def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
# Enable dns service on master as it has been installed without dns
# support before
Firewall(cls.master).enable_services(["dns"])
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
# backup trusted key
tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def install(cls, mh):
super(BaseTestLegacyClient, cls).install(mh)
tasks.kinit_admin(cls.master)
password_confirmation = (
cls.master.config.admin_password +
'\n' +
cls.master.config.admin_password
)
cls.master.run_command(['ipa', 'user-add', 'disabledipauser',
'--first', 'disabled',
'--last', 'ipauser',
'--password'],
stdin_text=password_confirmation)
cls.master.run_command(['ipa', 'user-disable', 'disabledipauser'])
cls.ad = cls.ad_domains[0].ads[0]
cls.legacy_client = cls.host_by_role(cls.required_extra_roles[0])
# Determine whether the subdomain AD is available
try:
child_ad = cls.host_by_role(cls.optional_extra_roles[0])
cls.ad_subdomain = '.'.join(
child_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_subdomain = None
# Determine whether the tree domain AD is available
try:
cls.tree_ad = cls.host_by_role(cls.optional_extra_roles[1])
cls.ad_treedomain = '.'.join(
cls.tree_ad.hostname.split('.')[1:])
except LookupError:
cls.ad_treedomain = None
tasks.apply_common_fixes(cls.legacy_client)
for f in cls.backup_files:
tasks.backup_file(cls.legacy_client, f)
def test_server_option_with_unreachable_ad(self):
"""
Check trust can be established with partially unreachable AD topology
The SRV records for AD services can point to hosts unreachable for
ipa master. In this case we must be able to establish trust and
fetch domains list by using "--server" option.
This is the regression test for https://pagure.io/freeipa/issue/7895.
"""
# To simulate Windows Server advertising unreachable hosts in SRV
# records we create specially crafted zone file for BIND DNS server
tasks.backup_file(self.master, paths.NAMED_CONF)
ad_zone = textwrap.dedent('''
$ORIGIN {ad_dom}.
$TTL 86400
@ IN A {ad_ip}
IN NS {ad_host}.
IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600
_msdcs IN NS {ad_host}.
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}.
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}.
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}.
_gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}.
_kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}.
_kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}.
_ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}.
_kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}.
_kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}.
{ad_short} IN A {ad_ip}
unreachable IN A {unreachable}
DomainDnsZones IN A {ad_ip}
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
_ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
ForestDnsZones IN A {ad_ip}
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
_ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
'''.format( # noqa: E501
ad_ip=self.ad.ip, unreachable='192.168.254.254',
ad_host=self.ad.hostname, ad_dom=self.ad.domain.name,
ad_short=self.ad.shortname))
ad_zone_file = tasks.create_temp_file(self.master, directory='/etc')
self.master.put_file_contents(ad_zone_file, ad_zone)
self.master.run_command(
['chmod', '--reference', paths.NAMED_CONF, ad_zone_file])
self.master.run_command(
['chown', '--reference', paths.NAMED_CONF, ad_zone_file])
named_conf = self.master.get_file_contents(paths.NAMED_CONF,
encoding='utf-8')
named_conf += textwrap.dedent('''
zone "ad.test" {{
type master;
file "{}";
}};
'''.format(ad_zone_file))
self.master.put_file_contents(paths.NAMED_CONF, named_conf)
tasks.restart_named(self.master)
try:
# Check that trust can not be established without --server option
# This checks that our setup is correct
result = self.master.run_command(
['ipa', 'trust-add', self.ad.domain.name,
'--admin', 'Administrator', '--password'], raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
assert result.returncode == 1
assert 'CIFS server communication error: code "3221225653", ' \
'message "{Device Timeout}' in result.stderr_text
# Check that trust is successfully established with --server option
tasks.establish_trust_with_ad(
self.master, self.ad_domain,
extra_args=['--server', self.ad.hostname])
# Check domains can not be fetched without --server option
# This checks that our setup is correct
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
raiseonerr=False)
assert result.returncode == 1
assert ('Fetching domains from trusted forest failed'
in result.stderr_text)
# Check that domains can be fetched with --server option
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name,
'--server', self.ad.hostname],
raiseonerr=False)
assert result.returncode == 1
assert ('List of trust domains successfully refreshed'
in result.stdout_text)
finally:
self.remove_trust(self.ad)
tasks.restore_files(self.master)
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.restart_named(self.master)
def test_extdom_plugin(self):
"""Extdom plugin should not return error (32)/'No such object'
Regression test for https://pagure.io/freeipa/issue/8044
If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing user should
not be added to negative cache on the client.
"""
extdom_dn = DN(
('cn', 'ipa_extdom_extop'), ('cn', 'plugins'),
('cn', 'config')
)
client = self.clients[0]
tasks.backup_file(self.master, paths.SSSD_CONF)
log_file = '{0}/sssd_{1}.log'.format(paths.VAR_LOG_SSSD_DIR,
client.domain.name)
logsize = len(client.get_file_contents(log_file))
res = self.master.run_command(['pidof', 'sssd_be'])
pid = res.stdout_text.strip()
test_id = 'id testuser@%s' % self.ad_domain
client.run_command(test_id)
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
orig_extdom_timeout = entry.single_value.get('ipaextdommaxnsstimeout')
# set the extdom plugin timeout to 1s (1000)
entry.single_value['ipaextdommaxnsstimeout'] = 1000
conn.update_entry(entry) # pylint: disable=no-member
self.master.run_command(['ipactl', 'restart'])
domain = self.master.domain
tasks.modify_sssd_conf(
self.master,
domain.name,
{
'timeout': '999999'
}
)
remove_cache = 'sss_cache -E'
self.master.run_command(remove_cache)
client.run_command(remove_cache)
try:
# stop sssd_be, needed to simulate a timeout in the extdom plugin.
stop_sssdbe = self.master.run_command('kill -STOP %s' % pid)
client.run_command(test_id)
error = 'ldap_extended_operation result: No such object(32)'
sssd_log2 = client.get_file_contents(log_file)[logsize:]
assert error.encode() not in sssd_log2
finally:
if stop_sssdbe.returncode == 0:
self.master.run_command('kill -CONT %s' % pid)
# reconnect and set back to default extdom plugin
conn = self.master.ldap_connect()
entry = conn.get_entry(extdom_dn) # pylint: disable=no-member
entry.single_value['ipaextdommaxnsstimeout'] = orig_extdom_timeout
conn.update_entry(entry) # pylint: disable=no-member
tasks.restore_files(self.master)
self.master.run_command(['ipactl', 'restart'])