Beispiel #1
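    def test_login_wrong_password(self, user_creation_deletion):
        """Test ipa user login with wrong password

        When an ipa user tries to log in to the machine over ssh with a
        wrong password, pam_sss should log an authentication failure for
        that user in the sshd journal.

        related: https://github.com/SSSD/sssd/issues/5139
        """
        sssd_version = tasks.get_sssd_version(self.master)
        if sssd_version < tasks.parse_version('2.3.0'):
            pytest.xfail('Fix is part of sssd 2.3.0 and is'
                         ' available from fedora32 onwards')

        sshconn = paramiko.SSHClient()
        # NOTE(review): AutoAddPolicy accepts whatever host key the server
        # presents, so the peer is not authenticated. That fits this test
        # only because the credential sent below is meant to be invalid;
        # a connection carrying a real secret should load known host keys.
        sshconn.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # NOTE(review): this timestamp is taken on the machine running the
        # test while journalctl evaluates it on the master; it assumes both
        # clocks and timezones agree and that the test does not cross
        # midnight (no date component) -- confirm for the CI topology.
        since = time.strftime('%H:%M:%S')
        try:
            # try to login with wrong password
            # (the literal looks masked on this page; presumably any value
            # that is not the user's real password -- verify upstream)
            sshconn.connect(self.master.hostname,
                            username=self.testuser,
                            password='******')
        except paramiko.AuthenticationException:
            # Rejection is the expected outcome; the journal check below
            # verifies how it was logged.
            pass
        else:
            # An accepted wrong password is an authentication failure of
            # the system under test; report it as such instead of letting
            # the journal assertion fail with a misleading message.
            pytest.fail('ssh login of {} with a wrong password was not'
                        ' rejected'.format(self.testuser))
        finally:
            # Close the client even when connect() raises something other
            # than AuthenticationException (network or protocol errors).
            sshconn.close()

        # check if proper message logged
        exp_msg = ("pam_sss(sshd:auth): received for user {}: 7"
                   " (Authentication failure)".format(self.testuser))
        result = self.master.run_command(['journalctl',
                                          '-u', 'sshd',
                                          '--since={}'.format(since)])
        assert exp_msg in result.stdout_text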
Beispiel #2
    def test_override_gid_subdomain(self):
        """Check that override_gid is applied to a subdomain user.

        Regression test for the sssd bug:
        https://pagure.io/SSSD/sssd/issue/4061
        """
        tasks.clear_sssd_cache(self.master)
        overridden_gid = 10264
        ad_user = self.users['child_ad']['name']

        def lookup_user():
            # Resolve the user on the master with `id`.
            return self.master.run_command(['id', ad_user])

        # The user has to resolve before the override is put in place.
        lookup_user()
        with self.override_gid_setup(overridden_gid):
            id_result = lookup_user()
            installed_sssd = tasks.get_sssd_version(self.master)
            predates_fix = installed_sssd < tasks.parse_version('2.3.0')
            # Older sssd is expected to fail this check, hence xfail there.
            with xfail_context(predates_fix,
                               'https://pagure.io/SSSD/sssd/issue/4061'):
                expected = 'gid={id}'.format(id=overridden_gid)
                assert expected in id_result.stdout_text
Beispiel #3
    def test_trustdomain_disable_disables_subdomain(self):
        """Check that a user of a disabled trustdomain no longer resolves.

        Regression test for the sssd bug:
        https://pagure.io/SSSD/sssd/issue/4078
        """
        ad_user = self.users['child_ad']['name']

        def lookup_user(**run_opts):
            # Resolve the user on the master with `id`.
            return self.master.run_command(['id', ad_user], **run_opts)

        # Baseline: the user resolves while the trustdomain is enabled.
        lookup_user()
        with self.disabled_trustdomain():
            # raiseonerr=False: a failing lookup is the outcome under test.
            lookup = lookup_user(raiseonerr=False)
            installed_sssd = tasks.get_sssd_version(self.master)
            predates_fix = installed_sssd < tasks.parse_version('2.2.3')
            with xfail_context(predates_fix,
                               'https://pagure.io/SSSD/sssd/issue/4078'):
                assert lookup.returncode == 1
                assert 'no such user' in lookup.stderr_text
        # Once the trustdomain is enabled again the user must resolve.
        lookup_user()
Beispiel #4
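    def test_aduser_with_idview(self):
        """Test that trusted AD users should not lose their AD domains.

        This is a regression test for sssd bug:
        https://pagure.io/SSSD/sssd/issue/4173
        1. Override AD user's UID, GID by adding it in ID view on IPA server.
        2. Clear the SSSD cache on an IPA client.
        3. getent with UID from ID view should return AD domain
        after default memcache_timeout.
        """
        client = self.clients[0]
        user = self.users['ad']['name']
        idview = 'testview'
        # Override values: set on the ID view below and looked up again by
        # the verification step, so they are defined once.
        override_uid = 10001
        override_gid = 10000

        def verify_retrieved_users_domain():
            # Wait for the record to expire in SSSD's cache
            # (memcache_timeout default value is 300s).
            test_user = [
                'su', user, '-c',
                'sleep 360; getent passwd {}'.format(override_uid)
            ]
            result = client.run_command(test_user)
            assert user in result.stdout_text

        # verify the user can be retrieved initially
        tasks.clear_sssd_cache(self.master)
        self.master.run_command(['id', user])
        self.master.run_command(['ipa', 'idview-add', idview])
        # From here on the ID view exists, so every later step runs under
        # the cleanup; a failing override or apply step must not leave the
        # view behind on the server for subsequent tests.
        try:
            self.master.run_command(
                ['ipa', 'idoverrideuser-add', idview, user])
            self.master.run_command([
                'ipa', 'idview-apply', idview,
                '--hosts={0}'.format(client.hostname)
            ])
            self.master.run_command([
                'ipa', 'idoverrideuser-mod', idview, user,
                '--uid={}'.format(override_uid),
                '--gid={}'.format(override_gid)
            ])
            # Use the same module-qualified helper as the call on the
            # master above.
            tasks.clear_sssd_cache(client)
            sssd_version = tasks.get_sssd_version(client)
            with xfail_context(sssd_version < tasks.parse_version('2.3.0'),
                               'https://pagure.io/SSSD/sssd/issue/4173'):
                verify_retrieved_users_domain()
        finally:
            self.master.run_command(['ipa', 'idview-del', idview])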