def test_ipahealthcheck_hidden_replica(self):
"""Ensure that ipa-healthcheck runs successfully on all members
of an IPA cluster that includes a hidden replica.
"""
os_version = (tasks.get_platform(self.master),
tasks.get_platform_version(self.master))
pki_version = tasks.get_pki_version(self.master)
# verify state
self._check_config([self.master], [self.replicas[0]])
# A DNA range is needed on the replica for ipa-healthcheck to work.
# Create a user so that the replica gets a range.
tasks.user_add(self.replicas[0], 'testuser')
tasks.user_del(self.replicas[0], 'testuser')
for srv in (self.master, self.replicas[0]):
returncode, _unused = run_healthcheck(srv, failures_only=True)
pki_too_old = \
(os_version[0] == 'fedora'
and pki_version < tasks.parse_version('11.1.0'))\
or (os_version[0] == 'rhel'
and os_version[1][0] == 8
and pki_version < tasks.parse_version('10.12.0'))\
or (os_version[0] == 'rhel'
and os_version[1][0] == 9
and pki_version < tasks.parse_version('11.0.4'))
with xfail_context(pki_too_old,
'https://pagure.io/freeipa/issue/8582'):
assert returncode == 0
def test_override_gid_subdomain(self):
"""Test that override_gid is working for subdomain
This is a regression test for sssd bug:
https://pagure.io/SSSD/sssd/issue/4061
"""
tasks.clear_sssd_cache(self.master)
user = self.users['child_ad']['name']
gid = 10264
# verify the user can be retrieved initially
self.master.run_command(['id', user])
with self.override_gid_setup(gid):
test_gid = self.master.run_command(['id', user])
sssd_version = tasks.get_sssd_version(self.master)
with xfail_context(sssd_version < tasks.parse_version('2.3.0'),
'https://pagure.io/SSSD/sssd/issue/4061'):
assert 'gid={id}'.format(id=gid) in test_gid.stdout_text
def test_trustdomain_disable_disables_subdomain(self):
"""Test that users from disabled trustdomains can not use ipa resources
This is a regression test for sssd bug:
https://pagure.io/SSSD/sssd/issue/4078
"""
user = self.users['child_ad']['name']
# verify the user can be retrieved initially
self.master.run_command(['id', user])
with self.disabled_trustdomain():
res = self.master.run_command(['id', user], raiseonerr=False)
sssd_version = tasks.get_sssd_version(self.master)
with xfail_context(sssd_version < tasks.parse_version('2.2.3'),
'https://pagure.io/SSSD/sssd/issue/4078'):
assert res.returncode == 1
assert 'no such user' in res.stderr_text
# verify the user can be retrieved after re-enabling trustdomain
self.master.run_command(['id', user])
def test_aduser_with_idview(self):
"""Test that trusted AD users should not lose their AD domains.
This is a regression test for sssd bug:
https://pagure.io/SSSD/sssd/issue/4173
1. Override AD user's UID, GID by adding it in ID view on IPA server.
2. Stop the SSSD, and clear SSSD cache and restart SSSD on a IPA client
3. getent with UID from ID view should return AD domain
after default memcache_timeout.
"""
client = self.clients[0]
user = self.users['ad']['name']
idview = 'testview'
def verify_retrieved_users_domain():
# Wait for the record to expire in SSSD's cache
# (memcache_timeout default value is 300s).
test_user = ['su', user, '-c', 'sleep 360; getent passwd 10001']
result = client.run_command(test_user)
assert user in result.stdout_text
# verify the user can be retrieved initially
tasks.clear_sssd_cache(self.master)
self.master.run_command(['id', user])
self.master.run_command(['ipa', 'idview-add', idview])
self.master.run_command(['ipa', 'idoverrideuser-add', idview, user])
self.master.run_command([
'ipa', 'idview-apply', idview,
'--hosts={0}'.format(client.hostname)
])
self.master.run_command([
'ipa', 'idoverrideuser-mod', idview, user, '--uid=10001',
'--gid=10000'
])
try:
clear_sssd_cache(client)
sssd_version = tasks.get_sssd_version(client)
with xfail_context(sssd_version < tasks.parse_version('2.3.0'),
'https://pagure.io/SSSD/sssd/issue/4173'):
verify_retrieved_users_domain()
finally:
self.master.run_command(['ipa', 'idview-del', idview])