From Fedora Project Wiki

m (Adamwill moved page QA:Testcase FreeIPA control center to QA:Testcase gnome-control-center domain join: better name to reflect freeipa/AD agnosticism)
(4 intermediate revisions by 3 users not shown)

Earlier revision (wikitext):

{{QA/Test_Case
|description=Set up a FreeIPA domain account login via the GNOME Control Center.
|setup=
This test has several gotchas in Fedora 19 Alpha. Please review the Troubleshooting section below before continuing.
# You need control-center version 3.6.x or later.
# You need a configured FreeIPA domain. The realm name must match the domain name (upper-cased).
# You need a FreeIPA domain user account, an administrator account, or both. If you have both, enter the user account as the user you're going to add below.
# Your machine must have a configured host name. Do not proceed if your host name is <code>localhost</code> or similar.
#: <pre>$ hostname</pre>
# Make sure you have [https://admin.fedoraproject.org/updates/realmd-0.13.3-2.fc19 realmd 0.13.3-2] or later installed.
#: <pre>$ yum list realmd</pre>
# Make sure you have [http://koji.fedoraproject.org/koji/buildinfo?buildID=412505 selinux-policy-3.12.1-32] or later installed.
#: <pre>$ yum list selinux-policy</pre>
# Remove the following packages; realmd installs them as necessary.
#: <pre>$ sudo yum remove freeipa-client</pre>
# Make sure you are not joined to a domain. Use <code>realm list</code> to check, and <code>realm leave</code> to leave.
|actions=
# Run <code>gnome-control-center</code> from a terminal.
# Choose the ''Users'' panel.
# Click the ''Unlock'' button.
#: You should get a PolicyKit authorization prompt.
# Click the add [+] button in the lower left.
# Choose the ''Enterprise login'' pane.
# Enter an invalid domain, invalid user, and invalid password for the account.
#: Click on ''Add''. You should see a problem icon on the domain.
# Enter the valid domain, invalid user, and invalid password for the account.
#: Click on ''Add''. You should see a problem icon on the user.
# Enter the valid domain, valid user, and invalid password for the account.
#: Click on ''Add''. You should see a problem icon on the password.
# Enter the right password.
# Click on ''Add''.
#: If you use a non-administrative user, you should be prompted for administrative credentials.
|results=
# The user should now be listed in the ''User Accounts'' panel of the GNOME Control Center.
# Check that the domain is now configured.
#: <pre>$ realm list</pre>
#: Make sure the domain is listed.
#: Make sure you have a <code>configured: kerberos-member</code> line in the output.
#: Make note of the <code>login-formats</code> line for the next command.
# Check that you can resolve domain accounts on the local computer.
#: <pre>$ getent passwd 'user@domain'</pre>
#: Make sure to use the quotes around the user name.
#: You should see an output line that looks like passwd(5) output. It should contain an appropriate home directory and a shell.
#: Use the <code>login-formats</code> value you saw above to build the remote user name. It will be of the form <code>user@domain</code>, where domain is your full FreeIPA domain name.
# Check that you have an appropriate entry in your host's keytab.
#: <pre>sudo klist -k</pre>
#: You should see several lines, with your host name, that look like <code>2 host/host.example.com$@IPA.EXAMPLE.COM</code>
# Check that you can use your keytab with Kerberos.
#: <pre>sudo kinit -k host/host.example.com@IPA.EXAMPLE.COM</pre>
#: Make sure the host name and domain are capitalized and specified exactly as in the <code>klist</code> output above.
#: There should be no output from this command.
# The user should show up here:
#: <pre>$ realm list</pre>
#: Look at the <code>permitted-logins:</code> line.
#: You should also see <code>login-policy: allow-permitted-logins</code>.
# Go to GDM by logging out, or by ''Switch User'' from the user menu.
# Choose the ''Not Listed?'' option.
#: Verify that you can see the short name listed with a hint as to how to log in.
# Type <code>user@domain</code> in the box.
#: The case of the domain and user should not matter, but they are separated by an at sign.
#: The domain part is the entire domain name of your FreeIPA domain.
# Type the user's domain password, and press enter.
# You should be logged into a Fedora Desktop.
}}

== Troubleshooting ==

* You can see verbose output in the terminal that you started gnome-control-center from.

* {{bz|952830}} If you see '''SELinux issues''', it's because you don't have [http://koji.fedoraproject.org/koji/buildinfo?buildID=412505 selinux-policy-3.12.1-32] or later.
** Please do this, and report all AVCs to the above bug:
<pre>
$ sudo setenforce permissive
... do the test
$ sudo grep realmd /var/log/audit/audit.log
</pre>

* {{bz|953445}} If you see the message '''Decrypt integrity check failed''', that means you typed the wrong password. It is a bug that this message is displayed directly rather than the password field merely being flagged.

* {{bz|953453}} If you see the message '''No user with the name user@domain found''', this is because 'sss' was not in your <code>/etc/nsswitch.conf</code> when the tests were started.
** A newly installed system will have this present. However, <code>ipa-client-install --uninstall</code> incorrectly removes it.
** This may have happened if you ran earlier tests that performed this command.
** ''Workaround'': the relevant lines in <code>/etc/nsswitch.conf</code> have 'sss' on them by default. You can restore the default file by doing the following, and then running through the tests again:
<pre>$ sudo mv /etc/nsswitch.conf /etc/nsswitch.conf.bak
$ sudo yum reinstall glibc
$ sudo shutdown -r now</pre>

* XDGBZ #[https://bugs.freedesktop.org/show_bug.cgi?id=61858 61858] The <code>realm list</code> output after joining says <code>allow-realm-logins</code> instead of <code>allow-permitted-logins</code>, and there is no <code>permitted-logins</code> line. This is a known issue; a patch is ready upstream but not yet merged.

* {{bz|953174}} '''No login hint in the 'Not Listed?' GDM screen''' is a known issue and is tracked by this bug.

* {{bz|953477}} '''Cannot log in using GDM''': GDM or some part of the GNOME session appears to have problems when the user name contains an @ symbol.

[[Category:FreeIPA_Test_Cases]] [[Category:realmd_Test_Cases]]

Latest revision as of 00:21, 26 November 2014

Description

Enrol the system in an Active Directory or FreeIPA domain using the GNOME Control Center.

Setup

  1. Deploy a correctly-configured FreeIPA or Active Directory domain controller. You can follow:
    QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
    QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
    QA:Testcase_Active_Directory_Setup to deploy an Active Directory domain controller
  2. Create at least one domain account, either a user or an administrator. It's useful to test with both.
  3. Ensure the test client has a fully-qualified hostname (e.g. client.example.com). Do not proceed if running hostname returns localhost or similar
  4. Ensure GNOME is installed on the test client

How to test

  1. Open the GNOME Control Center (e.g. by clicking on the top-right menu and then clicking the screwdriver/wrench icon, or by running gnome-control-center from a terminal - this will allow you to see debugging output)
  2. Choose the Users panel
  3. Click the Unlock button, if present
    You should get a PolicyKit authorization prompt.
  4. Click the add [+] button in the lower left
  5. Choose the Enterprise login pane
  6. Enter an invalid domain, invalid user, and invalid password for the account
    Click on Add. You should see a problem icon on the domain.
  7. Enter the valid domain, invalid user, and invalid password for the account
    Click on Add. You should see a problem icon on the user.
  8. Enter the valid domain, valid user, and invalid password for the account
    Click on Add. You should see a problem icon on the password.
  9. Enter the right password
  10. Click on Add
    If you use a non-administrative user, you should be prompted for administrative credentials.

Expected Results

  1. The user should now be listed in the User Accounts panel of the GNOME Control Center
  2. Check that the domain is now configured: realm list
    Make sure the domain is listed
    Make sure you have a configured: kerberos-member line in the output
  3. Check that you can resolve domain accounts on the local computer
    For Active Directory:
    getent passwd 'DOMAIN\User' (DOMAIN is the netbios name, usually the first portion of the domain name, e.g. AD or SAMDOM; make sure to use the single quotes)
    For FreeIPA:
    getent passwd admin@domain (domain is the fully-qualified FreeIPA domain name, e.g. example.ipa)
    You should see an output line that looks like passwd output. It should contain an appropriate home directory, and a shell
  4. Check that you have an appropriate entry in your host's keytab: su -c 'klist -k'
    You should see several lines with your host name. For example 1 host/$hostname$@FQDN
  5. Check that you can use your keytab with kerberos: su -c 'kinit -k (principal)'
    Replace (principal) with the principal from the output of the klist command above. Use the one with the domain capitalized, which looks like host/hostname@DOMAIN (FreeIPA) or TRUNCATED_HOSTNAME$@DOMAIN (Active Directory)
    There should be no output from this command
  6. If you are testing FreeIPA and have set up the FreeIPA Web UI, you can use it to see that the computer account was created under the Hosts section
  7. If you are testing Active Directory and have console access to the domain controller, you can use the Active Directory Users and Computers tool to see that the computer account was created under the Computers section
  8. Optionally, move on to QA:Testcase_domain_client_authenticate to ensure you can log in with a domain account.
  9. Go to GDM by logging out, or by Switch User from the user menu
  10. Choose the Not Listed? option
    Verify that you can see the short name listed with a hint as to how to log in
  11. Type user@domain in the box
    The case of the domain and user should not matter, but they are separated by the @ sign
    The domain part is the entire FreeIPA / AD domain name
  12. Type the user domain password, and press enter
  13. You should be logged into a Fedora Desktop.
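The post-enrolment checks in expected results 2 to 5 (and the equivalent checks in the earlier revision), gathered into one script as an added example; it is not part of the wiki test case. The function names, the script name check_enrol.sh and the sample outputs in the comments are mine, and the script assumes realmd prints the login format with a %U placeholder (e.g. %U@ipa.example.com).

```shell
#!/bin/sh
# Post-enrolment checks for a realmd-joined client (added example, not the wiki's own).
# Each check is a function that takes captured command output as its argument, so the
# parsing can be tried on sample text; "main" runs the live commands. Assumption:
# realmd prints the login format with a %U placeholder, e.g. "%U@ipa.example.com".

# 0 if `realm list` output contains a "configured: kerberos-member" line.
realm_is_member() {
    printf '%s\n' "$1" | grep -q '^ *configured: kerberos-member$'
}

# The value of the first login-formats line in `realm list` output.
realm_login_format() {
    printf '%s\n' "$1" | sed -n 's/^ *login-formats: *//p' | head -n 1
}

# Substitute the user name into the login format: login_name '%U@dom' alice.
login_name() {
    printf '%s\n' "$1" | sed "s/%U/$2/"
}

# The host principal for this machine from `klist -k` output (FreeIPA form
# host/fqdn@REALM); column 1 of klist -k is the key version number, column 2 the principal.
host_principal() {
    printf '%s\n' "$1" | awk -v h="$2" '$2 ~ ("^host/" h "@") { print $2; exit }'
}

# 0 if a passwd(5) line has a non-empty home directory (field 6) and shell (field 7).
passwd_line_ok() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 && $6 != "" && $7 != "" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Live run against this machine: sh check_enrol.sh run <domain user>
main() {
    out=$(realm list) || { echo "realm list failed"; exit 1; }
    realm_is_member "$out" || { echo "domain is not configured as kerberos-member"; exit 1; }
    user=$(login_name "$(realm_login_format "$out")" "${1:?domain user name required}")
    line=$(getent passwd "$user") || { echo "cannot resolve $user via getent"; exit 1; }
    passwd_line_ok "$line" || { echo "entry lacks a home directory or shell: $line"; exit 1; }
    princ=$(host_principal "$(sudo klist -k)" "$(hostname)")
    [ -n "$princ" ] || { echo "no host/$(hostname) principal in the keytab"; exit 1; }
    sudo kinit -k "$princ" && echo "enrolment checks passed for $user ($princ)"
}

if [ "${1:-}" = run ]; then shift; main "$@"; fi
```

Run it as a non-root user with sudo available; the functions can also be sourced and fed saved `realm list` or `klist -k` output to check a transcript from another machine.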