From Fedora Project Wiki

Description

This test case precreates computer accounts in the domain with adcli preset-computer and then joins with adcli join, relying on the default automatic 'reset' computer account password.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. It is necessary to have complete domain DNS resolution working for this test.
  3. Test general adcli info functionality before doing this test.
  4. You'll need an administrative account in the domain.
  5. Choose a couple of computer names that are not yet in use on your domain.

How to test

  1. Use adcli to join the domain:
    $ adcli preset-computer --login-user=Administrator --domain=domain.example.com host1.example.com host2.example.com
    Replace the host names above with the computer names you chose.

Expected Results

The preset command should prompt for your admin password and then complete without error. It prints the names of the computer accounts it created.

The computer accounts should be able to authenticate with the automatically generated 'reset' password. This password is the short computer name printed above, in lower case:

$ kinit 'HOST1$@DOMAIN.EXAMPLE.COM'
Password for HOST1$@DOMAIN.EXAMPLE.COM: 
  • For the above computer name the password will be host1
  • Use a computer name printed above when doing this check.
  • Make sure to include the dollar and at signs, and everything upper case.

Next join automatically, using one of the host names:

$ adcli join --no-password --login-type=computer \
        --host-fqdn=host1.example.com --host-keytab=/tmp/host1.keytab \
        --domain=domain.example.com
  • There should be no password prompt above.
  • This should complete without error.
  • The join command will take a few seconds. It can take up to a minute in extreme cases where the domain controller for the domain is far away (latency wise).

The host keytab should contain new credentials for the host, like this (the KVNO, computer name and domain name will differ):

$ klist -k /tmp/host1.keytab
Keytab name: FILE:/tmp/host1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST1$@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/HOST1@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 HOST/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/HOST1@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM
   3 RestrictedKrbHost/host1.example.com@DOMAIN.EXAMPLE.COM

You should be able to authenticate using the keytab. When you run this command, you should not be prompted for a password and there should be no error message:

$ KRB5_KTNAME=/tmp/host1.keytab kinit -k 'HOST1$@DOMAIN.EXAMPLE.COM'

You should no longer be able to use the reset password to authenticate against the domain:

$ kinit 'HOST1$@DOMAIN.EXAMPLE.COM'
Password for HOST1$@DOMAIN.EXAMPLE.COM:
kinit: Preauthentication failed while getting initial credentials
  • The password here would have been host1
  • ... but it should no longer work. If it does, there is a problem.
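
The sequence of checks above, automated as a shell script. This is an added example, not part of the Fedora test case; it assumes MIT Kerberos (kinit reads the password from stdin when stdin is not a terminal) and a computer account already preset with adcli preset-computer. Because the reset password is derived from the computer name, the check that matters most is the last one: after the join, that password must be refused.

```shell
#!/bin/sh
# Added example (not from the Fedora test case). Assumes MIT Kerberos and an
# account preset with adcli preset-computer. Usage:
#   ./check.sh host1.example.com domain.example.com /tmp/host1.keytab
# Default "reset" password: the short computer name in lower case.
reset_password() {
    printf '%s' "${1%%.*}" | tr '[:upper:]' '[:lower:]'
}
# Computer account principal: short name upper case, trailing $, upper-case realm.
computer_principal() {
    local short realm
    short=$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s' "$short" "$realm"
}
# Reads `klist -k` output on stdin and checks that every principal form the join
# writes is present: HOST$, HOST/SHORT, HOST/fqdn and the RestrictedKrbHost pair.
keytab_has_principals() {
    local fqdn realm short found p
    fqdn=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    short=$(printf '%s' "${fqdn%%.*}" | tr '[:lower:]' '[:upper:]')
    found=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')   # principal column of entry lines
    for p in "$short\$@$realm" "HOST/$short@$realm" "HOST/$fqdn@$realm" \
             "RestrictedKrbHost/$short@$realm" "RestrictedKrbHost/$fqdn@$realm"; do
        printf '%s\n' "$found" | grep -qxF -- "$p" || { echo "missing keytab entry: $p" >&2; return 1; }
    done
}
# Live sequence: needs the preset account, working DNS and adcli (not offline).
run_checks() {
    local fqdn domain keytab princ pw
    fqdn=$1; domain=$2; keytab=$3
    princ=$(computer_principal "$fqdn" "$domain")
    pw=$(reset_password "$fqdn")
    # 1. Before the join the well-known reset password must be accepted.
    printf '%s\n' "$pw" | kinit "$princ" >/dev/null || { echo "FAIL: reset password rejected before join"; return 1; }
    # 2. Join as the computer itself; no password prompt is expected.
    adcli join --no-password --login-type=computer --host-fqdn="$fqdn" \
        --host-keytab="$keytab" --domain="$domain" || { echo "FAIL: adcli join"; return 1; }
    # 3. The keytab must carry all expected principals and must authenticate.
    klist -k "$keytab" | keytab_has_principals "$fqdn" "$domain" || { echo "FAIL: keytab incomplete"; return 1; }
    KRB5_KTNAME=$keytab kinit -k "$princ" || { echo "FAIL: keytab authentication"; return 1; }
    # 4. The join rotated the password, so the reset password must now be refused.
    if printf '%s\n' "$pw" | kinit "$princ" >/dev/null 2>&1; then
        echo "FAIL: reset password still valid after join"; return 1
    fi
    echo "PASS: $princ"
}
if [ $# -eq 3 ]; then run_checks "$@"; fi
```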

Cleanup

Cleanup after this test case is simple.

# rm -f /etc/krb5.keytab
# adcli delete-computer --domain-controller=10.10.10.10 --domain=domain.example.com <hostname -s>

More: Use Windows to Precreate

  • Use the Active Directory Users and Computers to create a new computer account in the domain.
  • Right click on the new computer account and choose Reset Account.
  • You should now have a preset computer account with the default account password, just as if you had used adcli preset-computer above, and kinit and adcli should be able to interact with it in the same way.

Troubleshooting

  • Use the --verbose argument to provide output when troubleshooting or reporting bugs.
  • In the kinit lines above, make sure you have the dollar sign, are using the short computer name, and have everything capitalized as expected.