From Fedora Project Wiki
Description
This test case tests enrolling a system as a domain client using Anaconda/Kickstart.
Setup
- Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
- QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
- QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
- QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
- Ensure you have a non-live installer image for the Fedora release you wish to test
- Create a computer account in the domain with a one time password
- For Active Directory:
$ adcli preset-computer --one-time-password=MyPassword --domain=dc.example.com anaconda1
- Replace dc.example.com with the correct domain name
- For FreeIPA:
ipa host-add anaconda1 --password=MyPassword
- For both, the client hostname ('anaconda1') above must match the name in the ks.cfg file below
- Create a new virtual machine with at least an 8GB disk and 1GB of RAM, using the installer image to boot from
- Prepare the kickstart file
- Create a file based on the one below, substituting your domain name in the realm command and making any other adjustments as necessary:
bootloader --location=mbr
network --device=eth0 --bootproto=static --ip=<static_ip_address> --netmask=<netmask> --gateway=<gateway_ip> --nameserver=<AD IP address> --hostname=anaconda1
url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
install
timezone Europe/Prague
lang en_US.UTF-8
clearpart --all
autopart
realm join --one-time-password=MyPassword dc.example.com
%packages
vim
%end
rootpw anaconda
- Upload the kickstart file to an accessible web server (or use another method of kickstart deployment, whatever is most convenient)
How to test
- Start the virtual machine you prepared above
- At the Fedora boot loader install prompt, use the arrow keys to select Install Fedora 42 and press tab.
- Add the following to the end of the command line
inst.ks=http://path/to/the/ks.cfg
- You may also need to pass
ip=(static IP)::(gateway IP):(netmask):anaconda1:(interface):off nameserver=(DNS server IP)
to force use of the correct DNS server, if retrieving the kickstart via the network and DHCP would not use the correct DNS server
- Make sure to use the full path to the location you uploaded your custom ks.cfg file (or adjust as necessary for any other kickstart deployment method)
- Press enter to boot and run the installation
Expected Results
- The boot should complete without prompting
- If you watch closely, before install you should see a status line saying that the realm is being discovered
- Again, after installation, you should see a status line joining the domain
- Reboot the machine after installation
- Check that the domain is now configured:
realm list
- Make sure the domain is listed
- Make sure you have a configured: kerberos-member line in the output
- Check that you can resolve domain accounts on the local computer
- For Active Directory:
getent passwd 'DOMAIN\User'
(DOMAIN is the netbios name, usually the first portion of the domain name, e.g. AD or SAMDOM; make sure to use the single quotes)
- For FreeIPA:
getent passwd admin@domain
(domain is the fully-qualified FreeIPA domain name, e.g. example.ipa)
- You should see an output line that looks like passwd output. It should contain an appropriate home directory and a shell
- Check that you have an appropriate entry in your host's keytab:
su -c 'klist -k'
- You should see several lines with your host name. For example
1 host/$hostname$@FQDN
- Check that you can use your keytab with kerberos:
su -c 'kinit -k (principal)'
- Replace (principal) with the principal from the output of the klist command above. Use the one with the domain capitalized and that looks like host/hostname@DOMAIN (FreeIPA) or TRUNCATED_HOSTNAME$@DOMAIN (Active Directory)
- There should be no output from this command
- If you are testing FreeIPA and have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section
- If you are testing Active Directory and have console access to the domain controller, you can use the Active Directory Users and Computers tool to see that the computer account was created under the Computers section
- Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.
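The realm and keytab checks above can be scripted so that a run passes or fails without reading the output by eye. The following is an added example, not part of the original test case: the function names and the sample output (for a hypothetical FreeIPA domain example.ipa) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: check saved `realm list` / `klist -k` output.

# realm_is_member DOMAIN  (reads `realm list` output on stdin)
# Succeeds only if the stanza for DOMAIN reports "configured: kerberos-member".
realm_is_member() {
    awk -v want="$1" '
        /^[^ \t]/ { cur = $1 }                      # unindented line opens a realm stanza
        cur == want && $1 == "configured:" { state = $2 }
        END { exit (state == "kerberos-member" ? 0 : 1) }
    '
}

# keytab_has_machine_principal  (reads `klist -k` output on stdin)
# Accepts host/name@REALM (FreeIPA) or NAME$@REALM (Active Directory) entries.
keytab_has_machine_principal() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 ~ /^host\/.+@.+$/ || $2 ~ /^[^@]+\$@.+$/) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample output (hypothetical FreeIPA domain example.ipa).
SAMPLE_REALM_JOINED='example.ipa
  type: kerberos
  realm-name: EXAMPLE.IPA
  domain-name: example.ipa
  configured: kerberos-member
  server-software: ipa
  client-software: sssd'
SAMPLE_REALM_UNJOINED='example.ipa
  type: kerberos
  realm-name: EXAMPLE.IPA
  domain-name: example.ipa
  configured: no'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/anaconda1.example.ipa@EXAMPLE.IPA'

# Demo on the constructed samples; on a real client pipe the live commands in,
# e.g.  realm list | realm_is_member example.ipa
printf '%s\n' "$SAMPLE_REALM_JOINED" | realm_is_member example.ipa && echo "realm: joined"
printf '%s\n' "$SAMPLE_REALM_UNJOINED" | realm_is_member example.ipa || echo "realm: not joined"
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_machine_principal && echo "keytab: machine principal present"
```

Matching on the stanza for the expected domain, not just on any kerberos-member line, catches a client that was joined to a different realm than the one under test.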
Troubleshooting
- If the domain is not resolvable by the DHCP/DNS server used by the virtual machine's virtual switch, you can configure network settings directly in the kickstart file using the "network" keyword. For example:
network --bootproto=static --ip=<vm-static-ip-address> --netmask=<vm-netmask> --gateway=<vm-gateway> --nameserver=<ad-dns-server-ip-address> --hostname=anaconda1
- If the adcli preset-computer command complains about the computer account already existing, you can delete it with:
adcli delete-computer --domain=ad.example.com anaconda1