From Fedora Project Wiki

Revision as of 17:39, 14 February 2011 by Jcholast (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Description

Client enrollment testing.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
  3. This requires a separate client machine from the IPA server machine.

How to test

First create a user for the test: 

# kinit admin
# ipa user-add psmith --first=Patty --last=Smith
# ipa passwd psmith

Enrolling Client Using admin Credentials

Run from a newly installed machine other than the IPA server, logged in as root: 

# /sbin/ifconfig eth0

On the ipa server, run this command to add the new host's dns A record. Replace the IP address 10.10.10.10 with the address from the ifconfig line listed above. 

# kinit admin
# ipa dnsrecord-add ipa.example.com client1 --a-rec=10.10.10.10

On the client machine, install the ipa-client. 

# yum install freeipa-client freeipa-admintools
# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p admin

Expected result: install script should prompt the user an Enrollment password, use the admin Kerberos password:

Confirm: that the user the user list is fetched from the IPA server 

# getent passwd psmith

expected result: 

# psmith:x:0:0:psmith:/home/psmith:/bin/bash

Confirm IPA client setup

# kinit admin

Expected result: prompted for admin password for ipa server 

# ipa-user-find psmith

Expected result: the record for the user psmith created as a prerequisite

Confirm auth mechanism 

# ssh psmith@localhost

You should be prompted for the password of psmith, and then immediately required to change it.

confirm Kerberos setup: 

$ klist

Expected result:  a line comparable to the line below 

$ 02/08/11 11:45:39  02/08/11 21:45:39  krbtgt/SERVERNAMEM@SERVERNAME

Confirm home directory creation: 

$ ls

expected result: 

$ /home/psmith

Enrolling Client Using Delegated Credentials

A role can be created that has the rights to enroll a client machine.

Create the Role

On the IPA server, create the role, add the privilege, then add our user to this role: 

# ipa role-add --desc='Users who can enroll hosts' 'Enrollment Administrator'
# ipa role-add-privilege --privileges='Host Enrollment' 'enrollment administrator'
# ipa role-add-member --users=psmith 'enrollment administrator'
# ipa user-show psmith

Confirm that the user is in the role in the user-show output: 

 Roles: enrollment administrator

Prepare the client machine

If you are going to use the same client machine as in the previous step uninstall the IPA client with: 

# ipa-client-install --uninstall -U

This should restore the configuration to its previous state. You can confirm with: 

# getent passwd psmith

The user should be not found.

If you are using a new machine then install the IPA client program: 

# yum install freeipa-client freeipa-admintools

In either case, destroy any Kerberos credentials there may be: 

# kdestroy

Enroll as a delegated user

Install the client: 

# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p psmith

When prompted for an Enrollment password use psmith's password.

Expected result: a properly installed client

Confirm with: 

# getent passwd psmith

# ipa user-show psmith

Enrolling Client Using Bulk Credentials

If you want a way to enroll a host without kerberos credentials you can pre-create the host and set a One-Time Password (OTP) on that host. This password can then be used to enroll the host.

The same pre-requisites apply.

Prepare the Client

If you are going to use the same client machine as the previous step or steps first unconfigure the client: 

# ipa-client-install --uninstall -U

Create the Client Host entry

On the server we need to create the host entry we're going to enroll.

First remove any existing entry there might be: 

# ipa host-del client.ipa.example.com

Now create the host entry: 

# ipa host-add --random client.ipa.example.com

We added the IP address of this client earlier so you shouldn't get a DNS error about A records.

The output of this will contain a random password. Save a copy of this, we'll need it later.

Enroll the Client with a Bulk password

Now on the client machine run the IPA client installer and pass in the bulk password created in the previous step: 

# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -W

The installer should exit without error.

Test things out: 

# getent passwd psmith
# kinit admin
# ipa user-show admin

Expected Results

All the test steps should end with the specified results.



Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_freeipav2_client_enrollment&oldid=221102"