From Fedora Project Wiki

Description

Test client re-enrollment using admin's credentials and backed up keytab.

Setup

  1. For this test, you'll need at least 2 machines. You should be able to restore at least one of them from a backup.

How to test

Create a server

Create an IPA server as described in QA:Testcase_freeipav3_installation. For the rest of the test case, we will refer to it as server.example.com.

Prepare the client

Backup the client machine

Create a backup of your client machine. This could be either a traditional full-disk backup or a snapshot. The ability to recreate the host using kickstart is also sufficient (the hostname needs to be preserved).

Enroll the client machine

Now enroll the client to the server as described in QA:Testcase_freeipav3_installation.

Re-enrollment using admin's credentials

Restore the client machine from the backup

Using your preferred method of backup, restore the client machine to its pre-enrollment state.

Re-enroll the client

First, we verify that the client host entry is not disabled on the server. The entry would have been disabled if we had used ipa-client-install --uninstall to unenroll the client.

# ssh server.example.com
# ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled: the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --force-join option is specified.

# ssh client.example.com
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U

Re-enrollment using backed-up keytab

Back up keytab file

Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine).

# scp /etc/krb5.keytab server.example.com:/root/client.keytab

Restore the client machine from the backup

Using your preferred method of backup, restore the client machine to its pre-enrollment state.

Copy the keytab file back to the client

Copy the client keytab file back from the secure location to the client machine.

# ssh server.example.com
# scp client.keytab client.example.com:/root/client.keytab

Re-enroll the client

First, we verify that the client host entry is not disabled on the server. The entry would have been disabled if we had used ipa-client-install --uninstall to unenroll the client.

# ssh server.example.com
# ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled: the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --keytab option is specified.

# ssh client.example.com
# yum install freeipa-client
# ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U
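
The two checks this procedure relies on (the host entry still reporting Keytab: True, and the restored keytab having been kept private) can be scripted. The following is an added example, not part of the original wiki page or of FreeIPA; the function names are hypothetical, the sample output is constructed, and its field layout other than "Keytab: True" is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the re-enrollment test (not FreeIPA code).
# Function names are hypothetical.

# Reads `ipa host-show` output on stdin; succeeds only if it reports
# "Keytab: True", i.e. the host entry still holds Kerberos keys.
# Real use on the server: ipa host-show client.example.com | host_has_keytab
host_has_keytab() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == "Keytab" { sub(/[ \t\r]+$/, "", $2); found = 1; ok = ($2 == "True") }
        END { exit !(found && ok) }
    '
}

# Succeeds only if the keytab is a non-empty regular file with no group or
# other permission bits. It holds the host's long-term Kerberos keys, so a
# copy readable by other users exposes the host identity.
keytab_is_private() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group + other bits of the mode string
    [ "$perms" = "------" ]
}

# Constructed sample output; the field layout other than "Keytab: True" is assumed.
sample_host_show() {
    cat <<'EOF'
  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Password: False
  Keytab: True
  Managed by: client.example.com
EOF
}

# Demo run against the constructed sample and a throwaway file.
if sample_host_show | host_has_keytab; then
    echo "host entry still has keys: re-enrollment can proceed"
fi
demo=$(mktemp) && printf 'constructed placeholder, not a real keytab' > "$demo"
chmod 644 "$demo"; keytab_is_private "$demo" || echo "refuse: keytab readable by group/other"
chmod 600 "$demo"; keytab_is_private "$demo" && echo "keytab permissions ok"
rm -f "$demo"
```

Run keytab_is_private /root/client.keytab on the client before passing the file to --keytab.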

Expected Results

All the test steps should end with the specified results.