URL: https://github.com/SSSD/sssd/pull/5689 Author: jakub-vavra-cz Title: #5689: Tests: Add tests ported from bash for AD Parameters Domain Action: synchronized
From 7a712ad61f9225c60ca9bcced351cf3a38d80c22 Mon Sep 17 00:00:00 2001 From: Dan Lavu <dl...@redhat.com> Date: Sat, 19 Dec 2020 15:50:32 -0500 Subject: [PATCH 1/3] Adding multihost test for supporting asymmetric nsupdate auth * https://bugzilla.redhat.com/show_bug.cgi?id=1884301 --- src/tests/multihost/ipa/conftest.py | 39 +++++++++++++++++++++-- src/tests/multihost/ipa/test_misc.py | 47 ++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 2 deletions(-) diff --git a/src/tests/multihost/ipa/conftest.py b/src/tests/multihost/ipa/conftest.py index 446c087311..f65ae765d3 100644 --- a/src/tests/multihost/ipa/conftest.py +++ b/src/tests/multihost/ipa/conftest.py @@ -61,7 +61,38 @@ def remove_ad_user_group(): ad.delete_ad_user_group(ad_user) request.addfinalizer(remove_ad_user_group) - return (ad_user, ad_group) + return ad_user, ad_group + + +@pytest.fixture(scope="function") +def create_reverse_zone(session_multihost, request): + """ Creates reverse zone """ + client_ip = session_multihost.client[0].ip + subnet = client_ip.split(".", 3) + del subnet[-1] + subnet.reverse() + zone = '.'.join(subnet) + '.in-addr.arpa.' + policy = 'grant * tcp-self * PTR' + + cmd_createzone = 'ipa dnszone-add %s ' \ + '--dynamic-update=true ' \ + '--allow-sync-ptr=true ' \ + '--skip-overlap-check ' \ + '--forward-policy=none' % zone + cmd_modifyzone = 'ipa dnszone-mod %s ' \ + '--update-policy=\'%s;\'' % (zone, policy) + session_multihost.master[0].run_command(cmd_createzone, + raiseonerr=False) + session_multihost.master[0].run_command(cmd_modifyzone, + raiseonerr=False) + + def remove_reverse_zone(): + """ removes reverse zone """ + cmd_removezone = 'ipa dnszone-del %s' % zone + session_multihost.master[0].run_command(cmd_removezone, + raiseonerr=False) + + request.addfinalizer(remove_reverse_zone) @pytest.fixture(scope="function") 
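Review bot: create_reverse_zone discards the result of both `ipa dnszone-add` and `ipa dnszone-mod` (`raiseonerr=False`, return value unused), so a zone that is not created or whose update policy is not applied goes unnoticed until the PTR assertion in the test fails with no hint why; capture the result and fail early, e.g. `cmd = session_multihost.master[0].run_command(cmd_createzone, raiseonerr=False)` followed by `assert cmd.returncode == 0, "dnszone-add failed"`, and the same for the mod command. The reverse zone is derived by dropping the last octet of the client IP, which only holds for an IPv4 client on a /24; returning `zone` from the fixture would at least let the test reuse it instead of recomputing it. The update policy deserves a comment for the next reader, since it is the whole point of the test, e.g. `# tcp-self: a client may update only the PTR of its own source address and only over TCP, which is why no GSS-TSIG key is needed (dyndns_auth_ptr = None)`.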
@@ -147,7 +178,7 @@ def default_ipa_users(session_multihost, request): 'loginname': 'foobar%d' % i, 'default_password': 'RedHat@123', 'reset_password': 'Secret123'} - useradd = "echo '%s' | ipa user-add --first %s "\ + useradd = "echo '%s' | ipa user-add --first %s " \ " --last %s --password %s" % (user_info['default_password'], user_info['firstname'], user_info['lastname'], @@ -162,6 +193,7 @@ def remove_ipa_users(): user = 'foobar%d' % i cmd = 'ipa user-del foobar%d' % i session_multihost.master[0].run_command(cmd) + request.addfinalizer(remove_ipa_users) @@ -193,6 +225,7 @@ def allow_all_hbac(): session_multihost.master[0].run_command(allow_all) except CalledProcessError: pytest.fail("Failed to enable allow_all rule") + request.addfinalizer(allow_all_hbac) @@ -226,6 +259,7 @@ def remove_users(): """ Remove AD users """ del_cmd = 'powershell -inputformat none -noprofile ./remove-users.ps1' session_multihost.ad[0].run_command(del_cmd, raiseonerr=False) + request.addfinalizer(remove_users) @@ -247,6 +281,7 @@ def remove_ad_groups(): """ Remove AD Groups """ del_cmd = 'powershell -inputformat none -noprofile ./remove-groups.ps1' session_multihost.ad[0].run_command(del_cmd, raiseonerr=False) + request.addfinalizer(remove_ad_groups) diff --git a/src/tests/multihost/ipa/test_misc.py b/src/tests/multihost/ipa/test_misc.py index a15ac5f08a..f199f2fc92 100644 --- a/src/tests/multihost/ipa/test_misc.py +++ b/src/tests/multihost/ipa/test_misc.py @@ -8,6 +8,7 @@ import pytest import time +from sssd.testlib.ipa.utils import ipaTools from sssd.testlib.common.utils import sssdTools from sssd.testlib.common.exceptions import SSSDException import re 
@@ -133,3 +134,49 @@ def test_filter_groups(self, multihost, default_ipa_groups, str(gid_start+4), str(gid_start+5)]), \ "The unexpected gid found in the id output!" + + def test_asymmetric_auth_for_nsupdate(self, multihost, + create_reverse_zone): + """ + @Title: Support asymmetric auth for nsupdate + @Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1884301 + """ + client = sssdTools(multihost.client[0]) + client_hostname = multihost.client[0].sys_hostname + server_hostname = multihost.master[0].sys_hostname + client_l = client_hostname.split('.', 1) + client_hostname_short = client_l[0] + client_ip = multihost.client[0].ip + subnet = client_ip.split('.', 3) + del subnet[-1] + subnet.reverse() + zone = '.'.join(subnet) + '.in-addr.arpa.' + + domain_name = client.get_domain_section_name() + client.sssd_conf( + 'domain/%s' % domain_name, + {'dyndns_force_tcp': 'true', + 'dyndns_update': 'true', + 'dyndns_update_ptr': 'true', + 'dyndns_refresh_interval': '5', + 'dyndns_auth_ptr': 'None', + 'dyndns_server': '%s' % server_hostname}) + cmd_del_record = 'ipa dnsrecord-del %s %s --del-all' % \ + (domain_name, client_hostname_short) + multihost.master[0].run_command(cmd_del_record, raiseonerr=False) + + client.remove_sss_cache('/var/lib/sss/db') + multihost.client[0].service_sssd('restart') + time.sleep(10) + + cmd_check_arecord = 'nslookup %s' % client_hostname + cmd_check_ptrrecord = 'nslookup %s' % client_ip + + rc_arecord = multihost.client[0].run_command(cmd_check_arecord, + raiseonerr=False) + rc_ptrrecord = multihost.client[0].run_command(cmd_check_ptrrecord, + raiseonerr=False) + assert rc_arecord.returncode == 0 + assert client_ip in rc_arecord.stdout_text + assert rc_ptrrecord.returncode == 0 + assert client_hostname in rc_ptrrecord.stdout_text From cb9041d77db4af982fac3903507e4f39acd75d45 Mon Sep 17 00:00:00 2001 
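Review bot: In test_asymmetric_auth_for_nsupdate the five lines from `client_ip = multihost.client[0].ip` through `zone = '.'.join(subnet) + '.in-addr.arpa.'` compute a `zone` that is never used (the fixture already created it), so either drop them or have create_reverse_zone return the zone and assert on it. The test also edits the domain section (`dyndns_*`, `dyndns_server`) without `client.backup_sssd_conf()` and a `client.restore_sssd_conf()` finalizer, so the dynamic-DNS settings leak into every later test in the module. The fixed `time.sleep(10)` before the nslookup checks is a likely source of flakiness; polling the A record with a bounded retry would be more robust. The `from sssd.testlib.ipa.utils import ipaTools` added in the @@ -8 hunk is not used by this test; if nothing else in the file uses it, drop the import.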
From: Dan Lavu <dl...@redhat.com> Date: Wed, 18 Nov 2020 21:05:57 -0500 Subject: [PATCH 2/3] Adding tests to cover ad discovery improvements using cldap * This test requires a primary and secondary domain controller so AD can be moved between sites * Currently contains four test cases ** Two DCs in one site no restrictions. ** Two DCs in one site, traffic blocked to the other DC ** DCs in seperate sites no restrictions ** DCs in seperate sites, traffic blocked to the other DC Signed-off-by: Dan Lavu <dl...@redhat.com> SSSD-2497 --- src/tests/multihost/adsites/conftest.py | 305 ++++++++++++++++++++ src/tests/multihost/adsites/pytest.ini | 3 + src/tests/multihost/adsites/readme.rst | 134 +++++++++ src/tests/multihost/adsites/test_adsites.py | 262 +++++++++++++++++ 4 files changed, 704 insertions(+) create mode 100644 src/tests/multihost/adsites/conftest.py create mode 100644 src/tests/multihost/adsites/pytest.ini create mode 100644 src/tests/multihost/adsites/readme.rst create mode 100644 src/tests/multihost/adsites/test_adsites.py diff --git a/src/tests/multihost/adsites/conftest.py b/src/tests/multihost/adsites/conftest.py new file mode 100644 index 0000000000..cc5c594466 --- /dev/null +++ b/src/tests/multihost/adsites/conftest.py 
@@ -0,0 +1,305 @@ + +""" Common AD Fixtures """ +from __future__ import print_function +import subprocess +import time +import pytest +import os +import posixpath +from sssd.testlib.common.paths import SSSD_DEFAULT_CONF, NSSWITCH_DEFAULT_CONF +from sssd.testlib.common.qe_class import session_multihost +from sssd.testlib.common.exceptions import SSSDException +from sssd.testlib.common.samba import sambaTools +from sssd.testlib.common.utils import ADOperations +from sssd.testlib.common.utils import sssdTools + + +def pytest_configure(): + """ Namespace hook, Adds below dict to pytest namespace """ + pytest.num_masters = 0 + pytest.num_ad = 2 + pytest.num_atomic = 0 + pytest.num_replicas = 0 + pytest.num_clients = 1 + pytest.num_others = 0 + +# ######## Function scoped Fixtures #################### + + +@pytest.fixture(scope="function") +def smbconfig(session_multihost, request): + """ Configure smb.conf """ + sambaclient = sambaTools(session_multihost.client[0], + session_multihost.ad[0]) + sambaclient.smbadsconf() + + def restore(): + """ Restore smb.conf """ + restoresmb = 'cp -f /etc/samba/smb.conf.orig /etc/samba/smb.conf' + session_multihost.client[0].run_command(restoresmb, raiseonerr=False) + removebkup = 'rm -f /etc/samba/smb.conf.orig' + session_multihost.client[0].run_command(removebkup, raiseonerr=False) + request.addfinalizer(restore) + + +@pytest.fixture(scope='function') +def run_powershell_script(session_multihost, request): + """ Run Powershell script """ + cwd = os.path.dirname(os.path.abspath(__file__)) + split_cwd = cwd.split('/') + idx = split_cwd.index('pytest') + path_list = split_cwd[:idx + 1] + sssd_qe_path = '/'.join(path_list) + data_path = "%s/data" % sssd_qe_path + + def _script(name): + """ Run powershell script """ + filename = name + remote_file_path = posixpath.join('/home/administrator', filename) + source_file_path = posixpath.join(data_path, filename) + session_multihost.ad[0].transport.put_file(source_file_path, + remote_file_path) 
+ pwrshell_cmd = 'powershell.exe -inputformat '\ + 'none -noprofile ./%s' % filename + cmd = session_multihost.ad[0].run_command(pwrshell_cmd, + raiseonerr=False) + return cmd + return _script + + +@pytest.fixture(scope="function") +def adjoin(session_multihost, request): + """ Join to AD using net ads command """ + ad_realm = session_multihost.ad[0].realm + ad_ip = session_multihost.ad[0].ip + client_ad = sssdTools(session_multihost.client[0], session_multihost.ad[0]) + + client_ad.disjoin_ad() # Make sure system is disjoined from AD + client_ad.create_kdcinfo(ad_realm, ad_ip) + kinit = "kinit Administrator" + ad_password = session_multihost.ad[0].ssh_password + try: + session_multihost.client[0].run_command(kinit, stdin_text=ad_password) + except subprocess.CalledProcessError: + pytest.fail("kinit failed") + + def _join(membersw=None): + """ Join AD """ + if membersw == 'samba': + client_ad.join_ad(ad_realm, ad_password, mem_sw='samba') + else: + client_ad.join_ad(ad_realm, ad_password) + + def adleave(): + """ Disjoin AD """ + client_ad.disjoin_ad() + remove_keytab = 'rm -f /etc/krb5.keytab' + kdestroy_cmd = 'kdestroy -A' + session_multihost.client[0].run_command(kdestroy_cmd) + session_multihost.client[0].run_command(remove_keytab) + request.addfinalizer(adleave) + return _join + + +@pytest.fixture(scope="function") +def get_rid(session_multihost, create_aduser_group): + """ + Find Relative ID from object SID + :param obj session_multihost: multihost object + :Return: RID value + """ + (user, _) = create_aduser_group + client = sssdTools(session_multihost.client[0], session_multihost.ad[0]) + client.clear_sssd_cache() + ad_user = '{}@{}'.format(user, session_multihost.ad[0].domainname) + getent = 'getent passwd %s' % ad_user + cmd = session_multihost.client[0].run_command(getent, raiseonerr=False) + if cmd.returncode == 0: + rid = client.find_rid(ad_user) + return (ad_user, rid) + else: + pytest.fail("%s User lookup failed" % ad_user) + + 
+@pytest.fixture(scope="function") +def keytab_sssd_conf(session_multihost, request, adjoin): + """ Add parameters required for keytab rotation in sssd.conf """ + adjoin(membersw='samba') + client = sssdTools(session_multihost.client[0], session_multihost.ad[0]) + client.backup_sssd_conf() + sssd_params = {'ad_maximum_machine_account_password_age': '1', + 'ad_machine_account_password_renewal_opts': '300:15', + 'debug_level': '9'} + domain_name = client.get_domain_section_name() + domain_section = 'domain/{}'.format(domain_name) + client.sssd_conf(domain_section, sssd_params,) + + def restore_sssd_conf(): + """ Restore original sssd.conf """ + client.restore_sssd_conf() + request.addfinalizer(restore_sssd_conf) + + +@pytest.fixture(scope="function") +def cifsmount(session_multihost, request): + """ Mount cifs share and create files with + different permissions + """ + ad_user = 'idmfoouser1' + ad_group = 'idmfoogroup1' + kinit = 'kinit %s' % ad_user + server = session_multihost.master[0].sys_hostname.strip().split('.')[0] + share_path = '/mnt/samba/share1' + session_multihost.client[0].run_command(kinit, stdin_text='Secret123') + mountcifs = "mount -t cifs -o cifsacl "\ + "-o sec=krb5 -o username=%s //%s/share1"\ + " /mnt/samba/share1" % (ad_user, server) + cmd = session_multihost.client[0].run_command(mountcifs, raiseonerr=False) + time.sleep(5) + if cmd.returncode != 0: + journalctl = 'journalctl -x -n 50 --no-pager' + session_multihost.client[0].run_command(journalctl) + + def cifsunmount(): + """ Umount the cifs shares """ + umount = "umount /mnt/samba/share1" + cmd = session_multihost.client[0].run_command(umount, raiseonerr=False) + assert cmd.returncode == 0 + kdestroy = 'kdestroy -A' + session_multihost.client[0].run_command(kdestroy, raiseonerr=False) + request.addfinalizer(cifsunmount) + + +@pytest.fixture(scope='function') +def backupsssdconf(session_multihost, request): + """ Backup and restore sssd.conf """ + bkup = 'cp -f %s %s.orig' % 
(SSSD_DEFAULT_CONF, + SSSD_DEFAULT_CONF) + session_multihost.client[0].run_command(bkup) + session_multihost.client[0].service_sssd('stop') + + def restoresssdconf(): + """ Restore sssd.conf """ + restore = 'cp -f %s.orig %s' % (SSSD_DEFAULT_CONF, SSSD_DEFAULT_CONF) + session_multihost.client[0].run_command(restore) + request.addfinalizer(restoresssdconf) + + +@pytest.fixture(scope='function') +def create_site(session_multihost, request): + ad2_hostname = session_multihost.ad[1].hostname + ad2_shostname = ad2_hostname.strip().split('.')[0] + site = "Raleigh" + + cmd_create_site = "powershell.exe -inputformat none -noprofile " \ + "'(New-ADReplicationSite -Name \"%s\" " \ + "-Confirm:$false)'" % site + cmd_move_ad2 = "powershell.exe -inputformat none -noprofile " \ + "'(Move-ADDirectoryServer -Identity \"%s\" -Site \"%s\" " \ + "-Confirm:$false)'" % (ad2_shostname, site) + + session_multihost.ad[0].run_command(cmd_create_site) + session_multihost.ad[0].run_command(cmd_move_ad2) + + def teardown_site(): + cmd_move_ad2back = "powershell.exe -inputformat none -noprofile " \ + "'(Move-ADDirectoryServer -Identity \"%s\" " \ + "-Site \"Default-First-Site-Name\" " \ + "-Confirm:$false)'" % ad2_shostname + cmd_remove_site2 = "powershell.exe -inputformat none -noprofile " \ + "'(Remove-ADReplicationSite \"%s\" " \ + "-Confirm:$false)'" % site + session_multihost.ad[0].run_command(cmd_move_ad2back) + session_multihost.ad[0].run_command(cmd_remove_site2) + + request.addfinalizer(teardown_site) + + +# ############## class scoped Fixtures ############################## + + +@pytest.fixture(scope="class") +def multihost(session_multihost, request): + """ Multihost fixture to be used by tests + :param obj session_multihost: multihost object + :return obj session_multihost: return multihost object + :Exceptions: None + """ + if hasattr(request.cls(), 'class_setup'): + request.cls().class_setup(session_multihost) + request.addfinalizer( + lambda: 
request.cls().class_teardown(session_multihost)) + return session_multihost + + +@pytest.fixture(scope="class") +def clear_sssd_cache(session_multihost): + """ Clear sssd cache """ + client = sssdTools(session_multihost.client[0]) + client.clear_sssd_cache() + + +@pytest.fixture(scope="class") +def joinad(session_multihost, request): + """ class fixture to join AD using realm """ + client = sssdTools(session_multihost.client[0], session_multihost.ad[0]) + client.disjoin_ad() # Make sure system is disjoined from AD + kinit = "kinit Administrator" + ad_password = session_multihost.ad[0].ssh_password + realm_output = client.join_ad() + try: + session_multihost.client[0].service_sssd('restart') + except SSSDException: + cmd = 'cat /etc/sssd/sssd.conf' + session_multihost.client[0].run_command(cmd) + journal = 'journalctl -x -n 150 --no-pager' + session_multihost.client[0].run_command(journal) + retry = 0 + while (retry != 5): + cmd = session_multihost.client[0].run_command(kinit, + stdin_text=ad_password, + raiseonerr=False) + if cmd.returncode == 0: + break + else: + retry += 1 + time.sleep(5) + + def disjoin(): + """ Disjoin system from Windows AD """ + client.disjoin_ad() + stop_sssd = 'systemctl stop sssd' + remove_keytab = 'rm -f /etc/krb5.keytab' + kdestroy_cmd = 'kdestroy -A' + session_multihost.client[0].run_command(stop_sssd) + session_multihost.client[0].run_command(remove_keytab) + session_multihost.client[0].run_command(kdestroy_cmd) + request.addfinalizer(disjoin) + +# ################### Session scoped fixtures ######################### + + +@pytest.fixture(scope="session", autouse=True) +def setup_session(request, session_multihost): + """ Setup Session """ + client = sssdTools(session_multihost.client[0]) + realm = session_multihost.ad[0].realm + ad_host = session_multihost.ad[0].sys_hostname + try: + master = sssdTools(session_multihost.master[0]) + except IndexError: + pass + else: + master.server_install_pkgs() + 
master.update_resolv_conf(session_multihost.ad[0].ip)
+ client.client_install_pkgs()
+ client.update_resolv_conf(session_multihost.ad[0].ip)
+ client.clear_sssd_cache()
+ client.systemsssdauth(realm, ad_host)
+
+ def teardown_session():
+ """ Teardown session """
+ session_multihost.client[0].service_sssd('stop')
+ remove_sssd_conf = 'rm -f /etc/sssd/sssd.conf'
+ session_multihost.client[0].run_command(remove_sssd_conf)
+ request.addfinalizer(teardown_session)
diff --git a/src/tests/multihost/adsites/pytest.ini b/src/tests/multihost/adsites/pytest.ini
new file mode 100644
index 0000000000..4b0d37efe9
--- /dev/null
+++ b/src/tests/multihost/adsites/pytest.ini
@@ -0,0 +1,3 @@
+[pytest]
+markers =
+ adsites: tests the require two domain controllers
diff --git a/src/tests/multihost/adsites/readme.rst b/src/tests/multihost/adsites/readme.rst
new file mode 100644
index 0000000000..3bdcb6a9aa
--- /dev/null
+++ b/src/tests/multihost/adsites/readme.rst
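Review bot: create_site registers `request.addfinalizer(teardown_site)` only after both powershell commands have succeeded, so if `Move-ADDirectoryServer` raises, the freshly created "Raleigh" site is never removed and the next run's `New-ADReplicationSite` fails; register the finalizer before the `run_command` calls and run the teardown commands with `raiseonerr=False` so they can undo a partial setup. create_site is also the only fixture in the file without a docstring: `""" Create the Raleigh AD site and move the second DC into it """`. In joinad, `realm_output = client.join_ad()` is assigned but never read. Most of this file appears to duplicate fixtures from the ad suite (smbconfig, adjoin, get_rid, keytab_sssd_conf, cifsmount), and the accompanying readme.rst documents fixtures (enable_autofs_schema, sudorules, create_adgrp, add_nisobject) that this conftest does not define, so the documentation does not match the code it ships with.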
@@ -0,0 +1,134 @@ +AD Provider Test Suite +====================== + +This directory contains test automation for SSSD AD Provider. + + +Fixtures +======== + + +session +******* + +* setup_session: This fixtures does the following tasks: + + + * Install common required packages like + * Updated /etc/resolv.conf with Windows IP Address + * Clear sssd cache + * Configure system to use sssd authentication + + +* teardown_session: This is not a fixtures but a teardown of ``setup_session`` + + * Restores resolv.conf + * Stop sssd service + * remove sssd.conf + + +class +***** + +* multihost: This fixture returns multihost object. Also using builtin request + fixture we pass ``class_setup`` and ``class_teardown``. If the test suite defines + class_setup and class_teardown functions, multihost object will be available + to execute any remote functions. + +* clear_sssd_cache: Stops sssd service. Removes cache files from + ``/var/lib/sss/db`` and starts sssd service. Sleeps for 10 seconds. + +* enable_autofs_schema: Backup sssd.conf and Edit sssd.conf and specify + ``autofs_provider = ad`` and ``debug_level = 9`` + +* enable_ad_sudoschema: Enable AD Sudo Schema + +* create_ad_sudousers: Create users in Windows Active Directory with username + from ``sudo_idmuser1`` to ``sudo_idmuser10``. 
+ +* sudorules: Create AD sudo rules ``less_user_rule1`` to ``less_user_rule10``:: + + + # less_user_rule1, Sudoers, juno.test + dn: CN=less_user_rule1,OU=Sudoers,DC=juno,DC=test + objectClass: top + objectClass: sudoRole + cn: less_user_rule1 + distinguishedName: CN=less_user_rule1,OU=Sudoers,DC=juno,DC=test + instanceType: 4 + whenCreated: 20190416073735.0Z + whenChanged: 20190416073736.0Z + uSNCreated: 1283544 + uSNChanged: 1283547 + name: less_user_rule1 + objectGUID:: wYiyH7dlT0G/5y40LPgHpw== + objectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=juno,DC=test + dSCorePropagationData: 16010101000000.0Z + sudoHost: ALL + sudoUser: sudo_idmuserN + sudoUser: sudo_idmus...@juno.test + sudoOption: !authenticate + sudoOption: !requiretty + sudoCommand: /usr/bin/less + +* joinad: Join the system to Windows AD using realm with membercli-software + being adcli. + + + +function +******** + +* smbconfig: Configure smb.conf :: + + [global] + workgroup = <DOMAIN> + security = ads + realm = <DOMAIN.COM> + netbios name = <samba-client-shortname> + kerberos method = secrets and keytab + client signing = yes + client use spnego = yes + log file = /var/log/samba/log.%m + max log size = 50 + log level = 9 + + +* create_adgrp: fixture to create AD Groups . Runs ``adgroup.ps1`` powershell + script. 
powershell script:: + + #Following Powershell script will add the group in AD server + #and set GroupScope as Global and GroupCtegory as Security and + #also set MemberOf BuiltIn group as Administrator + + Import-Module ActiveDirectory + + $grname = -join ((65..90) + (97..122) | Get-Random -Count 7 | % {[char]$_}) + + Write-Host $grname + + New-ADGroup -Name $grname -GroupScope Global -GroupCategory Security + + Add-ADPrincipalGroupMembership -MemberOf Administrators -Identity $grname + + + +* create_aduser_group: Creates AD user ``testuser<randomnumber>`` and AD Groups + ``testgroup<randomnumber>`` + +* add_nisobject: + + * uses Indirect parameterization and takes map name as the parameter from + test case. (example: ``/export``, ``/project1``) + * Installs nfs-utils package on nfs server and starts nfs-server. + * Add map based on request parameter. + + +* set_autofs_search_base: Enable autofs search base in sssd.conf + +* add_user_in_domain_local_group: Add domain local AD group + ``ltestgoup<randomnumber>`` + +* add_principals: Add ``HTTP`` and ``NFS`` service principals in Windows AD + + diff --git a/src/tests/multihost/adsites/test_adsites.py b/src/tests/multihost/adsites/test_adsites.py new file mode 100644 index 0000000000..58cb41db1d --- /dev/null +++ b/src/tests/multihost/adsites/test_adsites.py 
@@ -0,0 +1,262 @@ +from __future__ import print_function +import time +import pytest +from sssd.testlib.common.utils import sssdTools + + +@pytest.mark.adsites +class Testadsites(object): + """ + @Title: IDM-SSSD-TC: ad_provider: adsites: + Improve AD site discovery process + Test cases for BZ: 1819012 + + @Steps: + 1. Join client to AD + 2. Start SSSD and enable debug + 3. Create secondary site, move second domain controller to second site + """ + @pytest.mark.adsites + def test_001_ad_startup_discovery(self, multihost, adjoin): + """ + @Title: IDM-SSSD-TC: ad_startup_discovery + * grep sssd domain logs for cldap ping + * grep sssd logs for cldap ping parallel batch + * grep sssd logs for cldap ping domain discovery + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + domain = client.get_domain_section_name() + domain_section = 'domain/{}'.format(domain) + sssd_params = {'debug_level': '0xFFF0'} + client.sssd_conf(domain_section, sssd_params) + + ad1 = multihost.ad[0].hostname + ad2 = multihost.ad[1].hostname + multihost.client[0].service_sssd('start') + + cmd_id = 'id Administrator@%s' % domain + multihost.client[0].run_command(cmd_id) + + cmd_check_ping = 'grep -ire ad_cldap_ping_send ' \ + '/var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_ping = multihost.client[0].run_command(cmd_check_ping, + raiseonerr=False) + assert check_ping.returncode == 0 + cmd_check_batch1 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad1) + check_batch1 = multihost.client[0].run_command(cmd_check_batch1, + raiseonerr=False) + cmd_check_batch2 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad2) + check_batch2 = multihost.client[0].run_command(cmd_check_batch2, + raiseonerr=False) + if 
check_batch1.returncode == 0 or check_batch2.returncode == 0: + assert True + else: + assert False + cmd_check_discovery = 'grep -ire ad_cldap_ping_domain_discovery_done' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain controllers in' \ + ' domain Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_discovery = multihost.client[0].run_command(cmd_check_discovery, + raiseonerr=False) + assert check_discovery.returncode == 0 + + @pytest.mark.adsites + def test_002_ad_startup_discovery_one_server_unreachable(self, multihost, + adjoin): + """ + @Title: IDM-SSSD-TC: ad_startup_discovery_one_server_unreachable + * grep sssd domain logs for cldap ping + * grep sssd logs for cldap ping parallel batch + * grep sssd logs for cldap ping domain discovery + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + domain = client.get_domain_section_name() + domain_section = 'domain/{}'.format(domain) + sssd_params = {'debug_level': '0xFFF0'} + client.sssd_conf(domain_section, sssd_params) + + ad1 = multihost.ad[0].hostname + ad2 = multihost.ad[1].hostname + ad2ip = multihost.ad[1].ip + + cmd_dnf_firewalld = 'dnf install -y firewalld' + multihost.client[0].run_command(cmd_dnf_firewalld) + cmd_start_firewalld = 'systemctl start firewalld' + multihost.client[0].run_command(cmd_start_firewalld) + fw_add = 'firewall-cmd --permanent --direct --add-rule ipv4 ' \ + 'filter OUTPUT 0 -d %s -j DROP' % ad2ip + fw_reload = 'firewall-cmd --reload' + multihost.client[0].run_command(fw_add, raiseonerr=True) + multihost.client[0].run_command(fw_reload, raiseonerr=True) + multihost.client[0].service_sssd('start') + + cmd_check_ping = 'grep -ire ad_cldap_ping_send ' \ + '/var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_ping = multihost.client[0].run_command(cmd_check_ping, + raiseonerr=False) + assert check_ping.returncode 
== 0 + cmd_check_batch1 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad1) + check_batch1 = multihost.client[0].run_command(cmd_check_batch1, + raiseonerr=False) + cmd_check_batch2 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad2) + check_batch2 = multihost.client[0].run_command(cmd_check_batch2, + raiseonerr=False) + if check_batch1.returncode == 1 and check_batch2.returncode == 0: + assert True + else: + assert False + cmd_check_discovery = 'grep -ire ad_cldap_ping_domain_discovery_done' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain' \ + ' controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_discovery = multihost.client[0].run_command(cmd_check_discovery, + raiseonerr=False) + assert check_discovery.returncode == 0 + + fw_stop = 'systemctl stop firewalld' + multihost.client[0].run_command(fw_stop, raiseonerr=True) + fw_remove = 'dnf remove -y firewalld' + multihost.client[0].run_command(fw_remove, raiseonerr=True) + + @pytest.mark.adsites + def test_003_ad_startup_discovery_two_different_sites(self, multihost, + adjoin, create_site): + """ + @Title: IDM-SSSD-TC: ad_startup_discovery_two_different_sites + * grep sssd domain logs for cldap ping + * grep sssd logs for cldap ping parallel batch + * grep sssd logs for cldap ping domain discovery + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + domain = client.get_domain_section_name() + domain_section = 'domain/{}'.format(domain) + sssd_params = {'debug_level': '0xFFF0'} + client.sssd_conf(domain_section, sssd_params) + + ad1 = multihost.ad[0].hostname + ad2 = multihost.ad[1].hostname + multihost.client[0].service_sssd('start') + + cmd_check_ping = 'grep -ire ad_cldap_ping_send' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain controllers in domain ' \ + 
'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_ping = multihost.client[0].run_command(cmd_check_ping, + raiseonerr=False) + assert check_ping.returncode == 0 + cmd_check_batch1 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad1) + check_batch1 = multihost.client[0].run_command(cmd_check_batch1, + raiseonerr=False) + cmd_check_batch2 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad2) + check_batch2 = multihost.client[0].run_command(cmd_check_batch2, + raiseonerr=False) + if check_batch1.returncode == 0 or check_batch2.returncode == 0: + assert True + else: + assert False + cmd_check_discovery = 'grep -ire ad_cldap_ping_domain_discovery_done' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain' \ + ' controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_discovery = multihost.client[0].run_command(cmd_check_discovery, + raiseonerr=False) + assert check_discovery.returncode == 0 + + @pytest.mark.adsites + def test_004_ad_startup_discovery_one_server_unreachable(self, + multihost, + adjoin, + create_site): + """ + @Title: IDM-SSSD-TC: + ad_startup_discovery_two_different_sites_one_server_unreachable + * grep sssd domain logs for cldap ping + * grep sssd logs for cldap ping parallel batch + * grep sssd logs for cldap ping domain discovery + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + domain = client.get_domain_section_name() + domain_section = 'domain/{}'.format(domain) + sssd_params = {'debug_level': '0xFFF0'} + client.sssd_conf(domain_section, sssd_params) + + ad1 = multihost.ad[0].hostname + ad2 = multihost.ad[1].hostname + ad2ip = multihost.ad[1].ip + + cmd_dnf_firewalld = 'dnf install -y firewalld' + multihost.client[0].run_command(cmd_dnf_firewalld) + cmd_start_firewalld = 'systemctl start firewalld' + 
multihost.client[0].run_command(cmd_start_firewalld) + fw_add = 'firewall-cmd --permanent --direct --add-rule ipv4 ' \ + 'filter OUTPUT 0 -d %s -j DROP' % ad2ip + fw_reload = 'firewall-cmd --reload' + multihost.client[0].run_command(fw_add, raiseonerr=True) + multihost.client[0].run_command(fw_reload, raiseonerr=True) + + multihost.client[0].service_sssd('start') + + cmd_check_ping = 'grep -ire ad_cldap_ping_send' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_ping = multihost.client[0].run_command(cmd_check_ping, + raiseonerr=False) + assert check_ping.returncode == 0 + cmd_check_batch1 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad1) + check_batch1 = multihost.client[0].run_command(cmd_check_batch1, + raiseonerr=False) + cmd_check_batch2 = 'grep -ire ad_cldap_ping_parallel_batch' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \" %s\"' % (domain, ad2) + check_batch2 = multihost.client[0].run_command(cmd_check_batch2, + raiseonerr=False) + if check_batch1.returncode == 1 and check_batch2.returncode == 0: + assert True + else: + assert False + cmd_check_discovery = 'grep -ire ad_cldap_ping_domain_discovery_done' \ + ' /var/log/sssd/sssd_%s.log | ' \ + 'grep -ire \"Found 2 domain' \ + ' controllers in domain ' \ + 'Default-First-Site-Name._sites.%s\"'\ + % (domain, domain) + check_discovery = multihost.client[0].run_command(cmd_check_discovery, + raiseonerr=False) + assert check_discovery.returncode == 0 + + fw_stop = 'systemctl stop firewalld' + multihost.client[0].run_command(fw_stop, raiseonerr=True) + fw_remove = 'dnf remove -y firewalld' + multihost.client[0].run_command(fw_remove, raiseonerr=True) \ No newline at end of file From 00b08ebb75b4a6b7531daf55ba8e85ddca85d1d5 Mon Sep 17 00:00:00 2001 
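Review bot: In test_002 and test_004 the firewalld teardown (`systemctl stop firewalld`, `dnf remove -y firewalld`) runs only after the assertions, so any failed assert or raised command leaves the permanent DROP rule toward ad2 in place for the following tests (test_003 expects both DCs reachable). Move the block/unblock into a fixture whose finalizer always runs, as sketched below, and take it as a parameter: `def test_002_ad_startup_discovery_one_server_unreachable(self, multihost, adjoin, block_ad2):`. The `if …: assert True else: assert False` branches in all four tests read better as one assertion, `assert check_batch1.returncode == 0 or check_batch2.returncode == 0` (and `== 1 and … == 0` for the unreachable cases), which also gives a useful failure message. `import time` appears unused in this module, and the file lacks a trailing newline.
```python
@pytest.fixture(scope='function')
def block_ad2(session_multihost, request):
    """ Drop client traffic to the second DC; always undone at teardown """
    client = session_multihost.client[0]
    ad2ip = session_multihost.ad[1].ip

    def unblock():
        """ Remove the firewall again, even if the test failed """
        client.run_command('systemctl stop firewalld', raiseonerr=False)
        client.run_command('dnf remove -y firewalld', raiseonerr=False)
    request.addfinalizer(unblock)

    client.run_command('dnf install -y firewalld')
    client.run_command('systemctl start firewalld')
    client.run_command('firewall-cmd --permanent --direct --add-rule ipv4 '
                       'filter OUTPUT 0 -d %s -j DROP' % ad2ip)
    client.run_command('firewall-cmd --reload')

# … unchanged: Testadsites.test_001 and test_003 …
```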
From: Jakub Vavra <jva...@redhat.com>
Date: Fri, 25 Jun 2021 15:07:42 +0200
Subject: [PATCH 3/3] Tests: Initial draft of AD parameters tests ported from bash.
---
.../multihost/ad/test_adparameters_all.py | 1156 +++++++++++++++++
1 file changed, 1156 insertions(+)
create mode 100644 src/tests/multihost/ad/test_adparameters_all.py
diff --git a/src/tests/multihost/ad/test_adparameters_all.py b/src/tests/multihost/ad/test_adparameters_all.py
new file mode 100644
index 0000000000..9224e2a026
--- /dev/null
+++ b/src/tests/multihost/ad/test_adparameters_all.py
@@ -0,0 +1,1156 @@
+""" AD-Provider AD Parameters Domain tests ported from bash
+
+:requirement: ad_parameters
+:casecomponent: sssd
+:subsystemteam: sst_idm_sssd
+:upstream: yes
+"""
+import time
+import pytest
+
+from sssd.testlib.common.utils import sssdTools
+
+
+@pytest.fixture(scope="class")
+def change_client_hostname(session_multihost, request):
+ """ Change client hostname to a truncated version in the AD domain"""
+ cmd = session_multihost.client[0].run_command('hostname', raiseonerr=False)
+ old_hostname = cmd.stdout_text.rstrip()
+ ad_domain = session_multihost.ad[0].domainname
+ try:
+ new_hostname = session_multihost.client[0].external_hostname.\
+ split('.')[0]
+ except (KeyError, AttributeError):
+ new_hostname = old_hostname.split('.')[0]
+ if new_hostname.startswith('ci-'):
+ new_hostname = new_hostname[3:]
+ new_hostname = new_hostname[:15] + "." + ad_domain
+ session_multihost.client[0].run_command(
+ f'hostname {new_hostname}', raiseonerr=False
+ )
+
+ def restore():
+ """ Restore hostname """
+ session_multihost.client[0].run_command(
+ f'hostname {old_hostname}',
+ raiseonerr=False
+ )
+ request.addfinalizer(restore)
+
+
+@pytest.mark.adparameters
+@pytest.mark.usefixtures("change_client_hostname")
+class TestADParamsPorted():
+ """ BZ Automated Test Cases for AD Parameters Domain ported from bash"""
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0001_ad_parameters_domain(multihost, adjoin, create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to
+ AD DOMAIN1
+ :id: 08a256e6-a56e-4726-adba-b9093dce8ede
+ :setup:
+ 1. Configure short domain name, clear cache and restart sssd.
+ 2. Create AD user and group.
+ :steps:
+ 1. Run getent passwd for the user and group
+ 2. Run getent group for the group
+ 3. Run check that su can switch to the ad user in short domain
+ 4. Check the sssd domain log
+ :expectedresults:
+ 1. User is found
+ 2. Group is found
+ 3. Su works as expected
+ 4.
Log contains the expected lines
+ Option ad_domain has value ...
+ Option krb5_realm set to ...
+ :customerscenario: False
+ """
+ adjoin(membersw='adcli')
+ # Create AD user and group
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ ad_realm = multihost.ad[0].domainname.upper()
+ ad_domain_short = ad_realm.rsplit('.', 1)[0]
+ sssd_params = {
+ 'ldap_id_mapping': 'False',
+ 'ad_domain': ad_realm,
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'krb5_store_password_if_offline': 'True',
+ 'full_name_format': '%2$s\\%1$s'
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {ad_domain_short}\\\\{aduser}',
+ raiseonerr=False
+ )
+ # Search for the group
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {ad_domain_short}\\\\{adgroup}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {ad_domain_short}\\\\{aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\
+ decode('utf-8')
+ # Evaluate test results
+ assert f"Option ad_domain has value {ad_realm}" in log_str
+ assert f"Option krb5_realm set to {ad_realm}" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found."
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found."
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0002_ad_parameters_junk_domain(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to junk
+ and first entry in keytab is valid bz1091957
+ :id: 760bda92-a67b-42bd-a55f-89d57e16e294
+ :setup:
+ 1. Configure junk domain name, clear cache and restart sssd.
+ 2. Create AD user.
+ :steps:
+ 1. Check the sssd domain log for expected messages.
+ 2. Search for a user and check messages for segfault
+ :expectedresults:
+ 1. Log contains the expected lines:
+ No principal matching <hostname>$@JUNK found in keytab.
+ No principal matching host/*@JUNK found in keytab.
+ Selected realm: <ad_realm>
+ 2. There is no segfault in the /var/log/messages.
+ :customerscenario: False
+ :bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1091957
+ """
+ adjoin(membersw='adcli')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ # Backup the configuration because with broken config we can't leave ad
+ client.backup_sssd_conf()
+ # Create AD user with posix attributes
+ (aduser, _) = create_aduser_group
+ # Configure sssd to ad_domain = junk
+ multihost.client[0].service_sssd('stop')
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ ad_realm = multihost.ad[0].domainname.upper()
+ sssd_params = {
+ 'ldap_id_mapping': 'False',
+ 'ad_domain': 'junk',
+ 'ad_server': multihost.ad[0].hostname,
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'krb5_store_password_if_offline' : 'True',
+ 'fallback_homedir': '/home/%d/%u',
+ 'full_name_format': '%2$s\\%1$s',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Download sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\
+ decode('utf-8')
+
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname =
hostname_cmd.stdout_text.rstrip().upper()
+
+ #shortname = multihost.client[0].external_hostname.upper().\
+ # split('.')[0]
+
+ # Clean /var/log/messages so previous content does not interfere
+ multihost.client[0].run_command('truncate --size 0 /var/log/messages',
+ raiseonerr=False)
+ # Run getent passwd
+ multihost.client[0].run_command(
+ f'getent passwd {ad_realm}\\\\{aduser}',
+ raiseonerr=False
+ )
+ # Download /var/log/messages
+ log_msg_str = multihost.client[0].get_file_contents(
+ '/var/log/messages').decode('utf-8')
+ # Restore sssd.conf
+ client.restore_sssd_conf()
+
+ # Evaluate test results
+ assert f"No principal matching {shortname}$@JUNK found in keytab." in\
+ log_str
+ assert "No principal matching host/*@JUNK found in keytab." in log_str
+ assert f"Selected realm: {ad_realm}" in log_str
+ assert "segfault" not in log_msg_str, "Segfault present in the log!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0003_ad_parameters_junk_domain_invalid_keytab(
+ multihost,
+ adjoin,
+ create_aduser_group
+ ):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to junk
+ and first entry in keytab is invalid
+ :id: ed1a1607-f9f1-4d3c-afbe-c6c1a6ce330b
+ :setup:
+ 1. Create an AD user.
+ 2. Configure junk domain name in sssd.conf.
+ 3. Create keytab with first item with INVALIDDOMAIN.COM.
+ 4. Clear cache and restart sssd.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Check the sssd domain log for expected messages.
+ :expectedresults:
+ 1. User is not found.
+ 2. Log contains the expected lines:
+ No principal matching host/*@JUNK found in keytab.
+ Selected realm: INVALIDDOMAIN.COM
+ Option krb5_realm set to JUNK
+ :teardown:
+ 1. Restore keytab.
+ 2. Remove AD user.
+ :customerscenario: False
+ :bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1091957
+ """
+ adjoin(membersw='adcli')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ # Backup the configuration because with broken config we can't leave ad
+ client.backup_sssd_conf()
+ # Create AD user with posix attributes
+ (aduser, _) = create_aduser_group
+ # Configure sssd with junk domain
+ multihost.client[0].service_sssd('stop')
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ ad_realm = multihost.ad[0].domainname.upper()
+ ad_domain_short = ad_realm.rsplit('.', 1)[0]
+ sssd_params = {
+ 'ldap_id_mapping': 'False',
+ 'ad_domain': 'junk',
+ 'ad_server': multihost.ad[0].hostname,
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'krb5_store_password_if_offline': 'True',
+ 'fallback_homedir': '/home/%d/%u',
+ 'full_name_format': '%2$s\\%1$s',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.sssd_conf(dom_section, {'krb5_realm': 'delme'}, action='delete')
+ # Backup keytab
+ multihost.client[0].run_command(
+ 'cp /etc/krb5.keytab /etc/krb5.keytab.working',
+ raiseonerr=False
+ )
+ # Create invalid keytab /tmp/first_invalid.keytab
+
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip().upper()
+
+ #shortname = multihost.client[0].external_hostname.upper().split('.')[0]
+ ktutil_cmd = f'echo -e "addent -password -p host/{shortname}@' \
+ f'INVALIDDOMAIN.COM -k 2 -e rc4-hmac\\nSecret123\\nrkt ' \
+ f'/etc/krb5.keytab\\nwkt /tmp/first_invalid.'
\
+ f'keytab\\nquit\\n" | ktutil'
+ multihost.client[0].run_command(ktutil_cmd, raiseonerr=False)
+ # Get keytab info for debugging purposes
+ multihost.client[0].run_command(
+ 'file /tmp/first_invalid.keytab',
+ raiseonerr=False
+ )
+ # Place keytab with invalid first item
+ multihost.client[0].run_command(
+ 'cp -f /tmp/first_invalid.keytab /etc/krb5.keytab; ' + 'restorecon /etc/krb5.keytab; ',
+ raiseonerr=False
+ )
+ # Clear cache and restart SSSD
+ client.clear_sssd_cache()
+ # Search for the AD user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {ad_domain_short}\\\\{aduser}',
+ raiseonerr=False
+ )
+ # Download sssd log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\
+ decode('utf-8')
+ # Restore keytab before test result evaluation
+ multihost.client[0].run_command(
+ 'cp -f /etc/krb5.keytab.working /etc/krb5.keytab; ' + 'restorecon /etc/krb5.keytab',
+ raiseonerr=False
+ )
+ # Restore sssd config
+ client.restore_sssd_conf()
+ # Evaluate test results
+ assert usr_cmd.returncode == 2, f"{aduser} was unexpectedly found!"
+ assert "No principal matching host/*@JUNK found in keytab." in log_str
+ assert "Selected realm: INVALIDDOMAIN.COM" in log_str
+ assert "Option krb5_realm set to JUNK" in log_str
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0004_ad_parameters_valid_domain_shorthost(
+ multihost,
+ adjoin,
+ create_aduser_group
+ ):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: ad domain is valid
+ and principal should default to SHORTHOST bz892197
+ :id: 63700bc9-d9f7-4a15-94c8-b6ef23fd329b
+ :setup:
+ 1. Create an AD user.
+ 2. Clear cache and restart sssd.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Check the sssd domain log for expected messages.
+ 3. Run su to the user.
+ :expectedresults:
+ 1. User is found.
+ 2. Log contains the expected line:
+ Trying to find principal <HOST_SHORT_PRINC>$@<AD_SERVER1_REALM>
+ 3.
User is switched successfully.
+ :teardown:
+ 1. Remove AD user.
+ :customerscenario: False
+ :bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=892197
+ """
+ adjoin(membersw='adcli')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ # Backup the configuration because with broken config we can't leave ad
+ client.backup_sssd_conf()
+ # Create AD user with posix attributes
+ (aduser, _) = create_aduser_group
+ # Configure sssd to disable ldap_id_mapping and enable logging
+ multihost.client[0].service_sssd('stop')
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ ad_realm = multihost.ad[0].domainname.upper()
+ ad_domain_short = ad_realm.rsplit('.', 1)[0]
+ sssd_params = {
+ 'ldap_id_mapping': 'False',
+ 'ad_domain': multihost.ad[0].domainname,
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'krb5_store_password_if_offline': 'True',
+ 'fallback_homedir': '/home/%d/%u',
+ 'full_name_format': '%2$s\\%1$s',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ # Clear cache and restart SSSD
+ client.clear_sssd_cache()
+ time.sleep(15)
+ # Download sssd log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\
+ decode('utf-8')
+
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip().upper()
+ #shortname = multihost.client[0].external_hostname.upper().\
+ # split('.')[0]
+ # Search for the AD user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {ad_domain_short}\\\\{aduser}',
+ raiseonerr=False
+ )
+ # Run su
+ su_cmd = multihost.client[0].run_command(
+ f'su - {ad_domain_short}\\\\{aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Restore sssd config
+ client.restore_sssd_conf()
+ # Evaluate test results
+ assert f"Trying to find principal {shortname}$@{ad_realm}" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found."
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0005_ad_parameters_blank_domain(
+ multihost,
+ adjoin,
+ create_aduser_group
+ ):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to blank
+ should default to sssd domain
+ :id: 18f6ceac-283e-43e7-96b8-e4d8d7bda7d1
+ :setup:
+ 1. Create an AD user.
+ 2. Configure blank domain name in sssd.conf.
+ 3. Clear cache and restart sssd.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Check the sssd domain log for expected messages.
+ 3. Run su to the user.
+ :expectedresults:
+ 1. User is found
+ 2. Log contains the expected line:
+ Trying to find principal <HOST_SHORT_PRINC>$@<AD_SERVER1_REALM>
+ 3. User is switched successfully.
+ :teardown:
+ 1. Remove AD user.
+ :customerscenario: False
+ :bugzilla:
+ https://bugzilla.redhat.com/show_bug.cgi?id=892197
+ """
+ adjoin(membersw='adcli')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ # Backup the configuration because with broken config we can't leave ad
+ client.backup_sssd_conf()
+ # Create AD user with posix attributes
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd to disable ldap_id_mapping and enable logging
+ multihost.client[0].service_sssd('stop')
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ ad_realm = multihost.ad[0].domainname.upper()
+ ad_domain_short = ad_realm.rsplit('.', 1)[0]
+ sssd_params = {
+ 'ldap_id_mapping': 'False',
+ 'ad_domain': '',
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'krb5_store_password_if_offline': 'True',
+ 'fallback_homedir': '/home/%d/%u',
+ 'full_name_format': '%2$s\\%1$s',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ # Clear cache and restart SSSD
+ client.clear_sssd_cache()
+ time.sleep(15)
+ # Search for the AD user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {ad_domain_short}\\\\{aduser}',
+ raiseonerr=False
+ )
+ # Search for
the AD group
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {ad_domain_short}\\\\{adgroup}',
+ raiseonerr=False
+ )
+ # Run su
+ su_cmd = multihost.client[0].run_command(
+ f'su - {ad_domain_short}\\\\{aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Download sssd log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\
+ decode('utf-8')
+ # Restore sssd config
+ client.restore_sssd_conf()
+ # Evaluate test results
+ assert "Option ad_domain has no value" in log_str
+ assert f"Option krb5_realm set to {ad_realm}" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0006_ad_parameters_homedir_override_nss(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir to
+ UPN and login name in nss section bz1137015
+ :id: ea57bb9b-802b-40e4-ad6a-7ae0b4d3f927
+ :setup:
+ 1. Configure homedir override in nss section,
+ clear cache and restart sssd.
+ 2. Create an AD user.
+ :steps:
+ 1. Run getent passwd for the user and verify the home location.
+ :expectedresults:
+ 1. User is found and homedir is overridden.
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015
+ """
+ ad_domain = multihost.ad[0].domainname
+
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user and group
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+
+ sssd_params = {
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'ldap_id_mapping': 'False',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.sssd_conf('nss', {'override_homedir': '/home/%P/%u'})
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}@{ad_domain}',
+ raiseonerr=False
+ )
+
+ # Evaluate test results
+ assert f'/home/{aduser}@{ad_domain.upper()}/{aduser}' in\
+ usr_cmd.stdout_text
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0007_ad_parameters_homedir_override_domain(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir
+ to UPN and login name in domain section
+ :id: 76b021af-37cb-49a4-8109-d2cf99f05c48
+ :setup:
+ 1. Configure homedir override in domain section,
+ clear cache and restart sssd.
+ 2. Create an AD user.
+ :steps:
+ 1. Run getent passwd for the user and verify the home location.
+ :expectedresults:
+ 1. User is found and homedir is overridden.
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user and group
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'ldap_id_mapping': 'False',
+ 'override_homedir': '/home/%P/%u'
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}@{ad_domain}',
+ raiseonerr=False
+ )
+
+ # Evaluate test results
+ assert f'/home/{aduser}@{ad_domain.upper()}/{aduser}' in\
+ usr_cmd.stdout_text
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0008_ad_parameters_homedir_override_both(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir
+ in both nss and domain section
+ :id: ffa3f09e-7f16-463f-9828-edf9491bfb2e
+ :setup:
+ 1. Configure homedir override both in nss and domain sections,
+ clear cache and restart sssd.
+ 2. Create an AD user.
+ :steps:
+ 1. Run getent passwd for the user and verify the home location.
+ :expectedresults:
+ 1. User is found and homedir is overridden by domain template.
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user and group
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'ldap_id_mapping': 'False',
+ 'override_homedir': '/home/%u/%P',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.sssd_conf('nss', {'override_homedir': '/home/%P/%u'})
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}@{ad_domain}',
+ raiseonerr=False
+ )
+ # Evaluate test results
+ assert f'/home/{aduser}/{aduser}@{ad_domain.upper()}' in\
+ usr_cmd.stdout_text
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0009_ad_parameters_ldap_sasl_full(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Using full principal
+ bz877972
+ :id: 9b71822b-09e0-48f9-9163-3b547364364e
+ :setup:
+ 1. Configure ldap_sasl_authid to host/<HOSTNAME>@<AD_REALM>
+ clear cache and restart sssd.
+ 2. Create an AD user.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Run su for the user.
+ 3. Check sssd domain log for expected messages:
+ Option ldap_sasl_authid has value host/<HOSTNAME>@<AD_REALM>
+ authid contains realm [<AD_REALM>]
+ Will look for host/<HOSTNAME>@<AD_REALM> in
+ Trying to find principal host/<HOSTNAME>@<AD_REALM> in keytab
+ Principal matched to the sample (host/<HOSTNAME>@<AD_REALM>)
+ :expectedresults:
+ 1. User is found.
+ 2. Su passes.
+ 3. Expected lines are in the log.
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=877972
+ """
+ ad_domain = multihost.ad[0].domainname
+
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': multihost.ad[0].hostname,
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ #'ldap_id_mapping': 'False',
+ 'ldap_sasl_authid': f'host/{shortname}.{ad_domain}@{ad_realm}',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").
\
+ decode('utf-8')
+
+ # TODO: DELETE
+ multihost.client[0].run_command(
+ f"cat /var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log",
+ raiseonerr=False
+ )
+
+ assert f"Option ldap_sasl_authid has value host/{shortname}.{ad_domain}@{ad_realm}" in log_str
+ assert f"authid contains realm" in log_str
+ assert f"Will look for host/{shortname}.{ad_domain}@{ad_realm} in" in log_str
+ assert f"Trying to find principal host/{shortname}.{ad_domain}@{ad_realm} in keytab" in log_str
+ assert f"Principal matched to the sample (host/{shortname}.{ad_domain}@{ad_realm})" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert su_cmd.returncode == 0, f"Su for user {aduser} failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0010_ad_parameters_ldap_sasl_short(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Using short principal
+ :id: 6f1cc204-0dd3-40eb-a3e2-a113cc7c2df3
+ :setup:
+ 1. Configure ,
+ clear cache and restart sssd.
+ 2. Create an AD user.
+ :steps:
+ 1. Run getent passwd for the user and verify the home location.
+ :expectedresults:
+ 1. User is found and homedir is overridden.
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': multihost.ad[0].hostname,
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ #'ldap_id_mapping': 'False',
+ 'ldap_sasl_authid': f'host/{shortname}',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ # TODO: DELETE
+ multihost.client[0].run_command(
+ f"cat /var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log",
+ raiseonerr=False
+ )
+ # Evaluate test results
+ assert f"Option ldap_sasl_authid has value host/{shortname}" in log_str
+ assert f"authid contains realm" not in log_str
+ assert f"Will look for host/{shortname}.{ad_domain}@{ad_realm} in" in log_str
+ assert f"Trying to find principal host/{shortname}.{ad_domain}@{ad_realm} in keytab" in log_str
+ assert f"Principal matched to the sample (host/{shortname}.{ad_domain}@{ad_realm})" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert su_cmd.returncode == 0, f"Su for user {aduser} failed!"
+
+# rlPhaseStartTest "Using full principal bz877972"
+#
+# default_sssd_conf
+# unindent <<<"
+# ad_server = $AD_SERVER1
+# ad_domain = $AD_DOMAIN1
+# ldap_sasl_authid=host/$HOSTNAME@$AD_SERVER1_REALM
+# " >> /etc/sssd/sssd.conf
+# sssd_clear_logs
+# sssd_restart_clean
+# sssd_unprivileged_user_test
+#
+# rlAssertGrep "Option ldap_sasl_authid has value host/$HOSTNAME@$AD_SERVER1_REALM" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "authid contains realm \[$AD_SERVER1_REALM\]" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Will look for host/$HOSTNAME@$AD_SERVER1_REALM in" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Trying to find principal host/$HOSTNAME@$AD_SERVER1_REALM in keytab" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Principal matched to the sample (host/$HOSTNAME@$AD_SERVER1_REALM)" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+#
+# rlRun "getent passwd testuser01-${JOBID}"
+# rlRun "su_success testuser01-${JOBID} Secret123"
+# rlPhaseEnd
+#
+#
+# rlPhaseStartTest "Using short principal"
+#
+# default_sssd_conf
+# unindent <<<"
+# ad_server = $AD_SERVER1
+# ad_domain = $AD_DOMAIN1
+# ldap_sasl_authid=host/$HOSTNAME
+# " >> /etc/sssd/sssd.conf
+# sssd_clear_logs
+# sssd_restart_clean
+# sssd_unprivileged_user_test
+#
+# rlAssertGrep "Option ldap_sasl_authid set to host/$HOSTNAME" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertNotGrep "authid contains realm" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Will look for host/$HOSTNAME@$AD_SERVER1_REALM in" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Trying to find principal host/$HOSTNAME@$AD_SERVER1_REALM in keytab" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Principal matched to the sample (host/$HOSTNAME@$AD_SERVER1_REALM)" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+#
+# rlRun "getent passwd testuser01-${JOBID}"
+# rlRun "su_success testuser01-${JOBID} Secret123"
+#
+# rlPhaseEnd
+
+
@staticmethod + @pytest.mark.tier1 + def test_0011_ad_parameters_server_resolvable(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to + resolvable hostname + :id: 4493644f-9a03-4c50-9d87-3683d05152a0 + :setup: + 1. Configure, ad_server to resolvable name + clear cache and restart sssd. + 2. Create an AD user and group. + :steps: + 1. Run getent passwd for the user and get uid. + 2. Run getent group for the group and get gid. + 3. Run getent passwd with uid. + 4. Run getent passwd with gid. + 5. Run su for the user. + 6. Search logs for specific messages in sssd domain log. + Option ad_domain has value <AD_DOMAIN1>. + Option krb5_realm set to <AD_SERVER1_REALM>. + :expectedresults: + 1. User is found. + 2. Group is found. + 3. User is found by uid. + 4. Group is found by gid. + 5. Su passes. + 6. The lines are present in the log. + :customerscenario: False + """ + ad_domain = multihost.ad[0].domainname + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip() + adjoin(membersw='adcli') + # Create AD user + (aduser, adgroup) = create_aduser_group + # Configure sssd + ad_realm = multihost.ad[0].domainname.upper() + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + sssd_params = { + 'debug_level': '9', + 'ad_domain': multihost.ad[0].domainname.lower(), + 'ad_server': multihost.ad[0].hostname, + 'use_fully_qualified_names': 'False', + 'cache_credentials': 'True', + } + client.sssd_conf(dom_section, sssd_params) + client.clear_sssd_cache() + + # Search for the user and get its uid + usr_cmd = multihost.client[0].run_command( + f'getent passwd {aduser} | cut -d: -f3', + raiseonerr=False + ) + uid = usr_cmd.stdout_text.rstrip() + + # Search for the group and get its gid + grp_cmd = multihost.client[0].run_command( + 
f'getent group {adgroup} | cut -d: -f3', + raiseonerr=False + ) + gid = grp_cmd.stdout_text.rstrip() + # Search for the user by uid + uid_cmd = multihost.client[0].run_command( + f'getent passwd {uid}', + raiseonerr=False + ) + # Search for the group by gid + gid_cmd = multihost.client[0].run_command( + f'getent group {gid}', + raiseonerr=False + ) + # Run su command + su_cmd = multihost.client[0].run_command( + f'su - {aduser} -c whoami', + raiseonerr=False + ) + + # Download the sssd domain log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \ + decode('utf-8') + + assert f"Option ad_domain has value {multihost.ad[0].domainname.lower()}" in log_str + assert f"Option krb5_realm set to {ad_realm}" in log_str + assert usr_cmd.returncode == 0, f"User {aduser} was not found!" + assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!" + assert uid_cmd.returncode == 0, f"User with {uid} was not found!" + assert gid_cmd.returncode == 0, f"Group with {gid} was not found!" + assert su_cmd.returncode == 0, "The su command failed!" + + @staticmethod + @pytest.mark.tier1 + def test_0012_ad_parameters_server_unresolvable(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to + unresolvable hostname + :id: d3e96e63-5e17-4bc9-b35e-86b80fa3bcec + :setup: + 1. Configure, ad_server to an unresolvable name + clear cache and restart sssd. + 2. Create an AD user and group. + :steps: + 1. Run getent passwd for the user. + 2. Search logs for specific message(s) in sssd domain log. + Failed to resolve server 'unresolved.<AD_DOMAIN1>' + Going offline + :expectedresults: + 1. User is not found. + 2. The line(s) are present in the log. 
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ # hostname_cmd = multihost.client[0].run_command(
+ # 'hostname -s',
+ # raiseonerr=False
+ # )
+ # shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': f'unresolved.{multihost.ad[0].domainname.lower()}',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"Failed to resolve server 'unresolved." \
+ f"{multihost.ad[0].domainname.lower()}': " \
+ f"Domain name not found" in log_str
+ assert f"Going offline" in log_str
+ assert usr_cmd.returncode == 2, f"User {aduser} was found!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0013_ad_parameters_server_srv_record(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ blank which defaults to srv record
+ :id: f87672d8-d462-4673-a4d7-6b55a4c05925
+ :setup:
+ 1. Configure, ad_server to _srv_ record
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Run getent group for the group.
+ 3. Run su for the user.
+ 4. Search logs for specific message(s) in sssd domain log.
+ Marking SRV lookup of service 'AD' as 'resolved'
+ :expectedresults:
+ 1. User is found.
+ 2. Group is found.
+ 3. Su passes.
+ 4. The line(s) are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': '_srv_',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ uid = usr_cmd.stdout_text.rstrip()
+
+ # Search for the group and get its gid
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {adgroup}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"Marking SRV lookup of service 'AD' as 'resolved'" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0014_ad_parameters_server_blank(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ blank which defaults to srv record
+ :id: b7d7b556-22a6-41d8-93db-6834ef3e9688
+ :setup:
+ 1. Configure, ad_server to blank
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Run getent group for the group.
+ 3. Run su for the user.
+ 4. Search logs for specific message(s) in sssd domain log.
+ No AD server set, will use service discovery
+ :expectedresults:
+ 1. User is found.
+ 2. Group is found.
+ 3. Su passes.
+ 4. The line(s) are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': '',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ uid = usr_cmd.stdout_text.rstrip()
+
+ # Search for the group and get its gid
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {adgroup}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"No AD server set, will use service discovery" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+# rlPhaseStartTest "Set ad server to blank which defaults to srv record"
+# sed -i 's/ad_server=_srv_/ad_server=/' /etc/sssd/sssd.conf
+#
+# sssd_clear_logs
+# sssd_restart_clean
+#
+# rlRun "getent passwd testuser01-${JOBID}"
+# rlRun "getent group testgroup01-${JOBID}"
+# rlRun "su_success testuser01-${JOBID} Secret123"
+# rlAssertGrep "No AD server set, will use service discovery" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlPhaseEnd
\ No newline at end of file