From 3fd19c8025784269d5e08c553f83a097dc666870 Mon Sep 17 00:00:00 2001 From: Dan Lavu Date: Sun, 30 Apr 2023 01:11:39 -0400 Subject: [PATCH] Adding test case for bz2167728 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Cleaned up lines since the character count has increased * Added test ids to existing tests Signed-off-by: Dan Lavu Reviewed-by: Jakub Vávra Reviewed-by: Madhuri Upadhye (cherry picked from commit 95678ad7e4f18e47cd67aabe660e0c26c07a2ffa) --- .../admultidomain/test_multidomain.py | 120 ++++++++++++------ .../admultidomain/test_multiforest.py | 21 +-- 2 files changed, 92 insertions(+), 49 deletions(-) diff --git a/src/tests/multihost/admultidomain/test_multidomain.py b/src/tests/multihost/admultidomain/test_multidomain.py index 1506033e8a2..bf1512d8e25 100644 --- a/src/tests/multihost/admultidomain/test_multidomain.py +++ b/src/tests/multihost/admultidomain/test_multidomain.py @@ -1,3 +1,5 @@ +import re + import pytest from sssd.testlib.common.utils import sssdTools @@ -7,11 +9,11 @@ @pytest.mark.admultidomain class TestADMultiDomain(object): - def test_0001_bz2013297(multihost, newhostname, adchildjoin): + @staticmethod + def test_0001_bz2013297(self, multihost, newhostname, adchildjoin): """ - :title: IDM-SSSD-TC: ad_provider: forests: disabled root ad domain - causes subdomains to be marked offline - :id: + :title: IDM-SSSD-TC: ad_provider: forests: disabled root domain causes subdomains to be marked offline + :id: 3055d093-8449-4146-a6e1-b221dee35395 :setup: 1. Configure parent and child domain 2. Join client to child domain @@ -35,7 +37,6 @@ def test_0001_bz2013297(multihost, newhostname, adchildjoin): child_domain = multihost.ad[1].domainname ad_server = multihost.ad[1].hostname - # Configure sssd multihost.client[0].service_sssd('stop') client = sssdTools(multihost.client[0], multihost.ad[1]) client.backup_sssd_conf() 
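Review bot: `@staticmethod` and the new `self` parameter on `test_0001_bz2013297` contradict each other. A static method receives no instance, so pytest will most likely treat `self` as a fixture name and fail the test with an unknown-fixture error. Keep one or the other, for example the plain method `def test_0001_bz2013297(self, multihost, newhostname, adchildjoin):` with the decorator removed. The same pairing is added to `test_0002_bz2018432` and `test_0003_bz2167728` later in this file, and to `test_0001_multiforest` in test_multiforest.py. The body of the test continues outside this hunk.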
@@ -47,24 +48,18 @@ def test_0001_bz2013297(multihost, newhostname, adchildjoin): 'ad_server': ad_server, 'cache_credentials': 'True', } - client.sssd_conf(dom_section, sssd_params) + client.sssd_conf(dom_section, sssd_params, action='update') client.clear_sssd_cache() + multihost.client[0].service_sssd('start') - # Search for the user in root domain getent_root_user1 = multihost.client[0].run_command( - f'getent passwd user1@{ad_domain}', - raiseonerr=False - ) - # Search for the user in child domain + f'getent passwd user1@{ad_domain}', raiseonerr=False) getent_child_user1 = multihost.client[0].run_command( - f'getent passwd child_user1@{child_domain}', - raiseonerr=False - ) + f'getent passwd child_user1@{child_domain}', raiseonerr=False) client.restore_sssd_conf() client.clear_sssd_cache() - # Evaluate test results assert getent_root_user1.returncode == 0 assert getent_child_user1.returncode == 0 
@@ -77,32 +72,26 @@ def test_0001_bz2013297(multihost, newhostname, adchildjoin): 'ad_server': ad_server, 'ad_enabled_domains': child_domain } - client.sssd_conf(dom_section, sssd_params) + client.sssd_conf(dom_section, sssd_params, action='update') client.clear_sssd_cache() + multihost.client[0].service_sssd('start') - # Search for the user in root domain getent_root_user2 = multihost.client[0].run_command( - f'getent passwd user1@{ad_domain}', - raiseonerr=False - ) - # Search for the user in child domain + f'getent passwd user1@{ad_domain}', raiseonerr=False) getent_child_user2 = multihost.client[0].run_command( - f'getent passwd child_user1@{child_domain}', - raiseonerr=False - ) + f'getent passwd child_user1@{child_domain}', raiseonerr=False) client.restore_sssd_conf() client.clear_sssd_cache() - # Evaluate test results assert getent_root_user2.returncode == 2 assert getent_child_user2.returncode == 0 - def test_0002_bz2018432(multihost, newhostname, adjoin): + @staticmethod + def test_0002_bz2018432(self, multihost, newhostname, adjoin): """ - :title: IDM-SSSD-TC: ad_provider: forests: based SSSD adds more AD - domains than it should be based on the configuration file - :id: + :title: IDM-SSSD-TC: ad_provider: forests: sssctl domain_list shows more domains than it should + :id: b2c9efc8-b3a6-4216-99d6-7ae1d868c43f :setup: 1. Configure several domains, this suite contains 4 trusted domains 2. Join client to parent domain @@ -115,8 +104,6 @@ def test_0002_bz2018432(multihost, newhostname, adjoin): adjoin(membersw='adcli') ad_domain = multihost.ad[0].domainname ad_server = multihost.ad[0].hostname - - # Configure sssd multihost.client[0].service_sssd('stop') client = sssdTools(multihost.client[0], multihost.ad[0]) client.backup_sssd_conf() 
@@ -128,13 +115,11 @@ def test_0002_bz2018432(multihost, newhostname, adjoin): 'ad_server': ad_server, 'cache_credentials': 'True' } - client.sssd_conf(dom_section, sssd_params) + client.sssd_conf(dom_section, sssd_params, action='update') client.clear_sssd_cache() - # List domains - # The lists have to be manipulated, the DC in the other forest - # needs to be removed as well as implicit_files from the output - domain_list_cmd = multihost.client[0].run_command( - 'sssctl domain-list', raiseonerr=False) + multihost.client[0].service_sssd('start') + # The output needs to be pruned of servers that are not apart of the forest and 'implicit files' + domain_list_cmd = multihost.client[0].run_command('sssctl domain-list', raiseonerr=False) domain_list = domain_list_cmd.stdout_text.split('\n') if "" in domain_list: domain_list.remove("") 
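Review bot: The rewritten comment says servers "that are not apart of the forest", which reads as the opposite of what is meant. It also drops the explanation that the DC in the other forest is the entry being removed. I would write `# Prune the output: drop 'implicit_files' and any DC that is not a part of this forest` so the later `multihost_list.pop()` stays understandable. The body of `test_0002_bz2018432` starts and ends outside this hunk.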
@@ -143,11 +128,68 @@ def test_0002_bz2018432(multihost, newhostname, adjoin): multihost_list = [] for x in multihost.ad: multihost_list.append(x.domainname) - # This is necessary because the AD server in the second forest needs to - # be removed from the list. multihost_list.pop() domain_list.sort() multihost_list.sort() assert domain_list == multihost_list + + @staticmethod + def test_0003_bz2167728(self, multihost, newhostname, adchildjoin): + """ + :title: IDM-SSSD-TC: ad_provider: forests: bz2167728 Auth fails if client cannot speak to forest root domain + :id: e9ba9423-0a42-4379-a900-637c79ff0e5c + :setup: + 1. Clear out the contents of [domain_realm] in /etc/krb5.conf + 2. Join client to child domain + :steps: + 1. Lookup root, child and tree domain users + :expectedresults: + 1. All lookups should work + :customerscenario: True + """ + client = sssdTools(multihost.client[0], multihost.ad[1]) + krb5 = multihost.client[0].get_file_contents('/etc/krb5.conf', encoding='utf-8') + resolv = multihost.client[0].get_file_contents('/etc/resolv.conf', encoding='utf-8') + domain = multihost.ad[0].domainname + ip = multihost.ad[0].ip + child_domain = multihost.ad[1].domainname + child_ip = multihost.ad[1].ip + tree_domain = multihost.ad[2].domainname + tree_ip = multihost.ad[2].ip + + # To verify this bug the contents of /etc/krb5.conf needs to have no [realm] entries + for x in multihost.ad: + _domain = x.domainname + _domain_upper = _domain.capitalize() + _krb5 = multihost.client[0].get_file_contents('/etc/krb5.conf', encoding='utf-8') + _krb5_1 = re.sub(f"^.{_domain} = {_domain_upper}", "", re.sub(f"^{_domain} = {_domain_upper}", "", _krb5)) + multihost.client[0].put_file_contents('/etc/krb5.conf', _krb5_1) + adchildjoin(membersw='adcli') + + multihost.client[0].service_sssd('stop') + client.backup_sssd_conf() + sssd_domain = f'domain/{client.get_domain_section_name()}' + sssd_params = {'debug_level': '9'} + client.sssd_conf(sssd_domain, sssd_params, action='update') 
+ + client.update_resolv_conf(child_ip) + client.update_resolv_conf(ip) + client.update_resolv_conf(tree_ip) + + multihost.client[0].service_sssd('start') + + getent1 = multihost.client[0].run_command(f'getent passwd user1@{domain}', raiseonerr=False) + getent2 = multihost.client[0].run_command(f'getent passwd child_user1@{child_domain}', raiseonerr=False) + getent3 = multihost.client[0].run_command(f'getent passwd tree_user1@{tree_domain}', raiseonerr=False) + + multihost.client[0].put_file_contents('/etc/krb5.conf', krb5) + multihost.client[0].run_command('chattr -i /etc/resolv.conf', raiseonerror=False) + multihost.client[0].put_file_contents('/etc/resolv.conf', resolv) + multihost.client[0].run_command('chattr +i /etc/resolv.conf', raiseonerror=False) + client.restore_sssd_conf() + + assert getent1.returncode == 0, f'Could not find user1@{domain}!' + assert getent2.returncode == 0, f'Could not find child_user1@{child_domain}!' + assert getent3.returncode == 0, f'Could not find tree_user1@{tree_domain}!' diff --git a/src/tests/multihost/admultidomain/test_multiforest.py b/src/tests/multihost/admultidomain/test_multiforest.py index 351fdefcd45..cd710036b0a 100644 --- a/src/tests/multihost/admultidomain/test_multiforest.py +++ b/src/tests/multihost/admultidomain/test_multiforest.py @@ -1,5 +1,4 @@ import subprocess -import time import pytest @@ -10,6 +9,7 @@ @pytest.mark.admultiforest class TestADMultiForest(object): + @staticmethod def test_0001_multiforest(self, multihost, newhostname, adjoin): """ :title: IDM-SSSD-TC: ad_provider: admultiforest : Authentication against two forests 
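Review bot: The loop in `test_0003_bz2167728` that is meant to empty `[domain_realm]` in `/etc/krb5.conf` looks like a no-op, so the test may pass without ever reproducing the bz2167728 condition. `_domain.capitalize()` yields `Example.com` rather than the upper-case realm, and `^` without `re.MULTILINE` only matches at the very start of the file. The domain name is also interpolated unescaped, so its dots act as wildcards. Separately, the two `chattr` calls pass `raiseonerror=False` where every other `run_command` call in this patch uses `raiseonerr=False`; if that keyword is rejected, the cleanup stops before `/etc/resolv.conf` is restored and made immutable again. The restore steps also run only on the success path, so a failure in the join or in the sssd restart leaves the client with altered Kerberos and DNS configuration; a `try`/`finally` around the body would avoid that.

```python
# … unchanged: client, krb5, resolv and the domain/ip lookups …
_krb5 = multihost.client[0].get_file_contents('/etc/krb5.conf', encoding='utf-8')
for x in multihost.ad:
    _name = re.escape(x.domainname)
    _realm = re.escape(x.domainname.upper())
    # Drop both "<domain> = <REALM>" and ".<domain> = <REALM>" mappings, wherever they sit in the file
    _krb5 = re.sub(rf"^[ \t]*\.?{_name}[ \t]*=[ \t]*{_realm}[ \t]*$", "", _krb5, flags=re.MULTILINE)
multihost.client[0].put_file_contents('/etc/krb5.conf', _krb5)
# … unchanged: adchildjoin, sssd configuration, resolv.conf updates, lookups …
```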
@@ -102,16 +102,17 @@ def test_0001_multiforest(self, multihost, newhostname, adjoin): id_domain1_user1 = multihost.client[0].run_command(f'id user1@{ad1_domain}', raiseonerr=False) id_domain1_user2 = multihost.client[0].run_command(f'id user2@{ad1_domain}', raiseonerr=False) - multihost.client[0].put_file_contents('/etc/hosts.bak', hosts) + multihost.client[0].put_file_contents('/etc/hosts', hosts) multihost.client[0].put_file_contents('/etc/krb5.conf', krb5) multihost.client[0].run_command(cleanup_krb5) client.restore_sssd_conf() - assert getent_domain_user1.rc == 0, f"Could not find user1 {getent_domain_user1}!" - assert getent_domain_user2.rc == 0, f"Could not find user1 {getent_domain_user2}!" - assert id_domain_user1.rc == 0, f"Could not find user1 {id_domain1_user1}!" - assert id_domain_user2.rc == 0, f"Could not find user2 {id_domain_user2}!" - assert getent_domain1_user1.rc == 0, f"Could not find user1 {getent_domain1_user1}!" - assert getent_domain1_user2.rc == 0, f"Could not find user2 {getent_domain1_user2}!" - assert id_domain1_user1.rc == 0, f"Could not find user1 {id_domain1_user1}!" - assert id_domain1_user2.rc == 0, f"Could not find user2 {id_domain1_user2}!" + assert getent_domain_user1.returncode == 0, f"Could not find user1 {getent_domain_user1}!" + assert getent_domain_user2.returncode == 0, f"Could not find user1 {getent_domain_user2}!" + assert id_domain_user1.returncode == 0, f"Could not find user1 {id_domain1_user1}!" + assert id_domain_user2.returncode == 0, f"Could not find user2 {id_domain_user2}!" + assert getent_domain1_user1.returncode == 0, f"Could not find user1 {getent_domain1_user1}!" + assert getent_domain1_user2.returncode == 0, f"Could not find user2 {getent_domain1_user2}!" + assert id_domain1_user1.returncode == 0, f"Could not find user1 {id_domain1_user1}!" + assert id_domain1_user2.returncode == 0, f"Could not find user2 {id_domain1_user2}!" +
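Review bot: Several failure messages in the rewritten assertions still name the wrong user or interpolate the wrong result, so a failure would point the reader at the wrong lookup. The `getent_domain_user2` assertion reports "Could not find user1", and the `id_domain_user1` assertion interpolates `{id_domain1_user1}`. Suggested: `assert getent_domain_user2.returncode == 0, f"Could not find user2 {getent_domain_user2}!"` and `assert id_domain_user1.returncode == 0, f"Could not find user1 {id_domain_user1}!"`. The restore of `/etc/hosts` and `/etc/krb5.conf` also runs only if every preceding command succeeds; since `test_0001_multiforest` starts outside this hunk I cannot see whether a `try`/`finally` already covers that.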