mNo edit summary |
mNo edit summary |
||
| Line 6: | Line 6: | ||
=== Create a server === | === Create a server === | ||
Create an IPA server as described in | Create an IPA server as described in [[QA:Testcase_freeipav3_installation]]. | ||
For the rest of test case, we will refer to it as server.example.com | For the rest of test case, we will refer to it as server.example.com | ||
| Line 17: | Line 17: | ||
==== Enroll the client machine ==== | ==== Enroll the client machine ==== | ||
Now enroll the client to the server as described in | Now enroll the client to the server as described in [[QA:Testcase_freeipav3_installation]]. | ||
=== Re-enrollment using admin's credentials === | === Re-enrollment using admin's credentials === | ||
| Line 30: | Line 29: | ||
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. | First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. | ||
# ssh server.example.com | # ssh server.example.com | ||
# ipa host-show client.example.com | # ipa host-show client.example.com | ||
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view. | You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view. | ||
| Line 37: | Line 36: | ||
Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified. | Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified. | ||
# ssh client.example.com | # ssh client.example.com | ||
# yum install freeipa-client | # yum install freeipa-client | ||
# ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U | # ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U | ||
=== Re-enrollment using backed-up keytab === | === Re-enrollment using backed-up keytab === | ||
| Line 45: | Line 44: | ||
==== Back up keytab file ==== | ==== Back up keytab file ==== | ||
Copy the client keytab file from | Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine) | ||
# scp | # scp /etc/krb5.keytab server.example.com:/root/client.keytab | ||
==== Restore the client machine from the backup ==== | ==== Restore the client machine from the backup ==== | ||
| Line 57: | Line 56: | ||
Copy the client keytab file back from the secure location to the client machine. | Copy the client keytab file back from the secure location to the client machine. | ||
# ssh server.example.com | # ssh server.example.com | ||
# scp client.keytab client.example.com:/root/client.keytab | # scp client.keytab client.example.com:/root/client.keytab | ||
=== Re-enroll the client === | === Re-enroll the client === | ||
| Line 64: | Line 63: | ||
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. | First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client. | ||
# ssh server.example.com | # ssh server.example.com | ||
# ipa host-show client.example.com | # ipa host-show client.example.com | ||
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view. | You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view. | ||
| Line 71: | Line 70: | ||
Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified. | Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified. | ||
# ssh client.example.com | # ssh client.example.com | ||
# yum install freeipa-client | # yum install freeipa-client | ||
# ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U | # ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U | ||
|results= | |results= | ||
All the test steps should end with the specified results. | All the test steps should end with the specified results. | ||
}} | }} | ||
Revision as of 11:56, 11 April 2013
Description
Test client re-enrollment using admin's credentials and backed up keytab.
Setup
- For this test, you'll need at least 2 machines. You should be capable of restoring of at least one of one of those from the backup.
How to test
Create a server
Create an IPA server as described in QA:Testcase_freeipav3_installation. For the rest of test case, we will refer to it as server.example.com
Prepare the client
Backup the client machine
Create a backup of your client machine. This could be either traditional full-disk backup or a snapshot. Ability to recreate the host using kickstart is also sufficient (hostname needs to be preserved).
Enroll the client machine
Now enroll the client to the server as described in QA:Testcase_freeipav3_installation.
Re-enrollment using admin's credentials
Restore the client machine from the backup
Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Re-enroll the client
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
# ssh server.example.com # ipa host-show client.example.com
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
Now we re-enroll the client using the --force-join option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --force-join option is specified.
# ssh client.example.com # yum install freeipa-client # ipa-client-install --domain=example.com --server=server.example.com -p admin -w Secret123 --force-join -U
Re-enrollment using backed-up keytab
Back up keytab file
Copy the client keytab file from /etc/krb5.keytab to a secure location (e.g. to the server machine)
# scp /etc/krb5.keytab server.example.com:/root/client.keytab
Restore the client machine from the backup
Using your preferred method of backup, restore the client machine back to pre-enrollment state.
Copy the keytab file back to the client
Copy the client keytab file back from the secure location to the client machine.
# ssh server.example.com # scp client.keytab client.example.com:/root/client.keytab
Re-enroll the client
First, we verify that client host entry is not disabled on the server. This would have happend if we used ipa-client-install --uninstall to unenroll the client.
# ssh server.example.com # ipa host-show client.example.com
You should be able to see client certificate and Kerberos keys enabled (Keytab: True). That means the client host entry is not disabled, the client is still enrolled from the server's point of view.
Now we re-enroll the client using the --keytab option for ipa-client-install. The procedure is the same as in the usual client enrollment, only --keytab option is specified.
# ssh client.example.com # yum install freeipa-client # ipa-client-install --domain=example.com --server=server.example.com --keytab /root/client.keytab -U
Expected Results
All the test steps should end with the specified results.