From Fedora Project Wiki

Revision as of 16:05, 14 February 2011 by Jcholast

Description

CLI testing.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)

How to test

Users

  1. Creating Users
  2. To make things interesting, create several users. Some of these will be used in later tests.

    Make sure you have a valid ticket:

    # kinit admin
    

    Fully Interactive User Creation:

    # ipa user-add
    

    You should be prompted for just First name, Last name and login name.

    An example would be:

    # ipa user-add
    
    First name: Patty
    Last name: Smith
    User login [psmith]:
    

    Create and provide some optional data:

    # ipa user-add mmouse --first=Mickey --last=Mouse --street='123 Disney Way' --city=Anaheim --state=CA --postalcode=92801
    # ipa user-add mightym --first=Mighty --last=Mouse --uid=500 --shell=/bin/tcsh
    

    Specify an illegal UID number:

    # ipa user-add --first=Bad --last=Guy bguy --uid=0
    

    This should fail: you can't add a new user with UID 0 (root).

    Try some bad login names:

    # ipa user-add --first=Bad --last=User +user
    # ipa user-add --first=Bad --last=User ^buser
    # ipa user-add --first=Bad --last=User aloginnamethatislongerthanthedefaultloginallowed
    
  3. Searching for Users
  4. At this point we should have 4 users.

    First find them all:

    # ipa user-find
    

    Now search for the Mouse family (should return 2 users):

    # ipa user-find mouse
    

    Look for a user based on uid (should return 1 user):

    # ipa user-find --uid=500
    
  5. Updating Users
  6. Mighty Mouse is moving in with Mickey, add an address:

    # ipa user-mod mightym --street='123 Disney Way' --city=Anaheim --state=CA --postalcode=92801
    

    Make sure the data was actually saved:

    # ipa user-show mightym
    

    The output should include the address we added.

  7. Setting Passwords
  8. Note that there is no password set on any of the accounts we created in this section. You could have added --password to any of the user-add commands to create one; let's do one now.

    # ipa passwd mmouse
    

    A password set by an administrator is marked as expired. This way only the end user will know their final password.

    Become mmouse to show that password resetting works:

    # kinit mmouse
    

    Now we are the user mmouse; klist will confirm this.

  9. Locking accounts
  10. Run kinit 4 times, entering a bad password each time. The last one should return:

    kinit: Clients credentials have been revoked while getting initial credentials
    
  11. Unlocking Locked Accounts
  12. kinit to admin so we can unlock this user:

    # kinit admin
    # ipa user-unlock mmouse
    

    Test that the unlock worked (use correct password this time):

    # kinit mmouse
    
  13. Testing the Account
  14. Let's see if the mmouse account actually works as a Unix account. We should still have a TGT for the mmouse user from the previous step; if not, run: kinit mmouse.

    # su - mmouse
    su: warning: cannot change directory to /home/mmouse: No such file or directory
    

    This is expected, IPA doesn't create user directories automatically.

    Return to root:

    $ exit
    
  15. Removing Users
  16. Entries can be removed one at a time or you can specify multiple on a single command-line. Let us try both:

    # ipa user-del mightym
    

    Oops, that failed because we are still the user mmouse, who isn't allowed to delete users.

    # kinit admin
    

    Now try again:

    # ipa user-del mightym
    

    And let us remove the rest at once:

    # ipa user-del mmouse psmith
    

    That should be it. You can do a user-find to see if everyone is gone, except for admin and perhaps the user created during the Installation test.
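
The "Locking accounts" step above can be driven from a script. The following is an added example, not part of the wiki page: it assumes MIT kinit accepts the password on stdin, and takes the kinit command from a KINIT variable so the logic can be exercised against a stub without a KDC. The user name and the wrong password are constructed values.

```shell
#!/bin/sh
# Added example, not part of the wiki page: runs the "Locking accounts" step
# non-interactively and checks for the lockout message the page expects.
# KINIT names the kinit command (default: the real one on PATH); a test can
# point it at a stub so the logic runs without a KDC. The user name and the
# wrong password are constructed values.

: "${KINIT:=kinit}"

# lock_out_probe USER ATTEMPTS
# Feeds a wrong password to kinit ATTEMPTS times. Returns
#   0  if the final attempt reports revoked credentials (lockout enforced),
#   1  if every attempt failed but no lockout was reported,
#   2  if an attempt unexpectedly succeeded (the "wrong" password was right).
lock_out_probe() {
    user=$1
    attempts=$2
    i=1
    last=""
    while [ "$i" -le "$attempts" ]; do
        # MIT kinit reads the password from stdin when stdin is not a terminal
        # (assumed here); stderr is captured so the last message can be checked.
        if last=$(printf '%s\n' "definitely-wrong" | "$KINIT" "$user" 2>&1); then
            return 2
        fi
        i=$((i + 1))
    done
    case $last in
        *"Clients credentials have been revoked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage against a live server, mirroring the page (then unlock as admin):
#   lock_out_probe mmouse 4 && echo "lockout enforced"
#   kinit admin && ipa user-unlock mmouse
```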

Groups

  1. Creating Groups
  2. Start by being admin:

    # kinit admin
    

    Create a Group Interactively:

    # ipa group-add
    Group name: testgroup1
    Description: test group 1
    

    Create a Group Specifying required options:

    # ipa group-add --desc='test group 2' testgroup2
    

    Create a group with a specific GID:

    # ipa group-add --desc='test group 3' --gid=500 testgroup3
    

    Create a non-POSIX group:

    # ipa group-add --nonposix --desc='test group 4' testgroup4
    
  3. Searching for Groups
  4. We should have 4 test groups now, find them:

    # ipa group-find test
    

    Four entries should be returned, the groups we just added.

  5. Adding Members to Groups
  6. Let's add a group as a member of a group:

    # ipa group-add-member --groups=testgroup2 testgroup1
    

    It should have 1 group member (testgroup2).

    Now add a user to a group:

    # ipa group-add-member --users=admin testgroup2
    

    Now look at the user admin: it is a member of 3 groups, admins, testgroup2 and testgroup1.

    # ipa user-show admin | grep Member
     Member of groups: admins, testgroup2, testgroup1
    

    It is a member of testgroup1 because it is a member of testgroup2, which is a member of testgroup1. In other words, group membership is nested.

  7. Removing Members from Groups
  8. admin isn't a direct member of testgroup1 so we can't remove it:

    # ipa group-remove-member --users=admin testgroup1
      Group name: testgroup1
      Description: test group 1
      GID: 618600026
      Member groups: testgroup2
      Indirect Member users: admin
      Failed members: 
        user: admin: This entry is not a member
    ---------------------------
    Number of members removed 0
    ---------------------------
    

    If we remove testgroup2 as a member of testgroup1 we'll also see a change in the admin user:

    # ipa group-remove-member --groups=testgroup2 testgroup1
    # ipa user-show admin | grep Member
      Member of groups: admins, testgroup2
    
  9. Promote a non-POSIX group to POSIX
  10. A non-POSIX group doesn't have a GID number:

    # ipa group-show testgroup4
    

    Let's make this a POSIX group:

    # ipa group-mod --posix testgroup4
    

    It should have a GID number now.

  11. Deleting Groups
  12. We can remove them one at a time:

    # ipa group-del testgroup4
    

    Or a bunch at a time:

    # ipa group-del testgroup1 testgroup2 testgroup3
    

    And the user is updated accordingly:

    # ipa user-show admin | grep Member
      Member of groups: admins
    

    All the test groups should be gone now, confirm with:

    # ipa group-find test
    ----------------
    0 groups matched
    ----------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
    
  13. Managed Groups
  14. When a user is created, a group with the same name is created with the GID set to the user's UID.

    # ipa user-add --first=Patty --last=Smith psmith
    
    # ipa group-show psmith
    

    Note that the UID number of the user matches the GID number of the group.

    These groups are hidden by default; they aren't generally interesting, as you can't add users to them:

    # ipa group-find psmith
    ----------------
    0 groups matched
    ----------------
    ----------------------------
    Number of entries returned 0
    ----------------------------
    
    # ipa group-add-member --users=admin psmith
      Group name: psmith
      Description: User private group for psmith
      GID: 618600030
      Failed members: 
        user: admin: attribute "member" not allowed
    -------------------------
    Number of members added 0
    -------------------------
    

    It is possible to find them though:

    # ipa group-find --private psmith
    ---------------
    1 group matched
    ---------------
      Group name: psmith
      Description: User private group for psmith
      GID: 618600029
    ----------------------------
    Number of entries returned 1
    ----------------------------
    

    You can detach the group from the user and make it into a regular old users group where you can add members. This process is irreversible.

    # ipa group-detach psmith
    

    Now you can find it on a normal search:

    # ipa group-find psmith
    ---------------
    1 group matched
    ---------------
     Group name: psmith
     Description: User private group for psmith
     GID: 618600029
    ----------------------------
    Number of entries returned 1
    ----------------------------
    

    And add members:

    # ipa group-add-member --users=admin psmith
    

    Note that admin is a Member now.

    The group is now also independent of the user, so let's delete Patty:

    # ipa user-del psmith
    

    And the group is still available:

    # ipa group-show psmith
    

    Create another user to show how managed entries are tied together:

    # ipa user-add --first=Ron --last=Jones rjones
    # ipa group-find --private rjones
    # ipa user-del rjones
    # ipa group-find --private rjones
    

    The group is deleted with the user if they are still attached.

    We'll finish by deleting the psmith group:

    # ipa group-del psmith
    

Hosts

Hosts are separate from DNS entries (i.e. the data is not stored together), but a host is required to have a valid DNS entry. Without DNS, Kerberos doesn't really work.

  1. Start as admin:
  2. Get an admin ticket:

    # kinit admin
    
  3. Creating Hosts
  4. For the sake of testing, the assumption is that none of these hostnames exist in your DNS. If you have valid hostnames you can use, you can drop the --force flag. We touch briefly on enrollment but aren't actually going to enroll any client machines.

    Create a host:

    The domain name must be fully-qualified.

    # ipa host-add --force panther.freeipa.org
    

    This host is ready to be enrolled as a client machine using an authorized principal. Let us create one that can be registered using a simple password:

    # ipa host-add --random --force lion.freeipa.org
    

    Note in the output there is a random password. Using this password you could enroll the host.

    Or if you want to set a specific password on a new host entry:

    # ipa host-add --password=secret123 --force puma.freeipa.org
    
  5. Searching for Hosts
  6. We can search on either the FQDN or just the server name:

    # ipa host-find puma
    

    Returns the same as:

    # ipa host-find puma.freeipa.org
    
  7. Updating Hosts
  8. We can also store information specific to the host such as operating system, etc:

    # ipa host-mod --os='Fedora 12' --platform='White Box' --locality=Baltimore puma.freeipa.org
    

    Or change if we upgrade:

    # ipa host-mod --os='Fedora 14' puma.freeipa.org
    
  9. Managing other Hosts
  10. You may have noticed the managedby field with the same value as the FQDN of the host. This is the list of hosts that are allowed to bind and manage this entry; let's try that:

    # ipa host-add-managedby --hosts=hostname puma.freeipa.org
    

    Now your current host is allowed to manage the certificates and keytab of puma.freeipa.org. Let's try to update something else. First let us get a TGT for the current host:

    # kinit -kt /etc/krb5.keytab host/hostname
    

    And try to modify puma:

    # ipa host-mod --os='Ubuntu 10.14' puma.freeipa.org
    

    It fails due to lack of permissions. Remember, managing a host only lets us handle its certificates and keytab.

    Getting a keytab for a managed host:

    # ipa-getkeytab -s hostname -p host/puma.freeipa.org -k /tmp/test.keytab
    # klist -kt /tmp/test.keytab
    

    We successfully retrieved a keytab for a different host. Let's try again for a host we do not manage, panther:

    # ipa-getkeytab -s hostname -p host/panther.freeipa.org -k /tmp/test.keytab
    Operation failed! Insufficient access rights
    

    As expected, we aren't allowed.

  11. Removing Hosts
  12. Now back to admin and we'll remove the hosts we added:

    # kinit admin
    # ipa host-del puma panther lion
    

    Note that we're using the shortname for all.

Service

A service must be connected to a host. A service consists of a service name, a hostname and a realm. The service name is case sensitive.
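
As an added example, not from the wiki page, a shell pre-check that encodes the principal form just described, using the two error strings the "Creating Services" steps below show ipa printing, so a batch of principals can be screened before any of them is sent to the server. The realm is passed in as an argument and the principal names used are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a local pre-check that applies the
# rules stated above and shown later by "ipa service-add" (service component
# required, host fully-qualified, realm must be the server's own, no case
# folding) so a batch of principals can be checked before any reach the server.
# The realm argument and the principal names in the comments are constructed.

# check_service_principal PRINCIPAL REALM
# On success prints the canonical service/fqdn@REALM form and returns 0.
# On failure prints an error to stderr and returns 1; the first two messages
# are the ones the page shows ipa printing, the third is this script's own.
check_service_principal() {
    local principal realm prealm rest service host
    principal=$1
    realm=$2

    # Split off an optional @REALM; without one the server's realm applies.
    case $principal in
        *@*) prealm=${principal##*@}; rest=${principal%@*} ;;
        *)   prealm=$realm;           rest=$principal ;;
    esac

    # The service component is mandatory: "puma.freeipa.org" alone is rejected.
    case $rest in
        */*) service=${rest%%/*}; host=${rest#*/} ;;
        *)   service="";           host=$rest ;;
    esac
    if [ -z "$service" ]; then
        echo "ipa: ERROR: Service principal is not of the form: service/fully-qualified host name: missing service" >&2
        return 1
    fi

    # The realm is optional but, when given, must match the IPA server's realm.
    if [ "$prealm" != "$realm" ]; then
        echo "ipa: ERROR: The realm for the principal does not match the realm for this IPA server" >&2
        return 1
    fi

    # The host part must be a fully-qualified name (contains a dot).
    case $host in
        *?.?*) ;;
        *)     echo "check: host '$host' is not fully-qualified" >&2; return 1 ;;
    esac

    # Deliberately no case folding: HTTP/... and http/... are distinct services.
    echo "$service/$host@$prealm"
}

# Usage, e.g. before a loop of "ipa service-add":
#   check_service_principal HTTP/puma.freeipa.org FREEIPA.ORG   # prints HTTP/puma.freeipa.org@FREEIPA.ORG
```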

  1. Creating Services
  2. Start by creating a host to attach our test services to:

    # ipa host-add --force puma.freeipa.org
    

    Now we can start adding services:

    # ipa service-add HTTP/puma.freeipa.org
    

    The service name isn't checked but the formatting is:

    # ipa service-add puma.freeipa.org
    ipa: ERROR: Service principal is not of the form: service/fully-qualified host name: missing service
    

    The realm is optional but must match the current realm:

    # ipa service-add HTTP/puma.freeipa.org@FOO.ORG
    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
    
  3. Searching for Services
  4. Now find our service; there should be just one, HTTP:

    # ipa service-find puma
    # ipa service-find HTTP/puma.freeipa.org@FOO.ORG
    

    Searching with the --hosts=LIST option should display only the services that are managed by the listed host.

    # ipa service-find HTTP/puma.freeipa.org@FOO.ORG --hosts=<managed by hostname>
    

    Searching with the --no-hosts=LIST option should display only the services that are not managed by the listed host.

    # ipa service-find HTTP/puma.freeipa.org@FOO.ORG --no-hosts=<managed by hostname>
    

    Searching with the --sizelimit option should display no more than the specified number of services.

    # ipa service-find HTTP/puma.freeipa.org@FOO.ORG --sizelimit=1
    

    Searching with the --timelimit option should display the services found within that time limit (0 = show all).

    # ipa service-find HTTP/puma.freeipa.org@FOO.ORG --timelimit=5
    
  5. Modifying Services
  6. Make sure your service does not have any certificate.

    To add an attribute to an existing service:

    # ipa service-mod HTTP/puma.freeipa.org@FOO.ORG --addattr=certificate=<your cert in bytes>
    

    To replace an existing attribute:

    # ipa service-mod HTTP/puma.freeipa.org@FOO.ORG --setattr=certificate=<your new cert in bytes>
    
  7. Disabling Services
  8. Disable the service:

    # ipa service-disable HTTP/puma.freeipa.org@FOO.ORG
    
  9. Deleting Services
  10. Deleting a service:

    # ipa service-del HTTP/puma.freeipa.org@FOO.ORG
    

    Deleting several services with the --continue option:

    # ipa service-del --continue HTTP/puma.freeipa.org@FOO.ORG INVALID/puma.freeipa.org@FOO.ORG SSH/puma.freeipa.org@FOO.ORG
    

    Deletion continues even though a non-existent INVALID service sits in the middle of the list. Without the --continue option the command stops at INVALID, so SSH/puma.freeipa.org@FOO.ORG would not be deleted.
    
  11. Managing a Host's services
  12. By default a host can manage its own services. This is controlled by the managedby option.

    Management is defined as retrieving a keytab and requesting certificates on behalf of a service or host.

    So we can create a service for a host and get a keytab for it using the host's credentials:

    # kinit admin
    # ipa service-add test/puma.freeipa.org
    # kinit host/slinky.freeipa.org
    # ipa-getkeytab -s slinky -k /tmp/test.keytab -p test/puma.freeipa.org
    Keytab successfully retrieved and stored in: /tmp/test.keytab
    
  13. Managing Services on other Hosts
  14. It is possible to allow a host to manage other hosts or services on other hosts.

    If a host is added to the Managed By of another host, this does not mean management of all services on that host. Each delegation has to be done independently. In other words, to manage a host and all of its services you need to add the managing host to each host and service you want to delegate management for.

    Create a new host:

    # kinit admin
    # ipa host-add panther.freeipa.org
    

    And create a service on the host:

    # ipa service-add test/panther.freeipa.org
    

    Delegate managing the service:

    # ipa service-add-host --hosts=slinky test/panther.freeipa.org
    

    Now we can use the host service principal on slinky to manage panther:

    # kinit -kt /etc/krb5.keytab host/slinky.freeipa.org
    # ipa-getkeytab -s slinky -k /tmp/test.keytab -p test/panther.freeipa.org
    Keytab successfully retrieved and stored in: /tmp/test.keytab
    

    To create a certificate for this service first generate a CSR (Certificate Signing Request).

    The subject you use is not particularly important because our backend CA will only use the value of CN. The CN value must be your host's fully-qualified domain name.

    You can generate the CSR using either OpenSSL:

    # openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
    Generating a 2048 bit RSA private key
    .........................................................+++
    .............................+++
    writing new private key to 'private.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:AU
    State or Province Name (full name) []:QLD
    Locality Name (eg, city) [Default City]:BNE
    Organization Name (eg, company) [Default Company Ltd]:MYDOMAIN.NET
    Organizational Unit Name (eg, section) []:ECS
    Common Name (eg, your name or your server's hostname) []:myserver.mydomain.net
    Email Address []:authors@mydomain.net
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

    ...or using NSS:

    If you need to create an NSS database in which to store your key, use the certutil command as follows:

    $ certutil -N -d /path/to/database/dir
    $ certutil -R -s "CN=myserver.mydomain.net, O=MYDOMAIN.NET" -d /path/to/database/dir -a > example.csr
    

    Once you have the CSR (saved here as panther.csr), do:

    # ipa cert-request --add --principal=test/panther.freeipa.org panther.csr
     Certificate: MIICETCCAXqgA...[snip]
     Subject: CN=panther.freeipa.org,O=FREEIPA.ORG
     Issuer: CN=EXAMPLE.COM Certificate Authority
     Not Before: Tue Feb 08 18:51:51 2011 UTC
     Not After: Mon Feb 08 18:51:51 2016 UTC
     Fingerprint (MD5): c1:46:8b:29:51:a6:4c:11:cd:81:cb:9d:7c:5e:84:d5
     Fingerprint (SHA1): 01:43:bc:fa:b9:d8:30:35:ee:b6:54:dd:a4:e7:d2:11:b1:9d:bc:38
     Serial number: 1005
    

    The same can be done for hosts:

    # kinit admin
    # ipa host-add-managedby --hosts=slinky panther
    

    Become slinky and get a keytab for panther:

    # kinit -kt /etc/krb5.keytab host/slinky.freeipa.org
    # ipa-getkeytab -s slinky -k /tmp/panther.keytab -p host/panther.freeipa.org
    Keytab successfully retrieved and stored in: /tmp/panther.keytab
    

    Removing hosts from the managed-by list of a service:

    # ipa service-remove-host test/panther.freeipa.org --hosts=slinky,panther
    
  15. Getting a keytab
  16. Get a keytab quietly with no output on the terminal.

    # ipa-getkeytab -q -s hostname -p HTTP/puma.freeipa.org -k /tmp/service.keytab
    

    Display the supported encryption types for this keytab:

    # klist -ekt /tmp/service.keytab
    

    Get a keytab with a specific encryption type:

    # ipa-getkeytab -s hostname -p HTTP/puma.freeipa.org -k /tmp/service.keytab -e aes256-cts
    

    Verify that just the requested encryption type is available in keytab:

    # klist -ekt /tmp/service.keytab
    

    Setting a password while getting keytab:

    # ipa-getkeytab -s hostname -p HTTP/puma.freeipa.org -k /tmp/service.keytab -P
     New Principal Password: <enter password>
     Verify Principal Password: <enter password>
     Keytab successfully retrieved and stored in: /tmp/service.keytab
    
    

    Check that the password works:

    # kinit HTTP/puma.freeipa.org
     Password for HTTP/puma.freeipa.org: 
    # klist
    

    Get a keytab using binddn and its credentials:

    # ipa-getkeytab -s hostname -p HTTP/puma.freeipa.org -k /tmp/service.keytab -D "binddn" -w "bindpw"
     Keytab successfully retrieved and stored in: /tmp/service.keytab
    

    Get a keytab for this service:

    # ipa-getkeytab -s hostname -p HTTP/puma.freeipa.org -k /tmp/service.keytab
    

    Check the validity of the keytab:

    # kinit -kt /tmp/service.keytab  HTTP/puma.freeipa.org
    

    The kinit should have succeeded, return to admin:

    # kinit admin
    
  17. Removing a keytab
  18. Removing a specific principal from a keytab:

    # ipa-rmkeytab -p HTTP/puma.freeipa.org -k /tmp/service.keytab
     Removing principal HTTP/puma.freeipa.org
    

    Validate by listing the principals in the keytab:

    # klist -ekt /tmp/service.keytab
    

    Removing all principals in this realm:

    # ipa-rmkeytab -r FOO.ORG -k /tmp/service.keytab
     Removing principal HTTP/puma.freeipa.org@FOO.ORG
    
  19. Disable a keytab
  20. A service can be disabled without having to do anything on the remote server.

    # ipa service-disable HTTP/puma.freeipa.org
    

    Double-check that the keytab is invalidated:

    # kinit -kt /tmp/service.keytab  HTTP/puma.freeipa.org
    kinit: Preauthentication failed while getting initial credentials
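
Two checks in this section are done by reading klist output by eye: that only the requested encryption type is present after ipa-getkeytab -e, and that a principal is gone after ipa-rmkeytab. The following is an added example, not part of the wiki page, that parses "klist -ekt" output so both checks can be scripted; the listing it contains is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the wiki page: parses "klist -ekt" output so the
# two verification steps in this section (only the requested enctype present
# after ipa-getkeytab -e; principal gone after ipa-rmkeytab) can be scripted.
# The listing below is a constructed sample, not captured from a real keytab.

# keytab_entries < listing : print "principal enctype" pairs, one per line
keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO; the header and ruler do not.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            enc = $NF
            sub(/^\(/, "", enc); sub(/\)$/, "", enc)
            sub(/^DEPRECATED:/, "", enc)   # newer klist tags weak types this way
            print $(NF - 1), enc
        }'
}

# keytab_enctypes < listing : distinct enctypes, sorted
keytab_enctypes() {
    keytab_entries | awk '{ print $2 }' | LC_ALL=C sort -u
}

# keytab_principals < listing : distinct principals, sorted
keytab_principals() {
    keytab_entries | awk '{ print $1 }' | LC_ALL=C sort -u
}

# keytab_only_enctype EXPECTED < listing
# Succeeds only if EXPECTED is present and nothing else is. Note that klist
# prints the long name, e.g. aes256-cts-hmac-sha1-96 for the page's -e aes256-cts.
keytab_only_enctype() {
    [ "$(keytab_enctypes)" = "$1" ]
}

# keytab_has_principal PRINCIPAL < listing
keytab_has_principal() {
    keytab_principals | grep -qxF -- "$1"
}

# Constructed sample of what "klist -ekt /tmp/service.keytab" prints after a
# default ipa-getkeytab, i.e. several enctypes for the one principal.
SAMPLE_LISTING='Keytab name: FILE:/tmp/service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/08/2011 18:51:51 HTTP/puma.freeipa.org@FREEIPA.ORG (aes256-cts-hmac-sha1-96)
   2 02/08/2011 18:51:51 HTTP/puma.freeipa.org@FREEIPA.ORG (aes128-cts-hmac-sha1-96)
   2 02/08/2011 18:51:51 HTTP/puma.freeipa.org@FREEIPA.ORG (des-cbc-crc)'

# Usage against a real keytab:
#   klist -ekt /tmp/service.keytab | keytab_only_enctype aes256-cts-hmac-sha1-96
#   klist -ekt /tmp/service.keytab | keytab_has_principal HTTP/puma.freeipa.org@FREEIPA.ORG
```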
    

Expected Results

All the test steps should end with the specified results.