def test_master_install_ca1(self):
install_server_external_ca_step1(self.master)
# Sign CA, transport it to the host and get ipa a root ca paths.
root_ca_fname1 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="root_ca.crt")
ipa_ca_fname1 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="ipa_ca.crt")
ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA1')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname1, root_ca)
self.master.put_file_contents(ipa_ca_fname1, ipa_ca)
# Step 2 of ipa-server-install.
install_server_external_ca_step2(self.master, ipa_ca_fname1,
root_ca_fname1)
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick
])
assert "CN=RootCA1" in result.stdout_text
def test_master_install_ca2(self):
root_ca_fname2 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="root_ca.crt")
ipa_ca_fname2 = tasks.create_temp_file(self.master,
directory=paths.TMP,
suffix="ipa_ca.crt")
self.master.run_command(
[paths.IPA_CACERT_MANAGE, 'renew', '--external-ca'])
ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR)
external_ca = ExternalCA()
root_ca = external_ca.create_ca(cn='RootCA2')
ipa_ca = external_ca.sign_csr(ipa_csr)
self.master.put_file_contents(root_ca_fname2, root_ca)
self.master.put_file_contents(ipa_ca_fname2, ipa_ca)
# Step 2 of ipa-server-install.
self.master.run_command([
paths.IPA_CACERT_MANAGE, 'renew', '--external-cert-file',
ipa_ca_fname2, '--external-cert-file', root_ca_fname2
])
cert_nick = "caSigningCert cert-pki-ca"
result = self.master.run_command([
'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick
])
assert "CN=RootCA2" in result.stdout_text
def test_sss_ssh_authorizedkeys(self):
"""Login via Ssh using private-key for ipa-user should work.
Test for : https://pagure.io/SSSD/sssd/issue/3937
Steps:
1) setup user with ssh-key and certificate stored in ipaserver
2) simulate p11_child timeout
3) try to login via ssh using private key.
"""
user = '******'
passwd = 'Secret123'
user_key = tasks.create_temp_file(self.master, create_file=False)
pem_file = tasks.create_temp_file(self.master)
# Create a user with a password
tasks.create_active_user(
self.master,
user,
passwd,
extra_args=['--homedir', '/home/{}'.format(user)])
tasks.kinit_admin(self.master)
tasks.run_command_as_user(self.master, user,
['ssh-keygen', '-N', '', '-f', user_key])
ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key),
encoding='utf-8')
openssl_cmd = [
'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365',
'-nodes', '-out', pem_file, '-subj', '/CN=' + user
]
self.master.run_command(openssl_cmd)
cert_b64 = self.get_cert_base64(self.master, pem_file)
sssd_p11_child = '/usr/libexec/sssd/p11_child'
backup = tasks.FileBackup(self.master, sssd_p11_child)
try:
content = '#!/bin/bash\nsleep 999999'
# added sleep to simulate the timeout for p11_child
self.master.put_file_contents(sssd_p11_child, content)
self.master.run_command(
['ipa', 'user-mod', user, '--ssh', ssh_pub_key])
self.master.run_command(
['ipa', 'user-add-cert', user, '--certificate', cert_b64])
# clear cache to avoid SSSD to check the user in old lookup
tasks.clear_sssd_cache(self.master)
result = self.master.run_command(
[paths.SSS_SSH_AUTHORIZEDKEYS, user])
assert ssh_pub_key in result.stdout_text
# login to the system
self.master.run_command([
'ssh', '-o', 'PasswordAuthentication=no', '-o',
'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o',
'ConnectTimeout=10', '-l', user, '-i', user_key,
self.master.hostname, 'true'
])
finally:
# cleanup
self.master.run_command(['ipa', 'user-del', user])
backup.restore()
self.master.run_command(
['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
def test_authentication_with_smb_cifs_principal_alias(self):
"""Test that we can auth as NetBIOS alias
cifs/... principal on SMB server side has NetBIOS name of the SMB
server as its alias. Test that we can actually initialize credentials
using this alias. We don't need to use it anywhere in Samba, just
verify that alias works.
Test for https://pagure.io/freeipa/issue/8291"""
netbiosname = self.smbserver.hostname.split('.')[0].upper() + '$'
copier = tasks.KerberosKeyCopier(self.smbserver)
principal = 'cifs/{hostname}@{realm}'.format(
hostname=self.smbserver.hostname, realm=copier.realm)
alias = '{netbiosname}@{realm}'.format(netbiosname=netbiosname,
realm=copier.realm)
replacement = {principal: alias}
tmpname = tasks.create_temp_file(self.smbserver, create_file=False)
try:
copier.copy_keys(paths.SAMBA_KEYTAB,
tmpname,
principal=principal,
replacement=replacement)
self.smbserver.run_command(['kinit', '-kt', tmpname, netbiosname])
finally:
self.smbserver.run_command(['rm', '-f', tmpname])
def samba_share_public(self):
"""Setup share outside /home on samba server."""
share_name = 'shared'
share_path = '/srv/samba_shared'
smbserver = self.smbserver
smbserver.run_command(['mkdir', share_path])
smbserver.run_command(['chmod', '777', share_path])
# apply selinux context only if selinux is enabled
if tasks.is_selinux_enabled(smbserver):
smbserver.run_command(['chcon', '-t', 'samba_share_t', share_path])
smbconf_save_file = tasks.create_temp_file(smbserver)
smbserver.run_command(['cp', paths.SMB_CONF, smbconf_save_file])
smb_conf = smbserver.get_file_contents(
paths.SMB_CONF, encoding='utf-8')
smb_conf += textwrap.dedent('''
[{name}]
path = {path}
writable = yes
browsable=yes
'''.format(name=share_name, path=share_path))
smbserver.put_file_contents(paths.SMB_CONF, smb_conf)
smbserver.run_command(['systemctl', 'restart', 'smb'])
wait_smbd_functional(smbserver)
yield {
'name': share_name,
'server_path': share_path,
'unc': '//{}/{}'.format(smbserver.hostname, share_name)
}
smbserver.run_command(['mv', smbconf_save_file, paths.SMB_CONF])
smbserver.run_command(['systemctl', 'restart', 'smb'])
wait_smbd_functional(smbserver)
smbserver.run_command(['rmdir', share_path])
def enable_smb_client_dns_lookup_kdc(self):
smbclient = self.smbclient
save_file = tasks.create_temp_file(smbclient)
smbclient.run_command(['cp', paths.KRB5_CONF, save_file])
krb5_conf = smbclient.get_file_contents(
paths.KRB5_CONF, encoding='utf-8')
krb5_conf = krb5_conf.replace(
'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
yield
smbclient.run_command(['mv', save_file, paths.KRB5_CONF])
def test_krbtpolicy_otp(self):
"""Test otp ticket policy"""
master = self.master
tasks.kinit_admin(self.master)
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'otp'])
master.run_command(['ipa', 'config-mod',
'--user-auth-type', 'otp'])
master.run_command(['ipa', 'krbtpolicy-mod', USER1,
'--otp-maxrenew=90', '--otp-maxlife=60'])
armor = tasks.create_temp_file(self.master, create_file=False)
otpuid, totp = add_otptoken(master, USER1, otptype="totp")
otpvalue = totp.generate(int(time.time())).decode("ascii")
try:
tasks.kdestroy_all(master)
# create armor for FAST
master.run_command(['kinit', '-n', '-c', armor])
# expect ticket expire in otp-maxlife=60 seconds
master.run_command(
['kinit', '-T', armor, USER1, '-r', '90'],
stdin_text='{0}{1}\n'.format(PASSWORD, otpvalue))
master.run_command(['ipa', 'user-find', USER1])
time.sleep(30)
# when user kerberos ticket expired but still within renew time,
# kinit -R should give user new life
master.run_command(['kinit', '-R', USER1])
master.run_command(['ipa', 'user-find', USER1])
time.sleep(60)
# when renew time expires, kinit -R should fail
result1 = master.run_command(['kinit', '-R', USER1],
raiseonerr=False)
tasks.assert_error(
result1,
"kinit: Ticket expired while renewing credentials", 1)
master.run_command(['ipa', 'user-find', USER1],
ok_returncode=1)
finally:
del_otptoken(master, otpuid)
reset_to_default_policy(master, USER1)
self.master.run_command(['rm', '-f', armor])
master.run_command(['ipa', 'config-mod', '--user-auth-type='])
def test_server_option_with_unreachable_ad(self):
"""
Check trust can be established with partially unreachable AD topology
The SRV records for AD services can point to hosts unreachable for
ipa master. In this case we must be able to establish trust and
fetch domains list by using "--server" option.
This is the regression test for https://pagure.io/freeipa/issue/7895.
"""
# To simulate Windows Server advertising unreachable hosts in SRV
# records we create specially crafted zone file for BIND DNS server
tasks.backup_file(self.master, paths.NAMED_CONF)
ad_zone = textwrap.dedent('''
$ORIGIN {ad_dom}.
$TTL 86400
@ IN A {ad_ip}
IN NS {ad_host}.
IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600
_msdcs IN NS {ad_host}.
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}.
_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}.
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}.
_gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}.
_kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}.
_kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}.
_ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}.
_kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}.
_kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}.
{ad_short} IN A {ad_ip}
unreachable IN A {unreachable}
DomainDnsZones IN A {ad_ip}
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
_ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
ForestDnsZones IN A {ad_ip}
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
_ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}.
'''.format( # noqa: E501
ad_ip=self.ad.ip,
unreachable='192.168.254.254',
ad_host=self.ad.hostname,
ad_dom=self.ad.domain.name,
ad_short=self.ad.shortname))
ad_zone_file = tasks.create_temp_file(self.master, directory='/etc')
self.master.put_file_contents(ad_zone_file, ad_zone)
self.master.run_command(
['chmod', '--reference', paths.NAMED_CONF, ad_zone_file])
self.master.run_command(
['chown', '--reference', paths.NAMED_CONF, ad_zone_file])
named_conf = self.master.get_file_contents(paths.NAMED_CONF,
encoding='utf-8')
named_conf += textwrap.dedent('''
zone "ad.test" {{
type master;
file "{}";
}};
'''.format(ad_zone_file))
self.master.put_file_contents(paths.NAMED_CONF, named_conf)
tasks.restart_named(self.master)
try:
# Check that trust can not be established without --server option
# This checks that our setup is correct
result = self.master.run_command(
[
'ipa', 'trust-add', self.ad.domain.name, '--admin',
'Administrator', '--password'
],
raiseonerr=False,
stdin_text=self.master.config.ad_admin_password)
assert result.returncode == 1
assert 'CIFS server communication error: code "3221225653", ' \
'message "{Device Timeout}' in result.stderr_text
# Check that trust is successfully established with --server option
tasks.establish_trust_with_ad(
self.master,
self.ad_domain,
extra_args=['--server', self.ad.hostname])
# Check domains can not be fetched without --server option
# This checks that our setup is correct
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
raiseonerr=False)
assert result.returncode == 1
assert ('Fetching domains from trusted forest failed'
in result.stderr_text)
# Check that domains can be fetched with --server option
result = self.master.run_command([
'ipa', 'trust-fetch-domains', self.ad.domain.name, '--server',
self.ad.hostname
],
raiseonerr=False)
assert result.returncode == 1
assert ('List of trust domains successfully refreshed'
in result.stdout_text)
finally:
self.remove_trust(self.ad)
tasks.restore_files(self.master)
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.restart_named(self.master)
