Description
Client enrollment testing.
Setup
- Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
- Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
- This requires a separate client machine from the IPA server machine.
How to test
First create a user for the test:
# kinit admin
# ipa user-add psmith --first=Patty --last=Smith
# ipa passwd psmith
Enrolling Client Using admin Credentials
Run from a newly installed machine other than the IPA server, logged in as root:
# /sbin/ifconfig eth0
On the IPA server, run this command to add the new host's DNS A record. Replace the IP address 10.10.10.10 with the address from the ifconfig output above.
# kinit admin
# ipa dnsrecord-add ipa.example.com client1 --a-rec=10.10.10.10
On the client machine, install the ipa-client.
# yum install freeipa-client freeipa-admintools
# ipa-client-install --mkhomedir --server server.ipa.example.com \
    --domain ipa.example.com -p admin
Expected result: the install script should prompt for an Enrollment password; use the admin Kerberos password.
Confirm that the user list is fetched from the IPA server:
# getent passwd psmith
Expected result:
# psmith:x:0:0:psmith:/home/psmith:/bin/bash
Confirm IPA client setup
# kinit admin
Expected result: you are prompted for the admin password for the IPA server
# ipa user-find psmith
Expected result: the record for the user psmith created as a prerequisite
Confirm auth mechanism
# ssh psmith@localhost
You should be prompted for the password of psmith, and then immediately required to change it.
Confirm Kerberos setup:
$ klist
Expected result: a line comparable to the line below
$ 02/08/11 11:45:39 02/08/11 21:45:39 krbtgt/SERVERNAMEM@SERVERNAME
Confirm home directory creation:
$ ls
Expected result:
$ /home/psmith
Enrolling Client Using Delegated Credentials
A role can be created that has the rights to enroll a client machine.
Create the Role
On the IPA server, create the role, add the privilege, then add our user to this role:
# ipa role-add --desc='Users who can enroll hosts' 'Enrollment Administrator'
# ipa role-add-privilege --privileges='Host Enrollment' 'enrollment administrator'
# ipa role-add-member --users=psmith 'enrollment administrator'
# ipa user-show psmith
Confirm that the user is in the role in the user-show output:
Roles: enrollment administrator
Prepare the client machine
If you are going to use the same client machine as in the previous step, uninstall the IPA client with:
# ipa-client-install --uninstall -U
This should restore the configuration to its previous state. You can confirm with:
# getent passwd psmith
The user should not be found.
If you are using a new machine then install the IPA client program:
# yum install freeipa-client freeipa-admintools
In either case, destroy any Kerberos credentials there may be:
# kdestroy
Enroll as a delegated user
Install the client:
# ipa-client-install --mkhomedir --server server.ipa.example.com \
    --domain ipa.example.com -p psmith
When prompted for an Enrollment password, use psmith's password.
Expected result: a properly installed client
Confirm with:
# getent passwd psmith
# ipa user-show psmith
Enrolling Client Using Bulk Credentials
If you want a way to enroll a host without Kerberos credentials, you can pre-create the host and set a One-Time Password (OTP) on that host. This password can then be used to enroll the host.
The same prerequisites apply.
Prepare the Client
If you are going to use the same client machine as in the previous step or steps, first unconfigure the client:
# ipa-client-install --uninstall -U
Create the Client Host entry
On the server we need to create the host entry we're going to enroll.
First remove any existing entry there might be:
# ipa host-del client.ipa.example.com
Now create the host entry:
# ipa host-add --random client.ipa.example.com
We added the IP address of this client earlier so you shouldn't get a DNS error about A records.
The output of this command will contain a random password. Save a copy of it; we'll need it later.
Enroll the Client with a Bulk password
Now on the client machine run the IPA client installer and pass in the bulk password created in the previous step:
# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -W
The installer should exit without error.
Test things out:
# getent passwd psmith
# kinit admin
# ipa user-show admin
Expected Results
All the test steps should end with the specified results.
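The confirmation steps in this test case can be checked by script rather than by eye. The following is an added example, not part of the original test case: three shell functions that evaluate captured getent, klist and ipa user-show output. The function names, the sample output and the realm IPA.EXAMPLE.COM are assumptions made for illustration.

```shell
#!/bin/sh
# Each check takes captured command output as text, so it runs offline; on an
# enrolled client pass "$(getent passwd psmith)", "$(klist)", and so on.

# passwd_entry_ok LINE USER HOME: a seven-field passwd line for USER whose
# home directory field is HOME. Empty input (user not found) fails.
passwd_entry_ok() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v h="$3" '
        NF == 7 && ($1 "") == (u "") && ($6 "") == (h "") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# has_tgt KLIST_OUTPUT REALM: some field is exactly krbtgt/REALM@REALM.
has_tgt() {
    printf '%s\n' "$1" | awk -v p="krbtgt/$2@$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# has_role USER_SHOW_OUTPUT ROLE: the "Roles:" line lists ROLE as a whole
# comma-separated item. Compared case-insensitively because the role is
# created as "Enrollment Administrator" and shown in lower case.
has_role() {
    printf '%s\n' "$1" | awk -v r="$2" '
        /^[ \t]*Roles:/ {
            sub(/^[ \t]*Roles:[ \t]*/, ""); sub(/[ \t]+$/, "")
            n = split($0, items, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (tolower(items[i]) == tolower(r)) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample output (the realm IPA.EXAMPLE.COM is an assumption).
SAMPLE_PASSWD='psmith:x:0:0:psmith:/home/psmith:/bin/bash'
SAMPLE_KLIST='Default principal: psmith@IPA.EXAMPLE.COM
02/08/11 11:45:39  02/08/11 21:45:39  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM'
SAMPLE_USER_SHOW='  User login: psmith
  Roles: enrollment administrator'

# Run all three checks against the samples; non-zero if any fails.
check_samples() {
    passwd_entry_ok "$SAMPLE_PASSWD" psmith /home/psmith &&
    has_tgt "$SAMPLE_KLIST" IPA.EXAMPLE.COM &&
    has_role "$SAMPLE_USER_SHOW" 'Enrollment Administrator'
}
if check_samples; then echo "all checks passed"; else echo "check failed"; fi
```

After an uninstall, passwd_entry_ok on the empty getent output returns non-zero, which matches the "user should not be found" step.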