URL: https://github.com/SSSD/sssd/pull/5689 Author: jakub-vavra-cz Title: #5689: Tests: Add tests ported from bash for AD Parameters Domain Action: synchronized
From f03901b9f4682f68696abe9742a5aad22b931cfe Mon Sep 17 00:00:00 2001
From: Jakub Vavra <jva...@redhat.com>
Date: Fri, 25 Jun 2021 15:07:42 +0200
Subject: [PATCH] Tests: Initial draft of AD parameters tests ported from bash.
---
 .../multihost/ad/test_adparameters_all.py | 1144 +++++++++++++++++
 1 file changed, 1144 insertions(+)
 create mode 100644 src/tests/multihost/ad/test_adparameters_all.py
diff --git a/src/tests/multihost/ad/test_adparameters_all.py b/src/tests/multihost/ad/test_adparameters_all.py
new file mode 100644
index 0000000000..b39bc88bab
--- /dev/null
+++ b/src/tests/multihost/ad/test_adparameters_all.py
@@ -0,0 +1,1144 @@ +""" AD-Provider AD Parameters Domain tests ported from bash + +:requirement: ad_parameters +:casecomponent: sssd +:subsystemteam: sst_idm_sssd +:upstream: yes +""" +import time +import pytest + +from sssd.testlib.common.utils import sssdTools + + +@pytest.fixture(scope="class") +def change_client_hostname(session_multihost, request): + """ Change client hostname to a truncated version in the AD domain""" + cmd = session_multihost.client[0].run_command('hostname', raiseonerr=False) + old_hostname = cmd.stdout_text.rstrip() + ad_domain = session_multihost.ad[0].domainname + try: + new_hostname = session_multihost.client[0].external_hostname.\ + split('.')[0] + except (KeyError, AttributeError): + new_hostname = old_hostname.split('.')[0] + if new_hostname.startswith('ci-'): + new_hostname = new_hostname[3:] + new_hostname = new_hostname[:15] + "." + ad_domain + session_multihost.client[0].run_command( + f'hostname {new_hostname}', raiseonerr=False + ) + + def restore(): + """ Restore hostname """ + session_multihost.client[0].run_command( + f'hostname {old_hostname}', + raiseonerr=False + ) + request.addfinalizer(restore) + + +@pytest.mark.adparameters +@pytest.mark.usefixtures("change_client_hostname") +class TestADParamsPorted(): + """ BZ Automated Test Cases for AD Parameters Domain ported from bash""" + + @staticmethod + @pytest.mark.tier1 + def test_0001_ad_parameters_domain(multihost, adjoin, create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to + AD DOMAIN1 + :id: 08a256e6-a56e-4726-adba-b9093dce8ede + :setup: + 1. Configure short domain name, clear cache and restart sssd. + 2. Create AD user and group. + :steps: + 1. Run getent passwd for the user and group + 2. Run getent group for the group + 3. Run check that su can switch to the ad user in short domain + 4. Check the sssd domain log + :expectedresults: + 1. User is found + 2. Group is found + 3. Su works as expected + 4. 
Log contains the expected lines + Option ad_domain has value ... + Option krb5_realm set to ... + :customerscenario: False + """ + adjoin(membersw='adcli') + # Create AD user and group + (aduser, adgroup) = create_aduser_group + # Configure sssd + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + ad_realm = multihost.ad[0].domainname.upper() + ad_domain_short = ad_realm.rsplit('.', 1)[0] + sssd_params = { + 'ldap_id_mapping': 'False', + 'ad_domain': ad_realm, + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'krb5_store_password_if_offline': 'True', + 'full_name_format': '%2$s\\%1$s' + } + client.sssd_conf(dom_section, sssd_params) + client.clear_sssd_cache() + # Search for the user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {ad_domain_short}\\\\{aduser}', + raiseonerr=False + ) + # Search for the group + grp_cmd = multihost.client[0].run_command( + f'getent group {ad_domain_short}\\\\{adgroup}', + raiseonerr=False + ) + # Run su command + su_cmd = multihost.client[0].run_command( + f'su - {ad_domain_short}\\\\{aduser} -c whoami', + raiseonerr=False + ) + # Download the sssd domain log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\ + decode('utf-8') + # Evaluate test results + assert f"Option ad_domain has value {ad_realm}" in log_str + assert f"Option krb5_realm set to {ad_realm}" in log_str + assert usr_cmd.returncode == 0, f"User {aduser} was not found." + assert grp_cmd.returncode == 0, f"Group {adgroup} was not found." + assert su_cmd.returncode == 0, "The su command failed!" 
+ + @staticmethod + @pytest.mark.tier1 + def test_0002_ad_parameters_junk_domain(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to junk + and first entry in keytab is valid bz1091957 + :id: 760bda92-a67b-42bd-a55f-89d57e16e294 + :setup: + 1. Configure junk domain name, clear cache and restart sssd. + 2. Create AD user. + :steps: + 1. Check the sssd domain log for expected messages. + 2. Search for a user and check messages for segfault + :expectedresults: + 1. Log contains the expected lines: + No principal matching <hostname>$@JUNK found in keytab. + No principal matching host/*@JUNK found in keytab. + Selected realm: <ad_realm> + 2. There is no segfault in the /var/log/messages. + :customerscenario: False + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=1091957 + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + # Backup the configuration because with broken config we can't leave ad + client.backup_sssd_conf() + # Create AD user with posix attributes + (aduser, _) = create_aduser_group + # Configure sssd to ad_domain = junk + multihost.client[0].service_sssd('stop') + dom_section = f'domain/{client.get_domain_section_name()}' + ad_realm = multihost.ad[0].domainname.upper() + sssd_params = { + 'ldap_id_mapping': 'False', + 'ad_domain': 'junk', + 'ad_server': multihost.ad[0].hostname, + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'krb5_store_password_if_offline' : 'True', + 'fallback_homedir': '/home/%d/%u', + 'full_name_format': '%2$s\\%1$s', + } + client.sssd_conf(dom_section, sssd_params) + client.clear_sssd_cache() + + # Download sssd domain log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\ + decode('utf-8') + + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = 
hostname_cmd.stdout_text.rstrip().upper() + + #shortname = multihost.client[0].external_hostname.upper().\ + # split('.')[0] + + # Clean /var/log/messages so previous content does not interfere + multihost.client[0].run_command('truncate --size 0 /var/log/messages', + raiseonerr=False) + # Run getent passwd + multihost.client[0].run_command( + f'getent passwd {ad_realm}\\\\{aduser}', + raiseonerr=False + ) + # Download /var/log/messages + log_msg_str = multihost.client[0].get_file_contents( + '/var/log/messages').decode('utf-8') + # Restore sssd.conf + client.restore_sssd_conf() + + # Evaluate test results + assert f"No principal matching {shortname}$@JUNK found in keytab." in\ + log_str + assert "No principal matching host/*@JUNK found in keytab." in log_str + assert f"Selected realm: {ad_realm}" in log_str + assert "segfault" not in log_msg_str, "Segfault present in the log!" + + @staticmethod + @pytest.mark.tier1 + def test_0003_ad_parameters_junk_domain_invalid_keytab( + multihost, + adjoin, + create_aduser_group + ): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to junk + and first entry in keytab is invalid + :id: ed1a1607-f9f1-4d3c-afbe-c6c1a6ce330b + :setup: + 1. Create an AD user. + 2. Configure junk domain name in sssd.conf. + 3. Create keytab with first item with INVALIDDOMAIN.COM. + 4. Clear cache and restart sssd. + :steps: + 1. Run getent passwd for the user. + 2. Check the sssd domain log for expected messages. + :expectedresults: + 1. User is not found. + 2. Log contains the expected lines: + No principal matching host/*@JUNK found in keytab. + Selected realm: INVALIDDOMAIN.COM + Option krb5_realm set to JUNK + :teardown: + 1. Restore keytab. + 2. Remove AD user. 
+ :customerscenario: False + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=1091957 + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + # Backup the configuration because with broken config we can't leave ad + client.backup_sssd_conf() + # Create AD user with posix attributes + (aduser, _) = create_aduser_group + # Configure sssd with junk domain + multihost.client[0].service_sssd('stop') + dom_section = f'domain/{client.get_domain_section_name()}' + ad_realm = multihost.ad[0].domainname.upper() + ad_domain_short = ad_realm.rsplit('.', 1)[0] + sssd_params = { + 'ldap_id_mapping': 'False', + 'ad_domain': 'junk', + 'ad_server': multihost.ad[0].hostname, + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'krb5_store_password_if_offline': 'True', + 'fallback_homedir': '/home/%d/%u', + 'full_name_format': '%2$s\\%1$s', + } + client.sssd_conf(dom_section, sssd_params) + client.sssd_conf(dom_section, {'krb5_realm': 'delme'}, action='delete') + # Backup keytab + multihost.client[0].run_command( + 'cp /etc/krb5.keytab /etc/krb5.keytab.working', + raiseonerr=False + ) + # Create invalid keytab /tmp/first_invalid.keytab + + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip().upper() + + #shortname = multihost.client[0].external_hostname.upper().split('.')[0] + ktutil_cmd = f'echo -e "addent -password -p host/{shortname}@' \ + f'INVALIDDOMAIN.COM -k 2 -e rc4-hmac\\nSecret123\\nrkt ' \ + f'/etc/krb5.keytab\\nwkt /tmp/first_invalid.' 
\ + f'keytab\\nquit\\n" | ktutil' + multihost.client[0].run_command(ktutil_cmd, raiseonerr=False) + # Get keytab info for debugging purposes + multihost.client[0].run_command( + 'file /tmp/first_invalid.keytab', + raiseonerr=False + ) + # Place keytab with invalid first item + multihost.client[0].run_command( + 'cp -f /tmp/first_invalid.keytab /etc/krb5.keytab; ' + 'restorecon /etc/krb5.keytab; ', + raiseonerr=False + ) + # Clear cache and restart SSSD + client.clear_sssd_cache() + # Search for the AD user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {ad_domain_short}\\\\{aduser}', + raiseonerr=False + ) + # Download sssd log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\ + decode('utf-8') + # Restore keytab before test result evaluation + multihost.client[0].run_command( + 'cp -f /etc/krb5.keytab.working /etc/krb5.keytab; ' + 'restorecon /etc/krb5.keytab', + raiseonerr=False + ) + # Restore sssd config + client.restore_sssd_conf() + # Evaluate test results + assert usr_cmd.returncode == 2, f"{aduser} was unexpectedly found!" + assert "No principal matching host/*@JUNK found in keytab." in log_str + assert "Selected realm: INVALIDDOMAIN.COM" in log_str + assert "Option krb5_realm set to JUNK" in log_str + + @staticmethod + @pytest.mark.tier1 + def test_0004_ad_parameters_valid_domain_shorthost( + multihost, + adjoin, + create_aduser_group + ): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: ad domain is valid + and principal should default to SHORTHOST bz892197 + :id: 63700bc9-d9f7-4a15-94c8-b6ef23fd329b + :setup: + 1. Create an AD user. + 2. Clear cache and restart sssd. + :steps: + 1. Run getent passwd for the user. + 2. Check the sssd domain log for expected messages. + 3. Run su to the user. + :expectedresults: + 1. User is found. + 2. Log contains the expected line: + Trying to find principal <HOST_SHORT_PRINC>$@<AD_SERVER1_REALM> + 3. 
User is switched successfully. + :teardown: + 1. Remove AD user. + :customerscenario: False + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=892197 + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + # Backup the configuration because with broken config we can't leave ad + client.backup_sssd_conf() + # Create AD user with posix attributes + (aduser, _) = create_aduser_group + # Configure sssd to disable ldap_id_mapping and enable logging + multihost.client[0].service_sssd('stop') + dom_section = f'domain/{client.get_domain_section_name()}' + ad_realm = multihost.ad[0].domainname.upper() + ad_domain_short = ad_realm.rsplit('.', 1)[0] + sssd_params = { + 'ldap_id_mapping': 'False', + 'ad_domain': multihost.ad[0].domainname, + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'krb5_store_password_if_offline': 'True', + 'fallback_homedir': '/home/%d/%u', + 'full_name_format': '%2$s\\%1$s', + } + client.sssd_conf(dom_section, sssd_params) + # Clear cache and restart SSSD + client.clear_sssd_cache() + time.sleep(15) + # Download sssd log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\ + decode('utf-8') + + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip().upper() + #shortname = multihost.client[0].external_hostname.upper().\ + # split('.')[0] + # Search for the AD user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {ad_domain_short}\\\\{aduser}', + raiseonerr=False + ) + # Run su + su_cmd = multihost.client[0].run_command( + f'su - {ad_domain_short}\\\\{aduser} -c whoami', + raiseonerr=False + ) + # Restore sssd config + client.restore_sssd_conf() + # Evaluate test results + assert f"Trying to find principal {shortname}$@{ad_realm}" in log_str + assert usr_cmd.returncode == 0, f"User {aduser} was not found." 
+ assert su_cmd.returncode == 0, "The su command failed!" + + @staticmethod + @pytest.mark.tier1 + def test_0005_ad_parameters_blank_domain( + multihost, + adjoin, + create_aduser_group + ): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad domain to blank + should default to sssd domain + :id: 18f6ceac-283e-43e7-96b8-e4d8d7bda7d1 + :setup: + 1. Create an AD user. + 2. Configure blank domain name in sssd.conf. + 3. Clear cache and restart sssd. + :steps: + 1. Run getent passwd for the user. + 2. Check the sssd domain log for expected messages. + 3. Run su to the user. + :expectedresults: + 1. User is found + 2. Log contains the expected line: + Trying to find principal <HOST_SHORT_PRINC>$@<AD_SERVER1_REALM> + 3. User is switched successfully. + :teardown: + 1. Remove AD user. + :customerscenario: False + :bugzilla: + https://bugzilla.redhat.com/show_bug.cgi?id=892197 + """ + adjoin(membersw='adcli') + client = sssdTools(multihost.client[0], multihost.ad[0]) + # Backup the configuration because with broken config we can't leave ad + client.backup_sssd_conf() + # Create AD user with posix attributes + (aduser, adgroup) = create_aduser_group + # Configure sssd to disable ldap_id_mapping and enable logging + multihost.client[0].service_sssd('stop') + dom_section = f'domain/{client.get_domain_section_name()}' + ad_realm = multihost.ad[0].domainname.upper() + ad_domain_short = ad_realm.rsplit('.', 1)[0] + sssd_params = { + 'ldap_id_mapping': 'False', + 'ad_domain': '', + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'krb5_store_password_if_offline': 'True', + 'fallback_homedir': '/home/%d/%u', + 'full_name_format': '%2$s\\%1$s', + } + client.sssd_conf(dom_section, sssd_params) + # Clear cache and restart SSSD + client.clear_sssd_cache() + time.sleep(15) + # Search for the AD user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {ad_domain_short}\\\\{aduser}', + raiseonerr=False + ) + # Search for 
the AD group + grp_cmd = multihost.client[0].run_command( + f'getent group {ad_domain_short}\\\\{adgroup}', + raiseonerr=False + ) + # Run su + su_cmd = multihost.client[0].run_command( + f'su - {ad_domain_short}\\\\{aduser} -c whoami', + raiseonerr=False + ) + # Download sssd log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log").\ + decode('utf-8') + # Restore sssd config + client.restore_sssd_conf() + # Evaluate test results + assert "Option ad_domain has no value" in log_str + assert f"Option krb5_realm set to {ad_realm}" in log_str + assert usr_cmd.returncode == 0, f"User {aduser} was not found!" + assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!" + assert su_cmd.returncode == 0, "The su command failed!" + + + @staticmethod + @pytest.mark.tier1 + def test_0006_ad_parameters_homedir_override_nss(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir to + UPN and login name in nss section bz1137015 + :id: ea57bb9b-802b-40e4-ad6a-7ae0b4d3f927 + :setup: + 1. Configure homedir override in nss section, + clear cache and restart sssd. + 2. Create an AD user. + :steps: + 1. Run getent passwd for the user and verify the home location. + :expectedresults: + 1. User is found and homedir is overridden. 
+ :customerscenario: False + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015 + """ + ad_domain = multihost.ad[0].domainname + + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip() + adjoin(membersw='adcli') + # Create AD user and group + (aduser, _) = create_aduser_group + # Configure sssd + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + + sssd_params = { + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'ldap_id_mapping': 'False', + } + client.sssd_conf(dom_section, sssd_params) + client.sssd_conf('nss', {'override_homedir': '/home/%P/%u'}) + client.clear_sssd_cache() + # Search for the user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {aduser}@{ad_domain}', + raiseonerr=False + ) + + # Evaluate test results + assert f'/home/{aduser}@{ad_domain.upper()}/{aduser}' in\ + usr_cmd.stdout_text + + @staticmethod + @pytest.mark.tier1 + def test_0007_ad_parameters_homedir_override_domain(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir + to UPN and login name in domain section + :id: 76b021af-37cb-49a4-8109-d2cf99f05c48 + :setup: + 1. Configure homedir override in domain section, + clear cache and restart sssd. + 2. Create an AD user. + :steps: + 1. Run getent passwd for the user and verify the home location. + :expectedresults: + 1. User is found and homedir is overridden. 
+ :customerscenario: False + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015 + """ + ad_domain = multihost.ad[0].domainname + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip() + adjoin(membersw='adcli') + # Create AD user and group + (aduser, _) = create_aduser_group + # Configure sssd + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + sssd_params = { + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'ldap_id_mapping': 'False', + 'override_homedir': '/home/%P/%u' + } + client.sssd_conf(dom_section, sssd_params) + client.clear_sssd_cache() + # Search for the user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {aduser}@{ad_domain}', + raiseonerr=False + ) + + # Evaluate test results + assert f'/home/{aduser}@{ad_domain.upper()}/{aduser}' in\ + usr_cmd.stdout_text + + @staticmethod + @pytest.mark.tier1 + def test_0008_ad_parameters_homedir_override_both(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: override homedir + in both nss and domain section + :id: ffa3f09e-7f16-463f-9828-edf9491bfb2e + :setup: + 1. Configure homedir override both in nss and domain sections, + clear cache and restart sssd. + 2. Create an AD user. + :steps: + 1. Run getent passwd for the user and verify the home location. + :expectedresults: + 1. User is found and homedir is overridden by domain template. 
+ :customerscenario: False + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015 + """ + ad_domain = multihost.ad[0].domainname + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip() + adjoin(membersw='adcli') + # Create AD user and group + (aduser, _) = create_aduser_group + # Configure sssd + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + sssd_params = { + 'debug_level': '9', + 'use_fully_qualified_names': 'True', + 'cache_credentials': 'True', + 'ldap_id_mapping': 'False', + 'override_homedir': '/home/%u/%P', + } + client.sssd_conf(dom_section, sssd_params) + client.sssd_conf('nss', {'override_homedir': '/home/%P/%u'}) + client.clear_sssd_cache() + # Search for the user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {aduser}@{ad_domain}', + raiseonerr=False + ) + # Evaluate test results + assert f'/home/{aduser}/{aduser}@{ad_domain.upper()}' in\ + usr_cmd.stdout_text + + @staticmethod + @pytest.mark.tier1 + def test_0009_ad_parameters_ldap_sasl_full(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Using full principal + bz877972 + :id: 9b71822b-09e0-48f9-9163-3b547364364e + :setup: + 1. Configure ldap_sasl_authid to host/<HOSTNAME>@<AD_REALM> + clear cache and restart sssd. + 2. Create an AD user. + :steps: + 1. Run getent passwd for the user. + 2. Run su for the user. + 3. Check sssd domain log for expected messages: + Option ldap_sasl_authid has value host/<HOSTNAME>@<AD_REALM> + authid contains realm [<AD_REALM>] + Will look for host/<HOSTNAME>@<AD_REALM> in + Trying to find principal host/<HOSTNAME>@<AD_REALM> in keytab + Principal matched to the sample (host/<HOSTNAME>@<AD_REALM>) + :expectedresults: + 1. User is found. + 2. Su passes. + 3. Expected lines are in the log. 
+ :customerscenario: False + :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=877972 + """ + ad_domain = multihost.ad[0].domainname + + hostname_cmd = multihost.client[0].run_command( + 'hostname -s', + raiseonerr=False + ) + shortname = hostname_cmd.stdout_text.rstrip() + adjoin(membersw='adcli') + # Create AD user + (aduser, _) = create_aduser_group + # Configure sssd + ad_realm = multihost.ad[0].domainname.upper() + multihost.client[0].service_sssd('stop') + client = sssdTools(multihost.client[0], multihost.ad[0]) + dom_section = f'domain/{client.get_domain_section_name()}' + sssd_params = { + 'debug_level': '9', + 'ad_domain': multihost.ad[0].domainname.lower(), + 'ad_server': multihost.ad[0].hostname, + 'use_fully_qualified_names': 'False', + 'cache_credentials': 'True', + #'ldap_id_mapping': 'False', + 'ldap_sasl_authid': f'host/{shortname}.{ad_domain}@{ad_realm}', + } + client.sssd_conf(dom_section, sssd_params) + client.clear_sssd_cache() + # Search for the user + usr_cmd = multihost.client[0].run_command( + f'getent passwd {aduser}', + raiseonerr=False + ) + # Run su command + su_cmd = multihost.client[0].run_command( + f'su - {aduser} -c whoami', + raiseonerr=False + ) + # Download the sssd domain log + log_str = multihost.client[0].get_file_contents( + f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). 
\ + decode('utf-8') + + # TODO: DELETE + multihost.client[0].run_command( + f"cat /var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log", + raiseonerr=False + ) + + assert f"Option ldap_sasl_authid has value host/{shortname}.{ad_domain}@{ad_realm}" in log_str + assert f"authid contains realm" in log_str + assert f"Will look for host/{shortname}.{ad_domain}@{ad_realm} in" in log_str + assert f"Trying to find principal host/{shortname}.{ad_domain}@{ad_realm} in keytab" in log_str + assert f"Principal matched to the sample (host/{shortname}.{ad_domain}@{ad_realm})" in log_str + assert usr_cmd.returncode == 0, f"User {aduser} was not found!" + assert su_cmd.returncode == 0, f"Su for user {aduser} failed!" + + @staticmethod + @pytest.mark.tier1 + def test_0010_ad_parameters_ldap_sasl_short(multihost, adjoin, + create_aduser_group): + """ + :title: IDM-SSSD-TC: ad_provider: ad_parameters: Using short principal + :id: 6f1cc204-0dd3-40eb-a3e2-a113cc7c2df3 + :setup: + 1. Configure , + clear cache and restart sssd. + 2. Create an AD user. + :steps: + 1. Run getent passwd for the user and verify the home location. + :expectedresults: + 1. User is found and homedir is overridden. 
+ :customerscenario: False
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1137015
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, _) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': multihost.ad[0].hostname,
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ #'ldap_id_mapping': 'False',
+ 'ldap_sasl_authid': f'host/{shortname}',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+ # Search for the user
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ # TODO: DELETE
+ multihost.client[0].run_command(
+ f"cat /var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log",
+ raiseonerr=False
+ )
+ # Evaluate test results
+ assert f"Option ldap_sasl_authid has value host/{shortname}" in log_str
+ assert f"authid contains realm" not in log_str
+ assert f"Will look for host/{shortname}.{ad_domain}@{ad_realm} in" in log_str
+ assert f"Trying to find principal host/{shortname}.{ad_domain}@{ad_realm} in keytab" in log_str
+ assert f"Principal matched to the sample (host/{shortname}.{ad_domain}@{ad_realm})" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert su_cmd.returncode == 0, f"Su for user {aduser} failed!"
+
+# rlPhaseStartTest "Using full principal bz877972"
+#
+# default_sssd_conf
+# unindent <<<"
+# ad_server = $AD_SERVER1
+# ad_domain = $AD_DOMAIN1
+# ldap_sasl_authid=host/$HOSTNAME@$AD_SERVER1_REALM
+# " >> /etc/sssd/sssd.conf
+# sssd_clear_logs
+# sssd_restart_clean
+# sssd_unprivileged_user_test
+#
+# rlAssertGrep "Option ldap_sasl_authid has value host/$HOSTNAME@$AD_SERVER1_REALM" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "authid contains realm \[$AD_SERVER1_REALM\]" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Will look for host/$HOSTNAME@$AD_SERVER1_REALM in" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Trying to find principal host/$HOSTNAME@$AD_SERVER1_REALM in keytab" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Principal matched to the sample (host/$HOSTNAME@$AD_SERVER1_REALM)" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+#
+# rlRun "getent passwd testuser01-${JOBID}"
+# rlRun "su_success testuser01-${JOBID} Secret123"
+# rlPhaseEnd
+#
+#
+# rlPhaseStartTest "Using short principal"
+#
+# default_sssd_conf
+# unindent <<<"
+# ad_server = $AD_SERVER1
+# ad_domain = $AD_DOMAIN1
+# ldap_sasl_authid=host/$HOSTNAME
+# " >> /etc/sssd/sssd.conf
+# sssd_clear_logs
+# sssd_restart_clean
+# sssd_unprivileged_user_test
+#
+# rlAssertGrep "Option ldap_sasl_authid set to host/$HOSTNAME" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertNotGrep "authid contains realm" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Will look for host/$HOSTNAME@$AD_SERVER1_REALM in" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Trying to find principal host/$HOSTNAME@$AD_SERVER1_REALM in keytab" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+# rlAssertGrep "Principal matched to the sample (host/$HOSTNAME@$AD_SERVER1_REALM)" "/var/log/sssd/sssd_$AD_DOMAIN1.log"
+#
+# rlRun "getent passwd testuser01-${JOBID}"
+# rlRun "su_success testuser01-${JOBID} Secret123"
+
+# rlPhaseEnd
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0011_ad_parameters_server_resolvable(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ resolvable hostname
+ :id: 4493644f-9a03-4c50-9d87-3683d05152a0
+ :setup:
+ 1. Configure, ad_server to resolvable name
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user and get uid.
+ 2. Run getent group for the group and get gid.
+ 3. Run getent passwd with uid.
+ 4. Run getent passwd with gid.
+ 5. Run su for the user.
+ 6. Search logs for specific messages in sssd domain log.
+ Option ad_domain has value <AD_DOMAIN1>.
+ Option krb5_realm set to <AD_SERVER1_REALM>.
+ :expectedresults:
+ 1. User is found.
+ 2. Group is found.
+ 3. User is found by uid.
+ 4. Group is found by gid.
+ 5. Su passes.
+ 6. The lines are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': multihost.ad[0].hostname,
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser} | cut -d: -f3',
+ raiseonerr=False
+ )
+ uid = usr_cmd.stdout_text.rstrip()
+
+ # Search for the group and get its gid
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {adgroup} | cut -d: -f3',
+ raiseonerr=False
+ )
+ gid = grp_cmd.stdout_text.rstrip()
+ # Search for the user by uid
+ uid_cmd = multihost.client[0].run_command(
+ f'getent passwd {uid}',
+ raiseonerr=False
+ )
+ # Search for the group by gid
+ gid_cmd = multihost.client[0].run_command(
+ f'getent group {gid}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"Option ad_domain has value {multihost.ad[0].domainname.lower()}" in log_str
+ assert f"Option krb5_realm set to {ad_realm}" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert uid_cmd.returncode == 0, f"User with {uid} was not found!"
+ assert gid_cmd.returncode == 0, f"Group with {gid} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0012_ad_parameters_server_unresolvable(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ unresolvable hostname
+ :id: d3e96e63-5e17-4bc9-b35e-86b80fa3bcec
+ :setup:
+ 1. Configure, ad_server to an unresolvable name
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Search logs for specific message(s) in sssd domain log.
+ Failed to resolve server 'unresolved.<AD_DOMAIN1>'
+ Going offline
+ :expectedresults:
+ 1. User is not found.
+ 2. The line(s) are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ # hostname_cmd = multihost.client[0].run_command(
+ # 'hostname -s',
+ # raiseonerr=False
+ # )
+ # shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': f'unresolved.{multihost.ad[0].domainname.lower()}',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"Failed to resolve server 'unresolved." \
+ f"{multihost.ad[0].domainname.lower()}': " \
+ f"Domain name not found" in log_str
+ assert f"Going offline" in log_str
+ assert usr_cmd.returncode == 2, f"User {aduser} was found!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0013_ad_parameters_server_srv_record(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ blank which defaults to srv record
+ :id: f87672d8-d462-4673-a4d7-6b55a4c05925
+ :setup:
+ 1. Configure, ad_server to _srv_ record
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Run getent group for the group.
+ 3. Run su for the user.
+ 4. Search logs for specific message(s) in sssd domain log.
+ Marking SRV lookup of service 'AD' as 'resolved'
+ :expectedresults:
+ 1. User is found.
+ 2. Group is found.
+ 3. Su passes.
+ 4. The line(s) are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': '_srv_',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ uid = usr_cmd.stdout_text.rstrip()
+
+ # Search for the group and get its gid
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {adgroup}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"Marking SRV lookup of service 'AD' as 'resolved'" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"
+
+ @staticmethod
+ @pytest.mark.tier1
+ def test_0014_ad_parameters_server_blank(multihost, adjoin,
+ create_aduser_group):
+ """
+ :title: IDM-SSSD-TC: ad_provider: ad_parameters: Set ad server to
+ blank which defaults to srv record
+ :id: b7d7b556-22a6-41d8-93db-6834ef3e9688
+ :setup:
+ 1. Configure, ad_server to blank
+ clear cache and restart sssd.
+ 2. Create an AD user and group.
+ :steps:
+ 1. Run getent passwd for the user.
+ 2. Run getent group for the group.
+ 3. Run su for the user.
+ 4. Search logs for specific message(s) in sssd domain log.
+ No AD server set, will use service discovery
+ :expectedresults:
+ 1. User is found.
+ 2. Group is found.
+ 3. Su passes.
+ 4. The line(s) are present in the log.
+ :customerscenario: False
+ """
+ ad_domain = multihost.ad[0].domainname
+ hostname_cmd = multihost.client[0].run_command(
+ 'hostname -s',
+ raiseonerr=False
+ )
+ shortname = hostname_cmd.stdout_text.rstrip()
+ adjoin(membersw='adcli')
+ # Create AD user
+ (aduser, adgroup) = create_aduser_group
+ # Configure sssd
+ ad_realm = multihost.ad[0].domainname.upper()
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ dom_section = f'domain/{client.get_domain_section_name()}'
+ sssd_params = {
+ 'debug_level': '9',
+ 'ad_domain': multihost.ad[0].domainname.lower(),
+ 'ad_server': '',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ }
+ client.sssd_conf(dom_section, sssd_params)
+ client.clear_sssd_cache()
+
+ # Search for the user and get its uid
+ usr_cmd = multihost.client[0].run_command(
+ f'getent passwd {aduser}',
+ raiseonerr=False
+ )
+ uid = usr_cmd.stdout_text.rstrip()
+
+ # Search for the group and get its gid
+ grp_cmd = multihost.client[0].run_command(
+ f'getent group {adgroup}',
+ raiseonerr=False
+ )
+ # Run su command
+ su_cmd = multihost.client[0].run_command(
+ f'su - {aduser} -c whoami',
+ raiseonerr=False
+ )
+
+ # Download the sssd domain log
+ log_str = multihost.client[0].get_file_contents(
+ f"/var/log/sssd/sssd_{multihost.ad[0].domainname.lower()}.log"). \
+ decode('utf-8')
+
+ assert f"No AD server set, will use service discovery" in log_str
+ assert usr_cmd.returncode == 0, f"User {aduser} was not found!"
+ assert grp_cmd.returncode == 0, f"Group {adgroup} was not found!"
+ assert su_cmd.returncode == 0, "The su command failed!"