- Add the following to the end of the command line
inst.ks=http://path/to/the/ks.cfg
- You may also need to pass
ip=(static IP)::(gateway IP):(netmask):anaconda1:(interface):off nameserver=(DNS server IP)
to force use of the correct DNS server, if retrieving the kickstart via the network and DHCP would not use the correct DNS server
- Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method)
- Press enter to boot and run the installation
Expected Results
- The boot should complete without prompting
- If you watch closely, before install you should see a status line saying that the realm is being discovered
- Again, after installation, you should see a status line saying that the domain is being joined
- Reboot the machine after installation
- Log in as root, using the root password in the ks.cfg
- Check if you are joined to the domain
realm list
- The domain should be listed
- Make note of the login format
- Check that domain accounts can be resolved
- For Active Directory, making sure to use the quotes around the user name:
getent passwd 'AD\User'
- For FreeIPA, where (user) is a valid user name and (domain) is the FreeIPA domain (e.g. example.com):
getent passwd (user)@(domain)
- You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory and a shell
- Use the login-formats you saw above to build a remote user name. It will be in the form of DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
- Check that you have an appropriate entry in your hosts keytab:
klist -k
- Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.
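The checks above (realm list, the login format, getent and klist -k) can be scripted. The following is an added example, not part of the original test case: the function names are hypothetical, and the sample realm list and klist -k outputs are constructed.

```shell
#!/bin/sh
# Added example. Both sample outputs below are constructed.
SAMPLE_REALM_LIST='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: AD\%U
  login-policy: allow-realm-logins'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/anaconda1.ad.example.com@AD.EXAMPLE.COM'

# Print the value of one "name: value" field from `realm list` output on stdin.
realm_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Succeed only if the output describes a configured (joined) realm.
# `realm list` prints nothing when the machine is not joined.
is_joined() {
    state=$(realm_field configured)
    [ -n "$state" ] && [ "$state" != "no" ]
}

# Expand %U in the login-formats field into a name usable with getent.
login_name() {
    fmt=$(realm_field login-formats)
    case $fmt in
        *%U*) ;;
        *) return 1 ;;
    esac
    prefix=${fmt%%%U*}   # text before the first %U
    suffix=${fmt#*%U}    # text after the first %U
    printf '%s\n' "$prefix$1$suffix"
}

# Succeed if `klist -k` output on stdin holds a host/ principal in realm $1.
has_host_key() {
    grep -q "^ *[0-9][0-9]* host/[^@]*@$1\$"
}

# On an enrolled client:
#   realm list | is_joined && getent passwd "$(realm list | login_name User)"
#   klist -k | has_host_key "$(realm list | realm_field realm-name)"
printf '%s\n' "$SAMPLE_REALM_LIST" | login_name User
```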
Troubleshooting
- If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
- If the adcli preset-computer command complains about the computer account already existing, you can delete it with
adcli delete-computer --domain=ad.example.com anaconda1