Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

roles: adding gpo management to samba role #106

Merged
merged 1 commit into from
Sep 25, 2024
Merged

roles: adding gpo management to samba role #106

merged 1 commit into from
Sep 25, 2024

Conversation

danlavu
Copy link

@danlavu danlavu commented Jun 19, 2024
edited
Loading

  • added SambaSite object
  • added SambaComputer object
  • added GenericGPO class and methods
  • added some ldap variables to perform ldap functions

@danlavu danlavu added the enhancement New feature or request label Jun 19, 2024
@danlavu danlavu self-assigned this Jun 19, 2024
@danlavu danlavu marked this pull request as draft June 19, 2024 00:41
@danlavu danlavu force-pushed the gpo-samba branch 4 times, most recently from 442c11e to 1c200c0 Compare June 21, 2024 03:53
@danlavu danlavu force-pushed the gpo-samba branch 3 times, most recently from fc4e6ed to 66c2c69 Compare July 23, 2024 22:30
@danlavu danlavu force-pushed the gpo-samba branch 4 times, most recently from 2b2adee to 2d68966 Compare September 16, 2024 03:06
@danlavu danlavu mentioned this pull request Sep 16, 2024
Closed
@danlavu danlavu force-pushed the gpo-samba branch 2 times, most recently from 506357b to f315790 Compare September 16, 2024 04:59
@danlavu
Copy link
Author

danlavu commented Sep 16, 2024

I don't see why the type assignments are throwing the mypy errors.

sssd_test_framework/roles/samba.py:1022: error: Cannot assign to a method  [method-assign]
sssd_test_framework/roles/samba.py:1022: error: Incompatible types in assignment (expression has type "type[str]", variable has type "Callable[[str], str]")  [assignment]
sssd_test_framework/roles/samba.py:1031: error: Incompatible types in assignment (expression has type "list[SambaObject]", target has type "str")  [assignment]

For now I added ignores, the black failure, if I shorten the line, black just ends up reformatting it. It's exactly 120 chars.

sssd_test_framework/roles/samba.py:1043:120: E501 line too long (120 > 119 characters)

@danlavu
Copy link
Author

danlavu commented Sep 16, 2024
edited
Loading

It's working, and the failure is expected.

"sbose
Yes, fix for SSSD/sssd#7451 is missing."

collecting ... 

Selected tests will use the following hosts:
  client: client.test
  samba: dc.samba.test
  nfs: nfs.test

collected 616 items / 582 deselected / 34 selected

tests/test_gpo.py::test_gpo__is_set_to_enforcing[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[ssh] (samba) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[ssh] (samba) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[su] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[ssh] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[su] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[ssh] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[su] (samba) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[ssh] (samba) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[su] (samba) 
tests/test_gpo.py::test_gpo__map_interactive_disabling_login_su_and_su_l (samba) 
tests/test_gpo.py::test_gpo__map_remote_interactive_disabling_sshd (samba) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[ssh] (samba) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[su] (samba) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[ssh] (samba) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[su] (samba) 
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[ssh] (samba) 
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[su] (samba) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[ssh] (samba) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[su] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-ssh] (samba) PASSED      [  2%]PASSED     [  5%]PASSED [  8%]PASSED [ 11%]PASSED [ 14%]PASSED [ 17%]PASSED [ 20%]PASSED [ 23%]PASSED [ 26%]PASSED [ 29%]PASSED [ 32%]PASSED [ 35%]PASSED [ 38%]PASSED [ 41%]PASSED [ 44%]PASSED [ 47%]PASSED [ 50%]PASSED [ 52%]PASSED [ 55%]PASSED [ 58%]PASSED [ 61%]PASSED [ 64%]PASSED [ 67%]PASSED [ 70%]PASSED [ 73%]PASSED [ 76%]PASSED [ 79%]PASSED [ 82%]FAILED [ 85%]

@danlavu danlavu assigned pbrezina and spoore1 and unassigned danlavu Sep 16, 2024
@danlavu danlavu requested review from spoore1 and pbrezina September 16, 2024 12:47
@danlavu danlavu marked this pull request as ready for review September 16, 2024 17:17
@danlavu danlavu force-pushed the gpo-samba branch 3 times, most recently from e88705b to c677682 Compare September 16, 2024 18:58
@danlavu danlavu force-pushed the gpo-samba branch 2 times, most recently from 9dd19bd to 572c1d2 Compare September 16, 2024 19:31
spoore1
spoore1 previously approved these changes Sep 16, 2024
View reviewed changes
pbrezina
pbrezina requested changes Sep 18, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, you probably want to move the methods from GenericProvider to GenericADProvider.

There are some comments inside, otherwise LGTM. Good job!

sssd_test_framework/roles/ad.py Outdated Show resolved Hide resolved
sssd_test_framework/roles/ad.py Outdated Show resolved Hide resolved
sssd_test_framework/roles/generic.py Outdated Show resolved Hide resolved
sssd_test_framework/roles/generic.py Outdated Show resolved Hide resolved
sssd_test_framework/roles/generic.py Outdated Show resolved Hide resolved
sssd_test_framework/roles/generic.py Outdated Show resolved Hide resolved
@danlavu danlavu requested review from pbrezina September 18, 2024 22:21
pbrezina
pbrezina approved these changes Sep 20, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code-wise ack. I did not test it.

pbrezina
pbrezina requested changes Sep 20, 2024
View reviewed changes
sssd_test_framework/roles/ad.py Outdated Show resolved Hide resolved
@danlavu danlavu force-pushed the gpo-samba branch 3 times, most recently from 51fe80c to fb3e546 Compare September 20, 2024 17:57
@danlavu
Copy link
Author

danlavu commented Sep 20, 2024

@pbrezina, you haven't tested it, so here is my output from the latest update and updated test code, SSSD/sssd#7595

The failure is expected, as I mentioned before.

/home/dlavu/git/sssd/.venv/bin/python /opt/pycharm-2024.1.3/plugins/python/helpers/pycharm/_jb_pytest_runner.py --path tests -- --mh-config=mhc.yaml -v --mh-collect-logs=always -k test_gpo__ 
Testing started at 1:56 PM ...
Launching pytest with arguments --mh-config=mhc.yaml -v --mh-collect-logs=always -k test_gpo__ tests --no-header --no-summary -q in /home/dlavu/git/sssd/src/tests/system

Multihost configuration:
  provisioned_topologies:
  - client
  - ipa
  - ipa-trust-samba
  - ldap
  - samba
  domains:
  - id: sssd
    hosts:
    - hostname: client.test
      role: client
      artifacts:
      - /etc/sssd/*
      - /var/log/sssd/*
      - /var/lib/sss/db/*
    - hostname: master.ldap.test
      role: ldap
      config:
        binddn: cn=Directory Manager
        bindpw: Secret123
        client:
          ldap_tls_reqcert: demand
          ldap_tls_cacert: /data/certs/ca.crt
          dns_discovery_domain: ldap.test
          id_provider: ldap
          ldap_uri: ldap://master.ldap.test
    - hostname: master.ipa.test
      role: ipa
      config:
        client:
          ipa_domain: ipa.test
          krb5_keytab: /enrollment/ipa.test.keytab
          ldap_krb5_keytab: /enrollment/ipa.test.keytab
          id_provider: ipa
          access_provider: ipa
          ipa_server: master.ipa.test
          dyndns_update: false
    - hostname: dc.ad.test
      role: ad
      os:
        family: windows
      conn:
        type: ssh
        username: [email protected]
        password: vagrant
      config:
        adminpw: vagrant
        client:
          ad_domain: ad.test
          id_provider: ad
          access_provider: ad
          ad_server: dc.ad.test
          dyndns_update: false
    - hostname: dc.samba.test
      role: samba
      config:
        binddn: CN=Administrator,CN=Users,DC=samba,DC=test
        bindpw: Secret123
        client:
          ad_domain: samba.test
          krb5_keytab: /enrollment/samba.test.keytab
          ldap_krb5_keytab: /enrollment/samba.test.keytab
          id_provider: ad
          access_provider: ad
          ad_server: dc.samba.test
          dyndns_update: false
    - hostname: nfs.test
      role: nfs
      config:
        exports_dir: /dev/shm/exports
    - hostname: kdc.test
      role: kdc
      config:
        realm: TEST
        domain: test
        client:
          krb5_server: kdc.test
          krb5_kpasswd: kdc.test
          krb5_realm: TEST
          auth_provider: krb5

Detected topology:
  - id: sssd
    hosts:
      client: 1
      ldap: 1
      ipa: 1
      ad: 1
      samba: 1
      nfs: 1
      kdc: 1

Additional settings:
  config file: mhc.yaml
  log path: None
  lazy ssh: False
  topology filter: 
  require exact topology: False
  collect artifacts: on-failure
  artifacts directory: artifacts
  collect logs: always

============================= test session starts ==============================
collecting ... 

Selected tests will use the following hosts:
  client: client.test
  ad: dc.ad.test
  samba: dc.samba.test
  nfs: nfs.test

collected 616 items / 542 deselected / 74 selected

tests/test_gpo.py::test_gpo__is_set_to_enforcing[su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing[ssh] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[ssh] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[ssh] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[ssh] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[ssh] (ad) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[ssh] (ad) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[su] (ad) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[ssh] (ad) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[su] (ad) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[ssh] (ad) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[su] (ad) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[ssh] (ad) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[su] (ad) 
tests/test_gpo.py::test_gpo__sites_inheritance_using_gpo_link_order[ssh] (ad) 
tests/test_gpo.py::test_gpo__sites_inheritance_using_gpo_link_order[su] (ad) 
tests/test_gpo.py::test_gpo__map_interactive_disabling_login_su_and_su_l (ad) 
tests/test_gpo.py::test_gpo__map_remote_interactive_disabling_sshd (ad) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[ssh] (ad) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[su] (ad) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[ssh] (ad) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[su] (ad) 
tests/test_gpo.py::test_gpo__only_needs_host_security_filters_and_permissions[ssh] (ad) 
tests/test_gpo.py::test_gpo__only_needs_host_security_filters_and_permissions[su] (ad) 
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[ssh] (ad) 
tests/test_gpo.py::test_gpo__skips_unreadable_gpo_policies[su] (ad) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[ssh] (ad) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[su] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-ssh] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-su] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[false-ssh] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[false-su] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[hybrid-ssh] (ad) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[hybrid-su] (ad) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_enforcing_with_no_policy[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[ssh] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[su] (samba) 
tests/test_gpo.py::test_gpo__is_set_to_disabled_and_all_users_are_allowed[ssh] (samba) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[ssh] (samba) 
tests/test_gpo.py::test_gpo__implicit_deny_is_set_to_true[su] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[ssh] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance_when_site_is_enforcing[su] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[ssh] (samba) 
tests/test_gpo.py::test_gpo__domain_and_sites_inheritance[su] (samba) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[ssh] (samba) 
tests/test_gpo.py::test_gpo__ou_and_domain_inheritance[su] (samba) 
tests/test_gpo.py::test_gpo__map_interactive_disabling_login_su_and_su_l (samba) 
tests/test_gpo.py::test_gpo__map_remote_interactive_disabling_sshd (samba) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[ssh] (samba) 
tests/test_gpo.py::test_gpo__works_when_the_server_is_unreachable[su] (samba) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[ssh] (samba) 
tests/test_gpo.py::test_gpo__honors_the_ad_site_parameter[su] (samba) 
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[ssh] (samba) 
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[su] (samba) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[ssh] (samba) 
tests/test_gpo.py::test_gpo__finds_all_groups_when_auto_private_groups_is_set_true[su] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-ssh] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-su] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[false-ssh] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[false-su] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[hybrid-ssh] (samba) 
tests/test_gpo.py::test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[hybrid-su] (samba) 

========== 4 failed, 70 passed, 542 deselected in 1538.46s (0:25:38) ===========
PASSED         [  1%]PASSED        [  2%]PASSED [  4%]PASSED [  5%]PASSED [  6%]PASSED [  8%]PASSED [  9%]PASSED [ 10%]PASSED [ 12%]PASSED [ 13%]PASSED [ 14%]PASSED [ 16%]PASSED [ 17%]PASSED [ 18%]PASSED [ 20%]PASSED [ 21%]PASSED  [ 22%]PASSED   [ 24%]PASSED [ 25%]PASSED [ 27%]PASSED [ 28%]PASSED [ 29%]PASSED [ 31%]PASSED [ 32%]PASSED [ 33%]PASSED [ 35%]PASSED [ 36%]PASSED [ 37%]PASSED [ 39%]
tests/test_gpo.py::test_gpo__ignores_invalid_and_unnecessary_keys_and_values[su] (ad) PASSED [ 40%]
tests/test_gpo.py::test_gpo__skips_unreadable_gpo_policies[ssh] (ad) PASSED [ 41%]PASSED [ 43%]PASSED [ 44%]PASSED [ 45%]FAILED [ 47%]
tests/test_gpo.py:988 (test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-ssh] (ad))
client = <sssd_test_framework.roles.client.Client object at 0x7f2eaf1202d0>
provider = <sssd_test_framework.roles.ad.AD object at 0x7f2eaf120310>
method = 'ssh', auto_private_groups = 'true'

    @pytest.mark.importance("critical")
    @pytest.mark.parametrize("method", ["ssh", "su"])
    @pytest.mark.parametrize("auto_private_groups", ["true", "false", "hybrid"])
    @pytest.mark.topology(KnownTopologyGroup.AnyAD)
    @pytest.mark.ticket(gh=7452)
    def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
        client: Client, provider: GenericADProvider, method: str, auto_private_groups: str
    ):
        """
        :title: GPO evaluation fails when auto_private_groups used with posix accounts
        :setup:
            1. Create the following user 'user1' and 'deny_user1' with uids and gids
            2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
               SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
            3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
               'auto_private_groups = parameter' and 'ldap_id_mapping = false'
            4. Start SSSD
        :steps:
            1. Authenticate as 'user1'
            2. Authenticate as 'deny_user1'
        :expectedresults:
            1. Authentication is successful
            2. Authenticated user is unsuccessful
        :customerscenario: True
        """
        user1 = provider.user("user1").add(uid=10000, gid=10000)
        deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)
    
        provider.gpo("site policy").add().policy(
            {
                "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
                "SeDenyInteractiveLogonRight": [deny_user1],
            }
        ).link()
    
        client.sssd.domain["ad_gpo_access_control"] = "enforcing"
        client.sssd.domain["auto_private_groups"] = auto_private_groups
        client.sssd.domain["ldap_id_mapping"] = "false"
        client.sssd.start()
    
>       assert client.auth.parametrize(method).password(
            "user1", password="Secret123"
        ), "Allowed user authentication failed!"
E       AssertionError: Allowed user authentication failed!
E       assert False
E        +  where False = password('user1', password='Secret123')
E        +    where password = <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f2eaf123e90>.password
E        +      where <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f2eaf123e90> = parametrize('ssh')
E        +        where parametrize = <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f2eaf122e10>.parametrize
E        +          where <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f2eaf122e10> = <sssd_test_framework.roles.client.Client object at 0x7f2eaf1202d0>.auth

tests/test_gpo.py:1029: AssertionError
FAILED [ 48%]
tests/test_gpo.py:988 (test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-su] (ad))
client = <sssd_test_framework.roles.client.Client object at 0x7f2eaef6fd50>
provider = <sssd_test_framework.roles.ad.AD object at 0x7f2eaef6e2d0>
method = 'su', auto_private_groups = 'true'

    @pytest.mark.importance("critical")
    @pytest.mark.parametrize("method", ["ssh", "su"])
    @pytest.mark.parametrize("auto_private_groups", ["true", "false", "hybrid"])
    @pytest.mark.topology(KnownTopologyGroup.AnyAD)
    @pytest.mark.ticket(gh=7452)
    def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
        client: Client, provider: GenericADProvider, method: str, auto_private_groups: str
    ):
        """
        :title: GPO evaluation fails when auto_private_groups used with posix accounts
        :setup:
            1. Create the following user 'user1' and 'deny_user1' with uids and gids
            2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
               SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
            3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
               'auto_private_groups = parameter' and 'ldap_id_mapping = false'
            4. Start SSSD
        :steps:
            1. Authenticate as 'user1'
            2. Authenticate as 'deny_user1'
        :expectedresults:
            1. Authentication is successful
            2. Authenticated user is unsuccessful
        :customerscenario: True
        """
        user1 = provider.user("user1").add(uid=10000, gid=10000)
        deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)
    
        provider.gpo("site policy").add().policy(
            {
                "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
                "SeDenyInteractiveLogonRight": [deny_user1],
            }
        ).link()
    
        client.sssd.domain["ad_gpo_access_control"] = "enforcing"
        client.sssd.domain["auto_private_groups"] = auto_private_groups
        client.sssd.domain["ldap_id_mapping"] = "false"
        client.sssd.start()
    
>       assert client.auth.parametrize(method).password(
            "user1", password="Secret123"
        ), "Allowed user authentication failed!"

tests/test_gpo.py:1029: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../../../../pytest-mh/pytest_mh/_private/multihost.py:966: in wrapper
    return method(self, *args, **kwargs)
../../../../sssd-test-framework/sssd_test_framework/utils/authentication.py:270: in password
    rc, _, _, _ = self.password_with_output(username, password)
../../../../pytest-mh/pytest_mh/_private/multihost.py:966: in wrapper
    return method(self, *args, **kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <sssd_test_framework.utils.authentication.SUAuthenticationUtils object at 0x7f2eaef6e650>
username = 'user1', password = 'Secret123'

    def password_with_output(self, username: str, password: str) -> tuple[int, int, str, str]:
        """
        Call ``su - $username`` and authenticate the user with password and captures standard output and error.
    
        :param username: Username.
        :type username: str
        :param password: User password.
        :type password: str
        :return: Tuple containing [return code, command code, stdout, stderr].
        :rtype: Tuple[int, int, str, str]
        """
    
        result = self.host.conn.expect_nobody(
            rf"""
            # Disable debug output
            # exp_internal 0
    
            proc exitmsg {{ msg code }} {{
                # Close spawned program, if we are in the prompt
                catch close
    
                # Wait for the exit code
                lassign [wait] pid spawnid os_error_flag rc
    
                puts ""
                puts "expect result: $msg"
                puts "expect exit code: $code"
                puts "expect spawn exit code: $rc"
                exit $code
            }}
    
            # It takes some time to get authentication failure
            set timeout {DEFAULT_AUTHENTICATION_TIMEOUT}
            set prompt "\n.*\[#\$>\] $"
    
            spawn su - "{username}"
    
            expect {{
                "Password:" {{send "{password}\n"}}
                timeout {{exitmsg "Unexpected output" 201}}
                eof {{exitmsg "Unexpected end of file" 202}}
            }}
    
            expect {{
                -re $prompt {{exitmsg "Password authentication successful" 0}}
                "Authentication failure" {{exitmsg "Authentication failure" 1}}
                "su: Permission denied" {{exitmsg "Permission denied" 2}}
                timeout {{exitmsg "Unexpected output" 201}}
                eof {{exitmsg "Unexpected end of file" 202}}
            }}
    
            exitmsg "Unexpected code path" 203
        """,
            verbose=False,
        )
    
        if result.rc > 200:
>           raise ExpectScriptError(result.rc)
E           sssd_test_framework.misc.errors.ExpectScriptError: Unexpected end of file

../../../../sssd-test-framework/sssd_test_framework/utils/authentication.py:247: ExpectScriptError
PASSED [ 50%]PASSED [ 51%]PASSED [ 52%]PASSED [ 54%]PASSED      [ 55%]PASSED     [ 56%]PASSED [ 58%]PASSED [ 59%]PASSED [ 60%]
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_allowed[ssh] (samba) PASSED [ 62%]
tests/test_gpo.py::test_gpo__is_set_to_permissive_and_users_are_denied[su] (samba) PASSED [ 63%]PASSED [ 64%]PASSED [ 66%]PASSED [ 67%]PASSED [ 68%]PASSED [ 70%]PASSED [ 71%]PASSED [ 72%]PASSED [ 74%]PASSED [ 75%]PASSED [ 77%]PASSED [ 78%]PASSED [ 79%]PASSED [ 81%]PASSED [ 82%]PASSED [ 83%]PASSED [ 85%]PASSED [ 86%]PASSED [ 87%]PASSED [ 89%]PASSED [ 90%]PASSED [ 91%]FAILED [ 93%]
tests/test_gpo.py:988 (test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-ssh] (samba))
client = <sssd_test_framework.roles.client.Client object at 0x7f2eaeec3790>
provider = <sssd_test_framework.roles.samba.Samba object at 0x7f2eaef10790>
method = 'ssh', auto_private_groups = 'true'

    @pytest.mark.importance("critical")
    @pytest.mark.parametrize("method", ["ssh", "su"])
    @pytest.mark.parametrize("auto_private_groups", ["true", "false", "hybrid"])
    @pytest.mark.topology(KnownTopologyGroup.AnyAD)
    @pytest.mark.ticket(gh=7452)
    def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
        client: Client, provider: GenericADProvider, method: str, auto_private_groups: str
    ):
        """
        :title: GPO evaluation fails when auto_private_groups used with posix accounts
        :setup:
            1. Create the following user 'user1' and 'deny_user1' with uids and gids
            2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
               SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
            3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
               'auto_private_groups = parameter' and 'ldap_id_mapping = false'
            4. Start SSSD
        :steps:
            1. Authenticate as 'user1'
            2. Authenticate as 'deny_user1'
        :expectedresults:
            1. Authentication is successful
            2. Authenticated user is unsuccessful
        :customerscenario: True
        """
        user1 = provider.user("user1").add(uid=10000, gid=10000)
        deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)
    
        provider.gpo("site policy").add().policy(
            {
                "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
                "SeDenyInteractiveLogonRight": [deny_user1],
            }
        ).link()
    
        client.sssd.domain["ad_gpo_access_control"] = "enforcing"
        client.sssd.domain["auto_private_groups"] = auto_private_groups
        client.sssd.domain["ldap_id_mapping"] = "false"
        client.sssd.start()
    
>       assert client.auth.parametrize(method).password(
            "user1", password="Secret123"
        ), "Allowed user authentication failed!"
E       AssertionError: Allowed user authentication failed!
E       assert False
E        +  where False = password('user1', password='Secret123')
E        +    where password = <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f2eaef6b350>.password
E        +      where <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f2eaef6b350> = parametrize('ssh')
E        +        where parametrize = <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f2eaef6ad90>.parametrize
E        +          where <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f2eaef6ad90> = <sssd_test_framework.roles.client.Client object at 0x7f2eaeec3790>.auth

tests/test_gpo.py:1029: AssertionError
FAILED [ 94%]
tests/test_gpo.py:988 (test_gpo__works_when_auto_private_group_is_used_with_posix_accounts[true-su] (samba))
client = <sssd_test_framework.roles.client.Client object at 0x7f2eaef68050>
provider = <sssd_test_framework.roles.samba.Samba object at 0x7f2eaf285010>
method = 'su', auto_private_groups = 'true'

    @pytest.mark.importance("critical")
    @pytest.mark.parametrize("method", ["ssh", "su"])
    @pytest.mark.parametrize("auto_private_groups", ["true", "false", "hybrid"])
    @pytest.mark.topology(KnownTopologyGroup.AnyAD)
    @pytest.mark.ticket(gh=7452)
    def test_gpo__works_when_auto_private_group_is_used_with_posix_accounts(
        client: Client, provider: GenericADProvider, method: str, auto_private_groups: str
    ):
        """
        :title: GPO evaluation fails when auto_private_groups used with posix accounts
        :setup:
            1. Create the following user 'user1' and 'deny_user1' with uids and gids
            2. Create and link the GPO 'site policy' and add 'user1' and 'Domain Admins' to
               SeInteractiveLogonRight key. Add 'deny_user1 to SeDenyInteractiveLogonRight key'
            3. Configure sssd.conf with 'ad_gpo_access_control = enforcing',
               'auto_private_groups = parameter' and 'ldap_id_mapping = false'
            4. Start SSSD
        :steps:
            1. Authenticate as 'user1'
            2. Authenticate as 'deny_user1'
        :expectedresults:
            1. Authentication is successful
            2. Authenticated user is unsuccessful
        :customerscenario: True
        """
        user1 = provider.user("user1").add(uid=10000, gid=10000)
        deny_user1 = provider.user("deny_user1").add(uid=10001, gid=10001)
    
        provider.gpo("site policy").add().policy(
            {
                "SeInteractiveLogonRight": [user1, provider.group("Domain Admins")],
                "SeDenyInteractiveLogonRight": [deny_user1],
            }
        ).link()
    
        client.sssd.domain["ad_gpo_access_control"] = "enforcing"
        client.sssd.domain["auto_private_groups"] = auto_private_groups
        client.sssd.domain["ldap_id_mapping"] = "false"
        client.sssd.start()
    
>       assert client.auth.parametrize(method).password(
            "user1", password="Secret123"
        ), "Allowed user authentication failed!"

tests/test_gpo.py:1029: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../../../../pytest-mh/pytest_mh/_private/multihost.py:966: in wrapper
    return method(self, *args, **kwargs)
../../../../sssd-test-framework/sssd_test_framework/utils/authentication.py:270: in password
    rc, _, _, _ = self.password_with_output(username, password)
../../../../pytest-mh/pytest_mh/_private/multihost.py:966: in wrapper
    return method(self, *args, **kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <sssd_test_framework.utils.authentication.SUAuthenticationUtils object at 0x7f2eaef6ab50>
username = 'user1', password = 'Secret123'

    def password_with_output(self, username: str, password: str) -> tuple[int, int, str, str]:
        """
        Call ``su - $username`` and authenticate the user with password and captures standard output and error.
    
        :param username: Username.
        :type username: str
        :param password: User password.
        :type password: str
        :return: Tuple containing [return code, command code, stdout, stderr].
        :rtype: Tuple[int, int, str, str]
        """
    
        result = self.host.conn.expect_nobody(
            rf"""
            # Disable debug output
            # exp_internal 0
    
            proc exitmsg {{ msg code }} {{
                # Close spawned program, if we are in the prompt
                catch close
    
                # Wait for the exit code
                lassign [wait] pid spawnid os_error_flag rc
    
                puts ""
                puts "expect result: $msg"
                puts "expect exit code: $code"
                puts "expect spawn exit code: $rc"
                exit $code
            }}
    
            # It takes some time to get authentication failure
            set timeout {DEFAULT_AUTHENTICATION_TIMEOUT}
            set prompt "\n.*\[#\$>\] $"
    
            spawn su - "{username}"
    
            expect {{
                "Password:" {{send "{password}\n"}}
                timeout {{exitmsg "Unexpected output" 201}}
                eof {{exitmsg "Unexpected end of file" 202}}
            }}
    
            expect {{
                -re $prompt {{exitmsg "Password authentication successful" 0}}
                "Authentication failure" {{exitmsg "Authentication failure" 1}}
                "su: Permission denied" {{exitmsg "Permission denied" 2}}
                timeout {{exitmsg "Unexpected output" 201}}
                eof {{exitmsg "Unexpected end of file" 202}}
            }}
    
            exitmsg "Unexpected code path" 203
        """,
            verbose=False,
        )
    
        if result.rc > 200:
>           raise ExpectScriptError(result.rc)
E           sssd_test_framework.misc.errors.ExpectScriptError: Unexpected end of file

../../../../sssd-test-framework/sssd_test_framework/utils/authentication.py:247: ExpectScriptError
PASSED [ 95%]PASSED [ 97%]PASSED [ 98%]PASSED [100%]
Process finished with exit code 1

@danlavu danlavu requested a review from spoore1 September 23, 2024 11:44
pbrezina
pbrezina approved these changes Sep 24, 2024
View reviewed changes
Copy link
Member

@pbrezina pbrezina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, code-wise ack.

spoore1
spoore1 approved these changes Sep 25, 2024
View reviewed changes
Copy link
Contributor

@spoore1 spoore1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pbrezina
roles: extended gpo feature to samba role
603e4d1 
* added SambaSite object
* added SambaComputer object
* added GenericGPO class and methods
* added some ldap variables to perform ldap functions
@pbrezina pbrezina merged commit 83d7b28 into SSSD:master Sep 25, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pbrezina pbrezina pbrezina approved these changes

@spoore1 spoore1 spoore1 approved these changes

Assignees

@spoore1 spoore1

@pbrezina pbrezina

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@danlavu @spoore1 @pbrezina