From Fedora Project Wiki


Description

Client enrollment testing.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
  3. This requires a separate client machine from the IPA server machine.

How to test

First create a user for the test:

# kinit admin
# ipa user-add psmith --first=Patty --last=Smith
# ipa passwd psmith

Enrolling Client Using admin Credentials

Run from a newly installed machine other than the IPA server, logged in as root:

# /sbin/ifconfig eth0

On the IPA server, run this command to add the new host's DNS A record. Replace the IP address 10.10.10.10 with the address from the ifconfig output above.

# kinit admin
# ipa dnsrecord-add ipa.example.com client1 --a-rec=10.10.10.10

On the client machine, install the ipa-client.

# yum install freeipa-client freeipa-admintools
# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p admin

Expected result: the install script should prompt for an Enrollment password; use the admin Kerberos password.

Confirm that the user list is fetched from the IPA server:

# getent passwd psmith

Expected result:

psmith:x:0:0:psmith:/home/psmith:/bin/bash

Confirm IPA client setup

# kinit admin 

Expected result: prompted for the admin password of the IPA server

# ipa user-find psmith

Expected result: the record for the user psmith created as a prerequisite

Confirm auth mechanism

# ssh psmith@localhost 

You should be prompted for the password of psmith, and then immediately required to change it.

Confirm Kerberos setup:

$ klist

Expected result: a line comparable to the one below

02/08/11 11:45:39  02/08/11 21:45:39  krbtgt/SERVERNAME@SERVERNAME

Confirm home directory creation:

$ pwd

Expected result:

/home/psmith

Enrolling Client Using Delegated Credentials

A role can be created that has the rights to enroll a client machine.

Create the Role

On the IPA server, create the role, add the privilege, then add our user to this role:

# ipa role-add --desc='Users who can enroll hosts' 'Enrollment Administrator'
# ipa role-add-privilege --privileges='Host Enrollment' 'enrollment administrator'
# ipa role-add-member --users=psmith 'enrollment administrator'
# ipa user-show psmith

Confirm that the user is in the role in the user-show output:

 Roles: enrollment administrator

Prepare the client machine

If you are going to use the same client machine as in the previous step, uninstall the IPA client with:

# ipa-client-install --uninstall -U

This should restore the configuration to its previous state. You can confirm with:

# getent passwd psmith

The user should not be found.

If you are using a new machine, install the IPA client program:

# yum install freeipa-client freeipa-admintools

In either case, destroy any Kerberos credentials there may be:

# kdestroy

Enroll as a delegated user

Install the client:

# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -p psmith

When prompted for an Enrollment password use psmith's password.

Expected result: a properly installed client

Confirm with:

# getent passwd psmith
# ipa user-show psmith

Enrolling Client Using Bulk Credentials

If you want to enroll a host without Kerberos credentials, you can pre-create the host and set a One-Time Password (OTP) on it. This password can then be used to enroll the host.

The same prerequisites apply.

Prepare the Client

If you are going to use the same client machine as in the previous step or steps, first unconfigure the client:

# ipa-client-install --uninstall -U

Create the Client Host entry

On the server, we need to create the host entry we're going to enroll.

First remove any existing entry there might be:

# ipa host-del client1.ipa.example.com

Now create the host entry:

# ipa host-add --random client1.ipa.example.com

We added the IP address of this client earlier, so you shouldn't get a DNS error about A records.

The output of this command will contain a random password. Save a copy of it; we'll need it later.

Enroll the Client with a Bulk password

Now on the client machine run the IPA client installer and pass in the bulk password created in the previous step:

# ipa-client-install --mkhomedir --server server.ipa.example.com --domain ipa.example.com -W

The installer should exit without error.

Test things out:

# getent passwd psmith
# kinit admin
# ipa user-show admin
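The checks this test case asks for, written as shell helpers so the expected results can be verified mechanically rather than by eye. This is an added example, not part of the wiki page or of FreeIPA itself; the function names are this example's own and the command output it runs against is constructed.

```shell
# Added example, not part of the original wiki page: shell helpers that check
# the results this test case expects, run here against constructed sample
# output so they work offline. Function names are this example's own.

# Pull the one-time password out of `ipa host-add --random` output, which
# prints it on a "Random password:" line. Reads stdin, prints the password.
otp_from_host_add() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Validate a `getent passwd` line for the enrolled user: the name matches,
# the home directory is /home/<user>, and the shell is a real login shell
# (a nologin/false shell would make the ssh step of the test fail).
check_passwd_line() {
    line=$1
    user=$2
    name=$(printf '%s' "$line" | cut -d: -f1)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    [ "$name" = "$user" ] || return 1
    [ "$home" = "/home/$user" ] || return 1
    case "$shell" in
        ""|*/nologin|*/false) return 1 ;;
    esac
    return 0
}

# Confirm klist output carries a TGT for the realm: krbtgt/REALM@REALM.
check_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Constructed sample output (not captured from a real server).
SAMPLE_HOST_ADD='Added host "client1.ipa.example.com"
  Host name: client1.ipa.example.com
  Random password: a1B2c3D4e5F6
  Password: True
  Keytab: False'
SAMPLE_PASSWD='psmith:x:1001:1001:psmith:/home/psmith:/bin/bash'
SAMPLE_KLIST='02/08/11 11:45:39  02/08/11 21:45:39  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM'

otp=$(printf '%s\n' "$SAMPLE_HOST_ADD" | otp_from_host_add)
echo "bulk enrollment password: $otp"
check_passwd_line "$SAMPLE_PASSWD" psmith && echo "passwd entry OK"
check_tgt "$SAMPLE_KLIST" IPA.EXAMPLE.COM && echo "TGT OK"
```

On a real client, feed the helpers the live output instead, e.g. `getent passwd psmith` and `klist`, after each enrollment variant above.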

Expected Results

All the test steps should end with the specified results.