From Fedora Project Wiki

Revision as of 14:03, 15 April 2015 by Sgallagh (talk | contribs) (Domain controller FQDN must be resolvable by the client.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Associated release criterion
This test case is associated with the Fedora_41_Beta_Release_Criteria#cockpit-management-interface release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


This test case checks that a system can be enrolled in a FreeIPA or Active Directory domain ('realm') using Cockpit.


  1. Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
    QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
    QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
    QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
  2. Follow QA:Testcase_Server_cockpit_default to deploy Fedora Server on the test client and ensure Cockpit is enabled and accessible
  3. The client must be capable of resolving the FreeIPA or Active Directory servers by FQDN. The easiest method of accomplishing this is to use Cockpit to modify the default DNS server address to be the IP address of the domain controller. If the domain controller is not running a DNS server, the alternative is to modify /etc/hosts on the client to contain the appropriate IP address for the domain controller FQDN.

How to test

  1. Log in to Cockpit with the root account or an administrative user account, and select the system from the host list
  2. Select System Information
  3. Click Join Domain
  4. Enter correct configuration and credentials for the domain

Expected Results

  1. Check that the domain is now configured: realm list
    Make sure the domain is listed
    Make sure you have a configured: kerberos-member line in the output
  2. Check that you can resolve domain accounts on the local computer
    For Active Directory:
    getent passwd 'DOMAIN\User' (DOMAIN is the netbios name, usually the first portion of the domain name, e.g. AD or SAMDOM; make sure to use the single quotes)
    For FreeIPA:
    getent passwd admin@domain (domain is the fully-qualified FreeIPA domain name, e.g. example.ipa)
    You should see an output line that looks like passwd output. It should contain an appropriate home directory, and a shell
  3. Check that you have an appropriate entry in your host's keytab: su -c 'klist -k'
    You should see several lines with your host name. For example 1 host/$hostname$@FQDN
  4. Check that you can use your keytab with kerberos: su -c 'kinit -k (principal)'
    Replace (principal) with the principal from the output of the klist command above. Use the one with the domain capitalized and that looks like host/hostname@DOMAIN) (FreeIPA) or TRUNCATED_HOSTNAME$@DOMAIN (Active Directory)
    There should be no output from this command
  5. If you are testing FreeIPA and have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section
  6. If you have are testing Active Directory and have console access to the domain controller, you can use the Active Directory Users and Computers tool to see if that the computer account was created under the Computers section
  7. Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.