QA:Testcase FreeIPA control center

From FedoraProject

(Difference between revisions)
(Add about screwed up nsswitch.conf)
(Update requirements)
 
(6 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
|description=Setup an FreeIPA domain account login via the GNOME Control Center.
 
|description=Setup an FreeIPA domain account login via the GNOME Control Center.
 
|setup=
 
|setup=
# You need control-center 3.6.x version or later.
+
This test has several gotchas in Fedora 19 Alpha. Please review the Troubleshooting section below before continuing.
# You need a configured FreeIPA domain. The realm name must match the domain name (upper cased).
+
# Following software required:
 +
#* control-center 3.8.1.5 or later.
 +
#* realmd 0.14.0 or later.
 +
#* selinux-policy 3.12.1-40 or later.
 +
# You need a configured FreeIPA domain. If you need to you can [[QA:Testcase_freeipav3_installation|set one up]].
 
# You need a FreeIPA domain user account and administrator account, or both. If you have both, enter the use account as the user you're going to add below.
 
# You need a FreeIPA domain user account and administrator account, or both. If you have both, enter the use account as the user you're going to add below.
 
# Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.
 
# Your machine must have a configured host name. Do not proceed if you host name is <code>localhost</code> or similar.
 
#: <pre>$ hostname</pre>
 
#: <pre>$ hostname</pre>
# Make sure you have [https://admin.fedoraproject.org/updates/realmd-0.13.3-2.fc19 realmd 0.13.3-2] or later installed.
 
#: <pre>$ yum list realmd</pre>
 
# Make sure you have [http://koji.fedoraproject.org/koji/buildinfo?buildID=412505 selinux-policy-3.12.1-32] or later installed.
 
#: <pre>$ yum list selinux-policy</pre>
 
 
# Remove the following packages, they should be installed by realmd as necessary.
 
# Remove the following packages, they should be installed by realmd as necessary.
 
#: <pre>$ sudo yum remove freeipa-client</pre>
 
#: <pre>$ sudo yum remove freeipa-client</pre>
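Review bot: the new software list (control-center 3.8.1.5, realmd 0.14.0, selinux-policy 3.12.1-40) also drops the "yum list realmd" and "yum list selinux-policy" lines, so the setup no longer tells the tester how to confirm the installed versions. Suggest keeping one check next to the list, for example "$ yum list control-center realmd selinux-policy". The unchanged lines in this hunk carry two typos that could be fixed in the same edit: "enter the use account" and "if you host name".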
Line 18: Line 18:
 
# Run <code>gnome-control-center</code> from a terminal.
 
# Run <code>gnome-control-center</code> from a terminal.
 
# Choose the ''Users'' panel.
 
# Choose the ''Users'' panel.
# Click the ''Unlock'' button.
+
# Click the ''Unlock'' button, if it was run as non-root user
 
#: You should get a Policy Kit authorization prompt.
 
#: You should get a Policy Kit authorization prompt.
 
# Click the add [+] button in the lower left.
 
# Click the add [+] button in the lower left.
Line 37: Line 37:
 
#: <pre>$ realm list</pre>
 
#: <pre>$ realm list</pre>
 
#: Make sure the domain is listed.
 
#: Make sure the domain is listed.
#: Make sure you have a <code>configured: kerberos-membership</code> line in the output.
+
#: Make sure you have a <code>configured: kerberos-member</code> line in the output.
 
#: Make note of the <code>login-formats</code> line for the next command.
 
#: Make note of the <code>login-formats</code> line for the next command.
 
# Check that you can resolve domain accounts on the local computer.  
 
# Check that you can resolve domain accounts on the local computer.  
Line 46: Line 46:
 
# Check that you have an appropriate entry in your hosts keytab.
 
# Check that you have an appropriate entry in your hosts keytab.
 
#: <pre>sudo klist -k</pre>
 
#: <pre>sudo klist -k</pre>
#: You should see several lines, with your host name. For example <code>2 HOSTNAME$@IPA.EXAMPLE.COM</code>
+
#: You should see several lines, with your host name that look like <code>2 host/host.example.com$@IPA.EXAMPLE.COM</code>
 
# Check that you can use your keytab with kerberos
 
# Check that you can use your keytab with kerberos
#: <pre>sudo kinit -k 'HOSTNAME$@IPA.EXAMPLE.COM'</pre>
+
#: <pre>sudo kinit -k host/host.example.com@IPA.EXAMPLE.COM</pre>
#: Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
+
#: Make sure the hostname and domain are capitalized, and specified exactly as in the <code>klist</code> output above.
#: Use the principal from the output of the <code>klist</code> command above. Use the one that's capitalized and looks like <code>HOSTNAME$@DOMAIN</code>.
+
 
#: There should be no output from this command.
 
#: There should be no output from this command.
 
# The user should show up here:
 
# The user should show up here:
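Review bot: the new klist example and the new kinit command disagree. The example principal is "host/host.example.com$@IPA.EXAMPLE.COM" (with a "$"), the command uses "host/host.example.com@IPA.EXAMPLE.COM" (without it), and the following line says to specify the principal exactly as in the klist output. Either drop the leftover "$" from the example or restore the quoting advice this hunk removes, since an unquoted "$" is subject to shell expansion. "Make sure the hostname and domain are capitalized" also no longer fits the lowercase host name in the example and should be reworded to match it.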
Line 69: Line 68:
  
 
* You can see verbose output in the terminal that you started gnome-control-center from.
 
* You can see verbose output in the terminal that you started gnome-control-center from.
 
* {{bz|952830}} If you see '''SELinux issues''', it's because you don't have [http://koji.fedoraproject.org/koji/buildinfo?buildID=412505 selinux-policy-3.12.1-32] or later.
 
** Please do, this and report all AVC's to the above bug.
 
<pre>
 
$ sudo setenforce permissive
 
... do the test
 
$ sudo grep realmd /var/log/audit/audit.log
 
</pre>
 
 
* {{bz|953445}} If you see the message '''Decrypt integrity check failed''' that means you typed the wrong password. It is a bug that this is message is displayed directly, and the password field not merely flagged.
 
  
 
* {{bz|953453}} If you see the message '''No user with the name user@domain found''' then this is because 'sss' was not in your <code>/etc/nsswitch.conf</code> when the tests were started.  
 
* {{bz|953453}} If you see the message '''No user with the name user@domain found''' then this is because 'sss' was not in your <code>/etc/nsswitch.conf</code> when the tests were started.  
Line 88: Line 77:
 
$ shutdown -r now</pre>
 
$ shutdown -r now</pre>
  
 +
* {{bz|953477}} '''Cannot log in using GDM''' because it seems like GDM or some part of the GNOME session is giving problems when the user name has an @ symbol in it.
  
 
[[Category:FreeIPA_Test_Cases]] [[Category:realmd_Test_Cases]]
 
[[Category:FreeIPA_Test_Cases]] [[Category:realmd_Test_Cases]]
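Review bot: the added RHBZ 953477 entry says GDM login fails when the user name contains an @ symbol, but the expected results still require typing user@domain at GDM and being logged in, and the entry gives no workaround or instruction for the tester. Say whether the tester should record the test as failed against that bug or verify the login some other way.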

Latest revision as of 06:45, 9 May 2013

Description

Set up a FreeIPA domain account login via the GNOME Control Center.

Setup

This test has several gotchas in Fedora 19 Alpha. Please review the Troubleshooting section below before continuing.

  1. The following software is required:
    • control-center 3.8.1.5 or later.
    • realmd 0.14.0 or later.
    • selinux-policy 3.12.1-40 or later.
  2. You need a configured FreeIPA domain. If you need to, you can set one up.
  3. You need a FreeIPA domain user account, an administrator account, or both. If you have both, enter the user account as the user you're going to add below.
  4. Your machine must have a configured host name. Do not proceed if your host name is localhost or similar.
    $ hostname
  5. Remove the following packages; realmd should install them as necessary.
    $ sudo yum remove freeipa-client
  6. Make sure you are not joined to a domain. Use realm list to check, and realm leave to leave.

How to test

  1. Run gnome-control-center from a terminal.
  2. Choose the Users panel.
  3. Click the Unlock button if gnome-control-center was run as a non-root user.
    You should get a Policy Kit authorization prompt.
  4. Click the add [+] button in the lower left.
  5. Choose the Enterprise login pane.
  6. Enter an invalid domain, invalid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the domain.
  7. Enter the valid domain, invalid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the user.
  8. Enter the valid domain, valid user, and invalid password for the account.
    Click on Add. You should see a problem icon on the password.
  9. Enter the right password.
  10. Click on Add.
    If you use a non-administrative user, you should be prompted for administrative credentials.

Expected Results

  1. The user should now be listed in the User Accounts panel of the GNOME Control Center.
  2. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-member line in the output.
    Make note of the login-formats line for the next command.
  3. Check that you can resolve domain accounts on the local computer.
    $ getent passwd 'user@domain'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form of user@domain, where domain is your full FreeIPA domain name.
  4. Check that you have an appropriate entry in your host keytab.
    $ sudo klist -k
    You should see several lines with your host name that look like 2 host/host.example.com$@IPA.EXAMPLE.COM
  5. Check that you can use your keytab with Kerberos.
    $ sudo kinit -k host/host.example.com@IPA.EXAMPLE.COM
    Make sure the hostname and domain are capitalized, and specified exactly as in the klist output above.
    There should be no output from this command.
  6. The user should show up here:
    $ realm list
    Look at the permitted-logins: line.
    You should also see login-policy: allow-permitted-logins.
  7. Go to GDM by logging out, or by Switch User from the user menu.
  8. Choose the Not Listed? option.
    Verify that you can see the short name listed with a hint as to how to log in.
  9. Type user@domain in the box.
    The case of the domain and user should not matter, but they are separated by an at sign.
    The domain part is the entire domain name for your FreeIPA domain.
  10. Type the domain user's password, and press Enter.
  11. You should be logged into a Fedora Desktop.



Troubleshooting

  • You can see verbose output in the terminal that you started gnome-control-center from.
  • RHBZ #953453 If you see the message No user with the name user@domain found then this is because 'sss' was not in your /etc/nsswitch.conf when the tests were started.
    • A newly installed system will have this present. However ipa-client-install --uninstall incorrectly removes it.
    • This may have happened if you ran earlier tests that performed this command.
    • Workaround: The following lines should have 'sss' on them in /etc/nsswitch.conf by default. You can restore this by doing the following, and then running through the tests again:
$ sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
$ sudo yum reinstall glibc
$ shutdown -r now
  • RHBZ #953477 Cannot log in using GDM because it seems like GDM or some part of the GNOME session is giving problems when the user name has an @ symbol in it.
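
The realm list checks from Expected Results and the nsswitch.conf problem from Troubleshooting can be scripted. The following is an added example, not part of the original test case; the sample realm list output and nsswitch.conf content are constructed, and checking the passwd line specifically is an assumption, since the page does not say which lines need 'sss'.

```shell
#!/bin/sh
# Added example: scripted post-join checks (not part of the original test case).
# The sample inputs below are constructed, not captured from a real host.

SAMPLE_REALM_LIST='ipa.example.com
  type: kerberos
  realm-name: IPA.EXAMPLE.COM
  domain-name: ipa.example.com
  configured: kerberos-member
  login-formats: %U@ipa.example.com
  login-policy: allow-permitted-logins
  permitted-logins: user@ipa.example.com'

SAMPLE_NSSWITCH_BROKEN='# constructed: state after the sss entries were removed
passwd:     files
group:      files'

# realm_field TEXT KEY -> value of the first "  KEY: value" line, or empty.
realm_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_realm TEXT USER -> 0 if joined and USER is permitted; prints each failure.
check_realm() {
    rc=0
    [ "$(realm_field "$1" configured)" = "kerberos-member" ] ||
        { echo "FAIL: no 'configured: kerberos-member' line"; rc=1; }
    [ "$(realm_field "$1" login-policy)" = "allow-permitted-logins" ] ||
        { echo "FAIL: login-policy is not allow-permitted-logins"; rc=1; }
    case " $(realm_field "$1" permitted-logins | tr ',' ' ') " in
        *" $2 "*) ;;
        *) echo "FAIL: $2 not in permitted-logins"; rc=1 ;;
    esac
    return $rc
}

# nss_has_sss TEXT DB -> 0 if the DB line (assumed: passwd) lists the sss source.
nss_has_sss() {
    printf '%s\n' "$1" | grep -Eq "^$2:.*[[:space:]]sss([[:space:]]|\$)"
}

# On a real machine:
#   check_realm "$(realm list)" 'user@ipa.example.com'
#   nss_has_sss "$(cat /etc/nsswitch.conf)" passwd
if [ "${1:-}" = "--demo" ]; then
    check_realm "$SAMPLE_REALM_LIST" 'user@ipa.example.com' && echo "realm: OK"
    nss_has_sss "$SAMPLE_NSSWITCH_BROKEN" passwd || echo "nsswitch: 'sss' missing (RHBZ #953453)"
fi
```

Run it with --demo to see the constructed samples evaluated; running the nsswitch check before starting the test catches the RHBZ #953453 condition early.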