From Fedora Project Wiki

Revision as of 00:53, 9 September 2014 by Adamwill (talk | contribs) (create test case for enrolling in FreeIPA domain with gnome-initial-setup)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Associated release criterion
This test case is associated with the Basic_Release_Criteria#remote-authentication release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

Join the current machine to a FreeIPA domain using GNOME's initial setup tool. Domain accounts are available on the local machine once this is done.

Setup

  1. This test case assumes you have already set up a FreeIPA domain (named "ipa.example.org" in this example - adjust as appropriate for your local configuration). If you haven't, you can set one up. QA:Testcase_freeipav3_installation can function as an instruction set for this purpose; also see the FreeIPA Guide.
  2. Your machine must have a fully-qualified host name. Do not proceed if the output of hostname is localhost or localhost.localdomain or similar. It should be something like test-system.example.org.
  3. Make sure you have realmd-0.13.3-2 or later installed: rpm -q realmd

How to test

  1. Install Fedora Workstation (or, for releases older than Fedora 21, do a standard Fedora GNOME desktop install), using all defaults where possible and sensible settings elsewhere. Do not create a local user account during installation.
  2. Boot the installed system.
  3. On the About You page of the wizard, click Set Up Enterprise Login.
  4. Enter the FreeIPA domain name (for e.g. example.org) for Domain (it should be available as a choice from the drop-down box if your test system's hostname is as suggested above), and a valid username and password for a user account on the domain, and click Next.
  5. If prompted for administrator credentials, enter the username and password of the FreeIPA domain administrator account and click Continue.
  6. Complete the wizard, and try to log in with the user account you configured.
  7. Check whether you can run getent passwd someuser@example.org and other commands that would require correct authentication with the FreeIPA domain.

Expected Results

  1. Installation should run successfully. If it does not, you have made a mistake or encountered a failure of one of the Installer Test Cases.
  2. The GNOME initial setup wizard should appear before any login screen. If it does not, consider this a failure of QA:Testcase_base_initial_setup.
  3. The user creation step should switch to an 'Enterprise Login' mode when you click the Set Up Enterprise Login button.
  4. If the user account you chose to set up has the power to enrol new client systems in the domain, the joining process should start as soon as you enter the account details and click Next. If not, a dialog requesting the credentials of an account with the necessary powers should appear.
  5. If the admin credentials prompt is necessary, it should appear and the join process should start when you enter correct admin credentials and click Continue.
  6. You should be able to log in as the FreeIPA user configured during this test.
  7. You should be able to do things that
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make note of the login-formats line for the next command.
  8. Check that you can resolve domain accounts on the local computer. 
    $ getent passwd admin@ipa.example.org
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above, to build a remote user name. It will be in the form of $user@$fqdn, where fqdn is your fully qualified IPA domain name (e.g. ipa.example.org).
  9. Check that you have an appropriate entry in your hosts keytab. 
    sudo klist -k
    You should see several lines, with your host name. For example 1 host/$hostname@$FQDN
  10. Check that you can use your keytab with kerberos 
    sudo kinit -k host/client.ipa.example.org@IPA.EXAMPLE.ORG
    Make sure the domain name is capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like host/$hostname@$FQDN.
    There should be no output from this command.
  11. If you have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section.



Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports. 

$ realm join --verbose ipa.example.org
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_gnome_initial_setup_domain_join&oldid=386225"