From Fedora Project Wiki

(Initial draft)
 
mNo edit summary
Line 4: Line 4:
# For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.
# For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.
|actions=
|actions=
#### Create a server
=== Create a server ===


Create an IPA server as described in  
Create an IPA server as described in  
For the rest of test case, we will refer to it as server.example.com
For the rest of test case, we will refer to it as server.example.com


#### Prepare the client
=== Prepare the client ===


### Backup the client machine
==== Backup the client machine ====


Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).
Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).


### Enroll the client machine
==== Enroll the client machine ====


Now enroll the client to the server as described in
Now enroll the client to the server as described in
https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation#Add_a_client
<https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation#Add_a_client>


#### Re-enrollment using admin's credentials
=== Re-enrollment using admin's credentials ===


### Restore the client machine from the backup
==== Restore the client machine from the backup ====


Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Using your preferred method of backup, restore the client machine back to pre-enrollment state.


### Re-enroll the client
==== Re-enroll the client ====


First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
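Review bot: the converted line "Create an IPA server as described in" under "=== Create a server ===" still ends without a link target on both sides of the diff, so the tester has no reference for the server setup. Add the missing link before the "For the rest of test case" sentence, the same way the "Enroll the client machine" step links to QA:Testcase_freeipav3_installation#Add_a_client.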
Line 41: Line 41:
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U


#### Re-enrollment using backed-up keytab
=== Re-enrollment using backed-up keytab ===


### Back up keytab file
==== Back up keytab file ====


Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine)
Copy the client keytab file from [/etc/krb5.keytab](file:///etc/krb5.keytab) to a secure location (e.g. to the server machine)


# scp /etc/krb5.keytab server.example.com:/root/client.keytab
# scp [/etc/krb5.keytab](file:///etc/krb5.keytab) server.example.com:/root/client.keytab


### Restore the client machine from the backup
==== Restore the client machine from the backup ====


Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Using your preferred method of backup, restore the client machine back to pre-enrollment state.


### Copy the keytab file back to the client
==== Copy the keytab file back to the client ====


Copy the client keytab file back from the secure location to the client machine.
Copy the client keytab file back from the secure location to the client machine.
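Review bot: in the "Back up keytab file" step the new side wraps /etc/krb5.keytab in a file:/// link, including inside the scp command, so the command can no longer be copied as typed. Keep the path as plain text in both the sentence and the command line.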
Line 60: Line 60:
# scp client.keytab client.example.com:/root/client.keytab
# scp client.keytab client.example.com:/root/client.keytab


### Re-enroll the client
=== Re-enroll the client ===


First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
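Review bot: the last heading is converted to "=== Re-enroll the client ===", one level higher than its sibling step in this section ("==== Copy the keytab file back to the client ====") and than the same step in the admin-credentials section ("==== Re-enroll the client ===="). Use "==== Re-enroll the client ====" so the step stays nested under "Re-enrollment using backed-up keytab".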

Revision as of 11:53, 11 April 2013

Description

Test client re-enrollment using admin's credentials and backed up keytab.

Setup

  1. For this test, you'll need at least 2 machines. You should be able to restore at least one of them from a backup.

How to test

Create a server

Create an IPA server as described in For the rest of the test case, we will refer to it as server.example.com.

Prepare the client

Backup the client machine

Create a backup of your client machine. This could be either a traditional full-disk backup or a snapshot. The ability to recreate the host using kickstart is also sufficient (the hostname needs to be preserved).

Enroll the client machine

Now enroll the client to the server as described in <https://fedoraproject.org/wiki/QA:Testcase_freeipav3_installation#Add_a_client>

Re-enrollment using admin's credentials

Restore the client machine from the backup

Using your preferred backup method, restore the client machine to its pre-enrollment state.

Re-enroll the client

First, we verify that the client host entry is not disabled on the server. It would have been disabled if we had used ipa-client-install --uninstall to unenroll the client.

  1. ssh server.example.com
  2. ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled and the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --force-join option is specified.

  1. ssh client.example.com
  2. yum install freeipa-client
  3. ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U

Re-enrollment using backed-up keytab

Back up keytab file

Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine)

  1. scp /etc/krb5.keytab server.example.com:/root/client.keytab

Restore the client machine from the backup

Using your preferred backup method, restore the client machine to its pre-enrollment state.

Copy the keytab file back to the client

Copy the client keytab file back from the secure location to the client machine.

  1. ssh server.example.com
  2. scp client.keytab client.example.com:/root/client.keytab

Re-enroll the client

First, we verify that the client host entry is not disabled on the server. It would have been disabled if we had used ipa-client-install --uninstall to unenroll the client.

  1. ssh server.example.com
  2. ipa host-show client.example.com

You should be able to see the client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled and the client is still enrolled from the server's point of view.

Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, except that the --keytab option is specified.

  1. ssh client.example.com
  2. yum install freeipa-client
  3. ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U
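
The checks in both re-enrollment procedures can be scripted before ipa-client-install is run. The following is an added example, not part of the original test case: the function names and the sample `ipa host-show` output are constructed for illustration, and it assumes GNU stat as shipped on Fedora.

```sh
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks for re-enrollment.
# Function names and the sample output below are constructed for illustration.

# Constructed `ipa host-show client.example.com` output (trimmed).
SAMPLE_ENROLLED='  Host name: client.example.com
  Principal name: host/client.example.com@EXAMPLE.COM
  Keytab: True'
SAMPLE_DISABLED='  Host name: client.example.com
  Keytab: False'

# Succeeds only if the host-show output on stdin reports "Keytab: True".
host_is_enrolled() {
    awk -F': *' '
        $1 ~ /^[ \t]*Keytab$/ { sub(/[ \t\r]+$/, "", $2); ok = ($2 == "True") }
        END { exit !ok }'
}

# The keytab holds the host's long-term Kerberos keys: require a regular,
# non-symlink file that only its owner can read (GNU stat syntax).
keytab_perms_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Copy a keytab with owner-only permissions and verify the copy byte for byte.
stage_keytab() {
    ( umask 077 && cp -- "$1" "$2" ) && chmod 600 "$2" && cmp -s "$1" "$2"
}

# Print which procedure from the page applies: "keytab", "force-join",
# or "precondition-failed" when the host entry no longer has keys.
# $1 = host-show output, $2 = path to the restored keytab
reenroll_method() {
    printf '%s\n' "$1" | host_is_enrolled || { echo precondition-failed; return 1; }
    if keytab_perms_ok "$2"; then echo keytab; else echo force-join; fi
}
```

On a real client, pass the output of `ipa host-show client.example.com` captured on the server and the path /root/client.keytab to reenroll_method.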

Expected Results

All the test steps should end with the specified results.