QA:Testcase realmd join otp

From FedoraProject


Latest revision as of 08:27, 9 May 2013

Description

Join the current machine to an Active Directory domain using sssd as an AD client, using a one time password.

Setup

  1. Make sure you have other required software:
    • realmd 0.14.0 or later
    • adcli 0.7 or later
  2. Verify that your Active Directory domain access works, or set a domain up.
  3. You need a domain administrator account.
  4. Your machine must have a configured host name. Do not proceed if your host name is localhost or similar.
    $ hostname
    Make note of the host name.
  5. Remove the following packages, they should be installed by realmd as necessary.
    $ yum remove sssd samba-client
  6. Delete any existing computer account in the domain for this machine:
    $ adcli delete-computer -U AdminUser --domain=ad.example.com hostname
    It's fine if this command tells you the computer account doesn't exist.
  7. Precreate the computer account in the domain, and set a one time password.
    • You can use the adcli tool to create or reset the computer account:
      $ adcli preset-computer -U AdminUser --verbose --domain ad.example.com --one-time-password=MyPassword hostname
      Make sure the hostname is the same as the one returned above.

How to test

  1. Perform the join command.
    $ realm join --one-time-password=MyPassword ad.example.com
    Don't use --user to specify a domain account.
    On a successful join there will be no output.
    This can take up to a few minutes depending on how far away your Active Directory domain is.

Expected Results

  1. Check that the domain is now configured.
    $ realm list
    Make sure the domain is listed.
    Make sure you have a configured: kerberos-membership line in the output.
    Make note of the login-formats line for the next command.
  2. Check that you can resolve domain accounts on the local computer.
    $ getent passwd 'AD\User'
    Make sure to use the quotes around the user name.
    You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory, and a shell.
    Use the login-formats you saw above to build a remote user name. It will be in the form DOMAIN\User, where DOMAIN is the first part of your full Active Directory domain name.
  3. Check that you have an appropriate entry in your hosts keytab.
    $ sudo klist -k
    You should see several lines with your host name. For example: 2 HOSTNAME$@AD.EXAMPLE.COM
  4. Check that you can use your keytab with kerberos
    $ sudo kinit -k 'HOSTNAME$@AD.EXAMPLE.COM'
    Make sure to use quotes around the argument, because of the characters in there. Make sure the hostname and domain are capitalized.
    Use the principal from the output of the klist command above. Use the one that's capitalized and looks like HOSTNAME$@DOMAIN.
    There should be no output from this command.
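The four Expected Results checks above, written as shell functions that parse `realm list` and `klist -k` output. This is an added example, not part of the original test case; the two sample outputs are constructed, and the host name MYHOST and domain ad.example.com in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the original test case). The samples are constructed;
# MYHOST and ad.example.com are assumed values, not captured from a real host.

# Constructed sample of `realm list` output after a successful join.
REALM_LIST_SAMPLE='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-membership
  server-software: active-directory
  client-software: sssd
  login-formats: AD\%U
  login-policy: allow-realm-logins'

# Constructed sample of `sudo klist -k` output for the host keytab.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myhost.ad.example.com@AD.EXAMPLE.COM
   2 MYHOST$@AD.EXAMPLE.COM'

# Step 1: succeed only if the realm output carries a "configured: kerberos-membership" line.
realm_is_joined() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*configured: kerberos-membership$'
}

# Step 2: build the name for getent from the login-formats line ("%U" stands for the user).
# Assumes the user name contains no "/" or "&", which sed would treat specially.
realm_login_name() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*login-formats: //p' | sed "s/%U/$2/"
}

# Steps 3-4: pick the capitalized HOSTNAME$@DOMAIN principal, the one kinit -k should use.
keytab_host_principal() {
    printf '%s\n' "$1" | awk '$2 ~ /^[A-Z0-9-]+\$@[A-Z0-9.-]+$/ { print $2; exit }'
}

# Run the same checks on a live host (needs realmd, sssd and the host keytab); $1 is a domain user.
verify_join_live() {
    realm_out=$(realm list) || return 1
    realm_is_joined "$realm_out" || { echo 'not joined: no kerberos-membership line'; return 1; }
    getent passwd "$(realm_login_name "$realm_out" "$1")" >/dev/null || return 1
    princ=$(keytab_host_principal "$(sudo klist -k)")
    [ -n "$princ" ] && sudo kinit -k "$princ"
}
```

On a joined host, `verify_join_live User` exits non-zero at the first step that does not match the expected results.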

More: Try one time password again

You should not be able to use the one time password again.

To verify this, leave the domain using realm leave and then try the above How to test actions again. It should fail this time.

Troubleshooting

Use the --verbose argument to see details of what's being done during a join. Include verbose output in any bug reports.

$ realm join --verbose ad.example.com

If adcli preset-computer fails with '! The computer account <hostname -s> already exists', then you can delete the account with:

$ adcli delete-computer -U AdminUser --domain=ad.example.com <hostname -s>