From Fedora Project Wiki

Revision as of 14:53, 8 September 2014 by Adamwill (looks better this way)

Associated release criterion
This test case is associated with the Basic_Release_Criteria#remote-authentication release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

Join the current machine to a FreeIPA domain using GNOME's initial setup tool. Domain accounts are available on the local machine once this is done.

Setup

  1. This test case assumes you have already set up a FreeIPA domain (named "ipa.example.org" in this example - adjust as appropriate for your local configuration). If you haven't, you can set one up. QA:Testcase_freeipav3_installation can function as an instruction set for this purpose; also see the FreeIPA Guide.
  2. Your machine must have a fully-qualified host name. Do not proceed if the output of hostname is localhost or localhost.localdomain or similar. It should be something like test-system.example.org.
  3. Make sure you have realmd-0.13.3-2 or later installed: rpm -q realmd

How to test

  1. Perform the join command using IPA's admin account.
    $ realm join --user=admin ipa.example.org
    You will be prompted for a password for the account.
    You will be prompted for PolicyKit authorization.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your FreeIPA domain is.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer.
    $ getent passwd admin@ipa.example.org
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form $user@$fqdn, where $fqdn is your fully qualified IPA domain name (e.g. ipa.example.org).
  3. Check that you have an appropriate entry in your host's keytab.
    $ sudo klist -k
    You should see several lines with your host name. For example: 1 host/$hostname@$FQDN
  4. Check that you can use your keytab with Kerberos.
    $ sudo kinit -k host/client.ipa.example.org@IPA.EXAMPLE.ORG
    Make sure the domain name is capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like host/$hostname@$FQDN.
    There should be no output from this command.
  5. If you have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section.
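
The checks in steps 1 to 4 can be scripted. The following is an added example, not part of the original test case: the function names, the --live switch and the sample output are assumptions made for illustration, and the realm name is assumed to be the domain name in upper case, as in the example above.

```sh
# Added example: parse the command output inspected under "Expected Results".
# Parsers read stdin, so they also work on output saved for a bug report.

# realm_field DOMAIN FIELD < `realm list` output: print FIELD from DOMAIN's block.
realm_field() {
    awk -v dom="$1" -v key="$2:" '
        /^[^ \t]/ { in_dom = ($1 == dom); next }  # unindented line opens a realm block
        in_dom && $1 == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }'
}

# login_name USER FORMAT: expand the %U placeholder of a login-formats value.
# Assumption: FORMAT holds a single format such as %U@ipa.example.org.
login_name() {
    case "$2" in
        *%U*) printf '%s%s%s\n' "${2%%\%U*}" "$1" "${2#*\%U}" ;;
        *)    return 1 ;;
    esac
}

# host_principal FQDN DOMAIN < `klist -k` output: print host/FQDN@REALM if the
# keytab lists it. Assumption: REALM is DOMAIN in upper case.
host_principal() {
    want="host/$1@$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    awk -v want="$want" '$2 == want { found = 1 }
        END { if (found) print want; exit !found }'
}

# verify_join DOMAIN: run the page's checks on this machine (prompts for sudo).
verify_join() {
    out=$(realm list) || return 1
    [ "$(printf '%s\n' "$out" | realm_field "$1" configured)" = kerberos-member ] ||
        { echo "FAIL: $1 is not configured as kerberos-member"; return 1; }
    user=$(login_name admin "$(printf '%s\n' "$out" | realm_field "$1" login-formats)") ||
        { echo "FAIL: no usable login-formats line"; return 1; }
    getent passwd "$user" >/dev/null || { echo "FAIL: cannot resolve $user"; return 1; }
    princ=$(sudo klist -k | host_principal "$(hostname)" "$1") ||
        { echo "FAIL: no host principal for $(hostname) in keytab"; return 1; }
    sudo kinit -k "$princ" && echo "OK: $user resolves, $princ can authenticate"
}

# Constructed sample output (not captured from a real system).
SAMPLE_REALM_LIST='ipa.example.org
  realm-name: IPA.EXAMPLE.ORG
  configured: kerberos-member
  login-formats: %U@ipa.example.org'
SAMPLE_KLIST='KVNO Principal
---- ------------------------------------------------
   1 host/client.ipa.example.org@IPA.EXAMPLE.ORG'
if [ "${1:-}" = "--live" ]; then verify_join "${2:-ipa.example.org}"; fi
```

Run the script with --live and your domain name to check a joined machine; without arguments it only defines the functions and the sample data.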



Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --verbose ipa.example.org