QA:Testcase freeipav2 client enrollment

{{QA/Test_Case
 * description=Client enrollment testing.
 * setup=
 * 1) Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
 * 2) Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
 * 3) This requires a separate client machine from the IPA server machine.


 * actions=

First create a user for the test:


 * 1) kinit admin
 * 2) ipa user-add psmith --first=Patty --last=Smith
 * 3) ipa passwd psmith

Enrolling Client Using admin Credentials
Run from a newly installed machine other than the IPA server, logged in as root:


 * 1) /sbin/ifconfig eth0

On the IPA server, run this command to add the new host's DNS A record. Replace the IP address 10.10.10.10 with the address from the ifconfig line listed above.


 * 1) kinit admin
 * 2) ipa dnsrecord-add ipa.example.com client1 --a-rec=10.10.10.10

On the client machine, install the ipa-client.


 * 1) yum install freeipa-client freeipa-admintools
 * 2) ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p admin

Expected result: the install script should prompt the user for an Enrollment password; use the admin Kerberos password.

Confirm that the user list is fetched from the IPA server:


 * 1) getent passwd psmith

Expected result:


 * 1) psmith:x:0:0:psmith:/home/psmith:/bin/bash

Confirm IPA client setup

 * 1) kinit admin

Expected result: prompted for the admin password for the IPA server


 * 1) ipa user-find psmith

Expected result: the record for the user psmith created as a prerequisite

Confirm auth mechanism


 * 1) ssh psmith@localhost

You should be prompted for the password of psmith, and then immediately required to change it.

Confirm Kerberos setup:

$ klist

Expected result: a line comparable to the line below

$ 02/08/11 11:45:39 02/08/11 21:45:39  krbtgt/SERVERNAME@SERVERNAME

Confirm home directory creation:

$ ls

Expected result:

$ /home/psmith
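
The following is an added example, not part of the original test case or of FreeIPA: it classifies captured `getent passwd` and `klist` output from the confirmation steps above. The function names, the realm IPA.EXAMPLE.COM and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: evaluates captured output from the confirmation steps.
# Sample values are constructed; the realm IPA.EXAMPLE.COM is an assumption.

# passwd_entry_ok USER LINE
# LINE is the output of `getent passwd USER`. Succeeds only if the entry
# names USER, has the home directory /home/USER and a login shell.
passwd_entry_ok() (
    [ -n "$2" ] || exit 1                 # empty output: user not resolved
    IFS=: read -r name _pw _uid _gid _gecos home shell <<EOF
$2
EOF
    [ "$name" = "$1" ] && [ "$home" = "/home/$1" ] && [ -n "$shell" ]
)

# has_tgt REALM KLIST_OUTPUT
# Succeeds if a krbtgt/REALM@REALM ticket is listed in the klist output.
has_tgt() {
    printf '%s\n' "$2" | grep -qF "krbtgt/$1@$1"
}

# enrollment_check USER REALM GETENT_LINE KLIST_OUTPUT
# Prints one of: pass, no-ticket, user-missing, bad-entry.
# user-missing is the expected state after `ipa-client-install --uninstall -U`.
enrollment_check() {
    if [ -z "$3" ]; then
        echo user-missing
    elif ! passwd_entry_ok "$1" "$3"; then
        echo bad-entry
    elif has_tgt "$2" "$4"; then
        echo pass
    else
        echo no-ticket
    fi
}

# Constructed sample input, modelled on the expected results in the test case.
SAMPLE_GETENT='psmith:x:0:0:psmith:/home/psmith:/bin/bash'
SAMPLE_KLIST='02/08/11 11:45:39  02/08/11 21:45:39  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM'

# On a live client the last two arguments would come from
# "$(getent passwd psmith)" and "$(klist 2>/dev/null)".
enrollment_check psmith IPA.EXAMPLE.COM "$SAMPLE_GETENT" "$SAMPLE_KLIST"
```
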

Enrolling Client Using Delegated Credentials
A role can be created that has the rights to enroll a client machine.

Create the Role
On the IPA server, create the role, add the privilege, then add our user to this role:


 * 1) ipa role-add --desc='Users who can enroll hosts' 'Enrollment Administrator'
 * 2) ipa role-add-privilege --privileges='Host Enrollment' 'enrollment administrator'
 * 3) ipa role-add-member --users=psmith 'enrollment administrator'
 * 4) ipa user-show psmith

Confirm that the user is in the role in the user-show output:

Roles: enrollment administrator

Prepare the client machine
If you are going to use the same client machine as in the previous step, uninstall the IPA client with:


 * 1) ipa-client-install --uninstall -U

This should restore the configuration to its previous state. You can confirm with:


 * 1) getent passwd psmith

The user should not be found.

If you are using a new machine then install the IPA client program:


 * 1) yum install freeipa-client freeipa-admintools

In either case, destroy any Kerberos credentials there may be:


 * 1) kdestroy

Enroll as a delegated user
Install the client:


 * 1) ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p psmith

When prompted for an Enrollment password use psmith's password.

Expected result: a properly installed client

Confirm with:


 * 1) getent passwd psmith


 * 1) ipa user-show psmith

Enrolling Client Using Bulk Credentials
If you want a way to enroll a host without Kerberos credentials, you can pre-create the host and set a One-Time Password (OTP) on that host. This password can then be used to enroll the host.

The same pre-requisites apply.

Prepare the Client
If you are going to use the same client machine as the previous step or steps, first unconfigure the client:


 * 1) ipa-client-install --uninstall -U

Create the Client Host entry
On the server we need to create the host entry we're going to enroll.

First remove any existing entry there might be:


 * 1) ipa host-del client.ipa.example.com

Now create the host entry:


 * 1) ipa host-add --random client.ipa.example.com

We added the IP address of this client earlier so you shouldn't get a DNS error about A records.

The output of this will contain a random password. Save a copy of it; we'll need it later.

Enroll the Client with a Bulk password
Now on the client machine run the IPA client installer and pass in the bulk password created in the previous step:


 * 1) ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -W

The installer should exit without error.

Test things out:


 * 1) getent passwd psmith
 * 2) kinit admin
 * 3) ipa user-show admin

 * results=
All the test steps should end with the specified results.
}}