URL: https://github.com/SSSD/sssd/pull/5817 Author: shridhargadekar Title: #5817: Tests: pam_sss_gss.so doesn't work with large kerberos tickets #5815 Action: opened
PR body: """ Verifies: #5568 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5817/head:pr5817 git checkout pr5817
From 119794f2ef5492dcaa82c3ecd004416c0ee26b04 Mon Sep 17 00:00:00 2001 From: Shridhar Gadekar <sgade...@sgadekar.pnq.csb> Date: Wed, 6 Oct 2021 18:49:05 +0530 Subject: [PATCH] Tests: pam_sss_gss.so doesn't work with large kerberos tickets #5815 Verifies: #5568 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657 --- src/tests/multihost/ipa/test_adtrust.py | 76 +++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py index b3dae24700..d5f039b0f6 100644 --- a/src/tests/multihost/ipa/test_adtrust.py +++ b/src/tests/multihost/ipa/test_adtrust.py 
@@ -292,3 +292,79 @@ def test_nss_get_by_name_with_private_group(self, multihost):
 assert cmd_adm.returncode == 0, 'Something wrong with setup!'
 assert cmd_usr.returncode == 0, \
 f"pysss_nss_idmap.getsidbyname for {username} failed"
+
+ def test_sudo_kerberos_ticket(self, multihost, create_aduser_group):
+ """
+ :title: Verify pam_sss_gss.so can handle large kerberos ticket
+ for sudo
+ :id: 456ea53b-6702-4b8e-beb1-eee841b85fed
+ :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
+ :steps:
+ 1. Add sudo rule in IPA-server for AD-users
+ 2. Modify /etc/krb5.conf.d/kcm_default_ccache to specify location
+ of storing a TGT
+ 3. Enable pam_sss_gss.so for auth in /etc/pam.d/{sudo,sudo-i} files
+ 4. Add a sudo rule for AD-user
+ 5. Log in on ipa-client as AD-user
+ 6. Run kinit and fetch tgt
+ 7. Run sudo command
+ 8. Remove sudo cache
+ 9. Run sudo command again
+ :expectedresults:
+ 1. Should succeed
+ 2. Should succeed
+ 3. Should succeed
+ 4. Should succeed
+ 5. Should succeed
+ 6. Should succeed
+ 7. Should not ask password, and should succeed
+ 8. Should succeed
+ 9. Should not ask password, and should succeed
+ """
+ (aduser, adgroup) = create_aduser_group
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ ipaserver = sssdTools(multihost.master[0])
+ cmd = 'dnf install -y sssd sssd-kcm'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ domain_name = ipaserver.get_domain_section_name()
+ domain_section = 'domain/{}'.format(domain_name)
+ params = {'pam_gssapi_services': 'sudo, sudo-i'}
+ client.sssd_conf(domain_section, params)
+ krbkcm = '/etc/krb5.conf.d/kcm_default_ccache'
+ bk_krbkcm = '/tmp/kcm_default_ccache'
+ src = 'KCM:'
+ dest = 'FILE:/tmp/krb5cc_%{uid}'
+ multihost.client[0].run_command(f'cp {krbkcm} {bk_krbkcm}')
+ cmd = "echo -e '[libdefaults]\n' \
+ ' default_ccache_name = FILE:/tmp/krb5cc_%{uid}:'"
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ multihost.client[0].service_sssd('restart')
+ pam_sss_gss = "auth sufficient pam_sss_gss.so debug"
+ for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
+ cmd = f'sed -i "1 i\{pam_sss_gss}" {pam_file}'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ cmd = f'echo "{aduser} ALL=(ALL) ALL" >> /etc/sudoers'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ try:
+ ssh = SSHClient(multihost.client[0].sys_hostname,
+ username=aduser, password='Secret123')
+
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail(f'{aduser} failed to login')
+ else:
+ (_, _, exit_status) = ssh.execute_cmd(f'kinit {aduser}',
+ stdin='Secret123')
+ assert exit_status == 0
+ (stdout, _, exit_status) = ssh.execute_cmd('sudo id')
+ assert 'uid=0(root)' in stdout.readlines()
+ (stdout, _, exit_status) = ssh.execute_cmd('sudo -k')
+ (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
+ assert '(ALL) ALL' in stdout.readlines()
+ client.sssd_conf(domain_section, params, action='delete')
+ for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
+ cmd = f'sed -i "1d" {pam_file}'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ cmd = f'sed -i "$ d" /etc/sudoers'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
+ cmd = f'mv {bk_krbkcm} {krbkcm}'
+ multihost.client[0].run_command(cmd, raiseonerr=False)
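Review bot: The krb5 snippet built at `cmd = "echo -e '[libdefaults]\n' ...` is never written anywhere — there is no `> {krbkcm}` redirection, so the backed-up `/etc/krb5.conf.d/kcm_default_ccache` stays untouched, the unused `src`/`dest` variables look like an unfinished `sed` replacement, and the trailing `:` after `%{uid}` reads like a typo; the test therefore runs against whatever ccache type the client already had and step 2 of the docstring is not exercised. More seriously, the teardown that strips `auth sufficient pam_sss_gss.so debug` from `/etc/pam.d/sudo{,-i}`, removes the appended `{aduser} ALL=(ALL) ALL` sudoers line and deletes `pam_gssapi_services` sits inside the `else:` branch after the asserts, so one failed assertion (or any exception from `SSHClient` other than `AuthenticationException`) leaves the client with an AD user holding unconditional root via sudo and a weakened PAM stack for every later test in the run. Move the teardown into a `finally:` (or a fixture), write the sudo rule to a drop-in that is removed with `rm -f` instead of `sed -i "$ d" /etc/sudoers` (which deletes whatever happens to be the last line, just as `sed -i "1d"` removes line 1 even when the insert failed silently under `raiseonerr=False`), and delete the PAM line by pattern. Also, `'uid=0(root)' in stdout.readlines()` and `'(ALL) ALL' in stdout.readlines()` are list-membership tests, i.e. whole-line equality including the trailing newline, not substring matches — given that `readlines()` is called on it, `assert 'uid=0(root)' in stdout.read()` (plus `assert exit_status == 0` after `sudo id`) is presumably what was intended.
```python
        multihost.client[0].run_command(f'cp {krbkcm} {bk_krbkcm}')
        # %{uid} is krb5.conf syntax, not an f-string placeholder: concatenate the path
        cmd = ("echo -e '[libdefaults]\\n default_ccache_name = "
               "FILE:/tmp/krb5cc_%{uid}' > " + krbkcm)
        multihost.client[0].run_command(cmd)
        multihost.client[0].service_sssd('restart')
        pam_sss_gss = "auth sufficient pam_sss_gss.so debug"
        # fixed name: sudoers.d ignores files containing '.', which an AD name may
        sudoers_dropin = '/etc/sudoers.d/pam_sss_gss_test'
        try:
            for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
                multihost.client[0].run_command(
                    f'sed -i "1 i\\{pam_sss_gss}" {pam_file}')
            multihost.client[0].run_command(
                f'echo "{aduser} ALL=(ALL) ALL" > {sudoers_dropin} && '
                f'chmod 0440 {sudoers_dropin} && visudo -cf {sudoers_dropin}')
            # … unchanged: SSHClient login, kinit, sudo id / sudo -k / sudo -l checks …
        finally:
            # Always undo the privilege changes, even when an assert above failed.
            client.sssd_conf(domain_section, params, action='delete')
            for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
                multihost.client[0].run_command(
                    f'sed -i "/^{pam_sss_gss}$/d" {pam_file}', raiseonerr=False)
            multihost.client[0].run_command(f'rm -f {sudoers_dropin}',
                                            raiseonerr=False)
            multihost.client[0].run_command(f'mv {bk_krbkcm} {krbkcm}',
                                            raiseonerr=False)
            multihost.client[0].service_sssd('restart')
```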