From Fedora Project Wiki

Revision as of 11:48, 11 April 2013 by Tbabej (talk | contribs) (Initial draft)

Description

Test client re-enrollment using admin's credentials and backed up keytab.

Setup

  1. For this test, you'll need at least 2 machines. You should be able to restore at least one of them from a backup.

How to test

        1. Create a server

Create an IPA server as described in For the rest of the test case, we will refer to it as server.example.com.

        2. Prepare the client
      1. Back up the client machine

Create a backup of your client machine. This can be either a traditional full-disk backup or a snapshot. The ability to recreate the host using kickstart is also sufficient (the hostname needs to be preserved).

      2. Enroll the client machine

Now enroll the client to the server as described in https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation#Add_a_client

        3. Re-enrollment using admin's credentials
      1. Restore the client machine from the backup

Using your preferred method of backup, restore the client machine to its pre-enrollment state.

      2. Re-enroll the client

First, we verify that the client host entry is not disabled on the server. This would have happened if we had used ipa-client-install --uninstall to unenroll the client.

  1. ssh server.example.com
  2. ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, and the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --force-join option is specified.

  1. ssh client.example.com
  2. yum install freeipa-client
  3. ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U

        4. Re-enrollment using backed-up keytab
      1. Back up keytab file

Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine).

  1. scp /etc/krb5.keytab server.example.com:/root/client.keytab

      2. Restore the client machine from the backup

Using your preferred method of backup, restore the client machine to its pre-enrollment state.

      3. Copy the keytab file back to the client

Copy the client keytab file back from the secure location to the client machine.

  1. ssh server.example.com
  2. scp client.keytab client.example.com:/root/client.keytab

      4. Re-enroll the client

First, we verify that the client host entry is not disabled on the server. This would have happened if we had used ipa-client-install --uninstall to unenroll the client.

  1. ssh server.example.com
  2. ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, and the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --keytab option is specified.

  1. ssh client.example.com
  2. yum install freeipa-client
  3. ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U
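
The two checks the keytab procedure relies on (host entry still shows Keytab: True, and the keytab copy is kept private) can be scripted before running ipa-client-install. This is an added example, not part of the original test case; the function names, return codes and sample host-show text are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: pre-flight checks for `ipa-client-install --keytab`.
# SAMPLE_HOST_SHOW is constructed for illustration, not captured output.
SAMPLE_HOST_SHOW='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: client.example.com'

# Read `ipa host-show` text on stdin and print the value of its "Keytab:"
# field (True/False), or "missing" when the field is absent.
host_keytab_flag() {
    awk -F': *' '
        $1 ~ /^[ \t]*Keytab$/ { sub(/[ \t\r]+$/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Succeed only if FILE is a non-empty regular file with no group/other
# permission bits; the keytab holds the host's long-term Kerberos keys.
keytab_perms_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# reenroll_precheck HOST KEYTAB, with `ipa host-show HOST` output on stdin.
# Returns 0 if re-enrollment can proceed, 2 if the host entry looks
# disabled, 3 if the keytab copy is unusable or too widely readable.
reenroll_precheck() {
    flag=$(host_keytab_flag)
    if [ "$flag" != "True" ]; then
        echo "$1: Keytab is '$flag' on the server, expected True" >&2
        return 2
    fi
    if ! keytab_perms_ok "$2"; then
        echo "$2: missing, empty, or accessible to group/other" >&2
        return 3
    fi
    echo "ok: $1 can be re-enrolled with --keytab $2"
}

# Intended use on the restored client (needs a valid admin ticket on the server):
#   ssh server.example.com ipa host-show client.example.com |
#       reenroll_precheck client.example.com /root/client.keytab &&
#   ipa-client-install --domain=example.com --server=server.example.com \
#       --keytab /root/client.keytab -U
```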

Expected Results

All the test steps should end with the specified results.