URL: https://github.com/freeipa/freeipa/pull/5434 Author: wladich Title: #5434: ipatests: use fully qualified name for AD admin when establishing trust Action: opened
PR body: """ Changes in https://pagure.io/freeipa/issue/8655 made it impossible to use AD admin name without domain part in "ipa trust-add" command to establish external trust with an AD tree domain. Also use fully qualified admin name by default in all trust related tests to reduce ambiguity. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5434/head:pr5434 git checkout pr5434
From 7a50b6e4273bad77b46d44ad9d0a7d84d0af43ac Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sor...@redhat.com>
Date: Fri, 15 Jan 2021 14:51:48 +0100
Subject: [PATCH] ipatests: use fully qualified name for AD admin when establishing trust
Changes in https://pagure.io/freeipa/issue/8655 made it impossible to use AD admin name without domain part in "ipa trust-add" command to establish external trust with an AD tree domain. Also use fully qualified admin name by default in all trust related tests to reduce abiguity
---
ipatests/pytest_ipa/integration/tasks.py | 9 +++++++--
ipatests/test_integration/test_trust.py | 15 ++++++++-------
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index a1d0575ab80..4c241de7bd3 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -635,7 +635,7 @@ def unconfigure_windows_dns_for_trust(ad, master): ad.run_command(['dnscmd', '/zonedelete', master.domain.name, '/f']) -def establish_trust_with_ad(master, ad_domain, extra_args=(), +def establish_trust_with_ad(master, ad_domain, ad_admin=None, extra_args=(), shared_secret=None): """ Establishes trust with Active Directory. Trust type is detected depending
@@ -643,6 +643,9 @@ def establish_trust_with_ad(master, ad_domain, extra_args=(), Use extra arguments to pass extra arguments to the trust-add command, such as --range-type="ipa-ad-trust" to enforce a particular range type. + + If ad_admin is not provided, name will be constructed as + "Administrator@<ad_domain>". """ # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
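Review bot: Inserting `ad_admin=None` between `ad_domain` and `extra_args` in the signature of `establish_trust_with_ad` shifts the positional slots, so any caller that passes `extra_args` or `shared_secret` positionally would now bind that value to `ad_admin` instead. The callers are not visible in this patch, so this may be harmless today, but appending the new parameter keeps every existing call shape valid: `def establish_trust_with_ad(master, ad_domain, extra_args=(), shared_secret=None, ad_admin=None):`. The function body continues outside this hunk.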
@@ -660,7 +663,9 @@ def establish_trust_with_ad(master, ad_domain, extra_args=(), extra_args += ['--trust-secret'] stdin_text = shared_secret else: - extra_args += ['--admin', 'Administrator', '--password'] + if ad_admin is None: + ad_admin = 'Administrator@{}'.format(ad_domain) + extra_args += ['--admin', ad_admin, '--password'] stdin_text = master.config.ad_admin_password run_repeatedly( master, ['ipa', 'trust-add', '--type', 'ad', ad_domain] + extra_args,
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 86cdcd17abc..044ff722101 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -461,7 +461,7 @@ def test_invalid_range_types(self): result = self.master.run_command( ['ipa', 'trust-add', '--type', 'ad', self.ad_domain, - '--admin', 'Administrator', + '--admin', 'Administrator@' + self.ad_domain, '--range-type', range_type, '--password'], raiseonerr=False, stdin_text=self.master.config.ad_admin_password)
@@ -512,8 +512,8 @@ def test_establish_nonexternal_subdomain_trust(self): result = self.master.run_command([ 'ipa', 'trust-add', '--type', 'ad', self.ad_subdomain, - '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' + '--admin', 'Administrator@' + self.ad_subdomain, + '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False)
@@ -564,8 +564,8 @@ def test_establish_nonexternal_treedomain_trust(self): result = self.master.run_command([ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, - '--admin', - 'Administrator', '--password', '--range-type', 'ipa-ad-trust' + '--admin', 'Administrator@' + self.ad_treedomain, + '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False)
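Review bot: In `establish_trust_with_ad`, `ad_admin` is only read in the `else` branch, so a caller that supplies both `shared_secret` and `ad_admin` has the admin name dropped without any signal. The docstring added in the previous hunk describes only the default value; I would extend it with `ad_admin is ignored when shared_secret is given.`, or reject the combination with a `ValueError` in the branch that appends `--trust-secret`. The enclosing function starts and ends outside this hunk.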
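Review bot: The expression `'Administrator@' + <domain>` is written out by hand in `test_invalid_range_types`, and again in `test_establish_nonexternal_subdomain_trust`, `test_establish_nonexternal_treedomain_trust` and `test_server_option_with_unreachable_ad`, while `tasks.establish_trust_with_ad` builds the same default with `'Administrator@{}'.format(ad_domain)`. If the account name or the qualification rule changes again, five places have to be edited and the tests can drift from the helper. One small function in tasks.py that returns `'Administrator@{}'.format(ad_domain)`, called from all of these sites, would keep the convention in a single place. The test bodies start and end outside their hunks.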
@@ -774,8 +774,9 @@ def test_server_option_with_unreachable_ad(self): # Check that trust can not be established without --server option # This checks that our setup is correct result = self.master.run_command( - ['ipa', 'trust-add', self.ad.domain.name, - '--admin', 'Administrator', '--password'], raiseonerr=False, + ['ipa', 'trust-add', self.ad_domain, + '--admin', 'Administrator@' + self.ad_domain, '--password'], + raiseonerr=False, stdin_text=self.master.config.ad_admin_password) assert result.returncode == 1 assert 'CIFS server communication error: code "3221225653", ' \