From Fedora Project Wiki

Revision as of 14:44, 9 May 2013 by Stefw (talk | contribs)

Description

This test case precreates accounts in the domain using adcli join.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. It is necessary to have complete domain DNS resolution working for this test.
  3. Test general adcli info functionality before doing this test.
  4. You'll need an administrative account in the domain.
  5. Choose a couple of computer names that are not yet in use on your domain.

How to test

  1. Use adcli to preset the computer accounts in the domain:
    $ adcli preset-computer --login-user=Administrator --domain=domain.example.com --one-time-password=MyPassword host1.example.com host2.example.com
    Replace the host names above with the computer names you chose.

Expected Results

The preset command should prompt for your admin password and then complete without error. It will print out the names of the computer accounts it created.

The computer accounts should be able to authenticate with the one time password:

$ kinit 'HOST1$@DOMAIN.EXAMPLE.COM'
Password for HOST1$@DOMAIN.EXAMPLE.COM: 
  • Use a computer name printed above when doing this check.
  • Make sure to include the dollar sign and the at sign, and that everything is upper case.
  • Type MyPassword or whatever one time password you specified above.
  • Authenticating like this does not count as a 'one time use' of the one time password.

Next join using the one time password, using one of the host names:

$ adcli join --one-time-password=MyPassword \
        --host-fqdn=host1.example.com --host-keytab=/tmp/host1.keytab \
        --domain=domain.example.com
  • This should complete without error.
  • The join command will take a few seconds. It can take up to a minute in extreme cases where the domain controller for the domain is far away (in terms of latency).

The host keytab should contain new credentials for the host, like the following. The KVNO, computer name, and domain name will differ.

$ klist -k /tmp/host1.keytab
Keytab name: FILE:/tmp/host1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
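As an added check that is not part of the original test case: a shell function that verifies a `klist -k` listing contains every principal adcli is expected to write for the host (the account principal plus HOST/ and RestrictedKrbHost/ entries for both the short and the fully qualified name, as in the listing above) and that all entries share a single KVNO, which is what a fresh join produces. The sample listing is constructed; in practice pass it the output of `klist -k /tmp/host1.keytab`.

```shell
#!/bin/sh
# Constructed sample of `klist -k /tmp/host1.keytab` output, not a real capture.
SAMPLE_KLIST='Keytab name: FILE:/tmp/host1.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM'

# check_host_keytab SHORTNAME FQDN REALM KLIST_OUTPUT
# Returns 0 when every expected principal is present and all entries share
# one KVNO; otherwise reports what is wrong on stderr and returns 1.
check_host_keytab() {
    short=$1; fqdn=$2; realm=$3; out=$4
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    # Keep only the entry lines that follow the dashed header: "<kvno> <principal>"
    entries=$(printf '%s\n' "$out" | awk 'found { print } /^----/ { found = 1 }')
    rc=0
    for princ in "${upper}"'$@'"${realm}" \
                 "HOST/${upper}@${realm}" "HOST/${fqdn}@${realm}" \
                 "RestrictedKrbHost/${upper}@${realm}" \
                 "RestrictedKrbHost/${fqdn}@${realm}"; do
        # Exact string match on the principal column, so '$' is not a regex anchor here
        if ! printf '%s\n' "$entries" | awk -v p="$princ" '$2 == p { ok = 1 } END { exit !ok }'; then
            echo "missing principal: $princ" >&2
            rc=1
        fi
    done
    # A keytab written by one join carries one KVNO; several mean stale entries were kept.
    nkvno=$(printf '%s\n' "$entries" | awk 'NF && !($1 in k) { k[$1]; n++ } END { print n+0 }')
    if [ "$nkvno" -ne 1 ]; then
        echo "expected a single KVNO, found $nkvno distinct values" >&2
        rc=1
    fi
    return $rc
}

# Run against the constructed sample; replace with real klist output after a join.
check_host_keytab host1 host1.example.com DOMAIN.EXAMPLE.COM "$SAMPLE_KLIST" \
    && echo "keytab for host1 looks complete"
```
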
You should be able to authenticate using the keytab. You should not be prompted for a password, and there should be no error message, when you run this command:

$ KRB5_KTNAME=/tmp/host1.keytab kinit -k 'HOST1$@DOMAIN.EXAMPLE.COM'

You should no longer be able to use the one time password to authenticate against the domain:

$ kinit 'HOST1$@DOMAIN.EXAMPLE.COM'
Password for HOST1$@DOMAIN.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
  • Type MyPassword or whatever one time password you specified above.

Cleanup

# rm -f /etc/krb5.keytab
# adcli delete-computer --domain-controller=10.10.10.10 --domain=domain.example.com <hostname -s>

More: Overwriting Accounts

  • You can run the above adcli preset command again with the same hosts.
  • It should not overwrite computer accounts that already exist.

Troubleshooting

  • Use the --verbose argument to provide output when troubleshooting or reporting bugs.
  • In the kinit lines above, make sure you have the dollar sign, are using the short computer name, and have everything capitalized as expected.