def test_master_install_ca1(self): install_server_external_ca_step1(self.master) # Sign CA, transport it to the host and get ipa a root ca paths. root_ca_fname1 = tasks.create_temp_file(self.master, directory=paths.TMP, suffix="root_ca.crt") ipa_ca_fname1 = tasks.create_temp_file(self.master, directory=paths.TMP, suffix="ipa_ca.crt") ipa_csr = self.master.get_file_contents(paths.ROOT_IPA_CSR) external_ca = ExternalCA() root_ca = external_ca.create_ca(cn='RootCA1') ipa_ca = external_ca.sign_csr(ipa_csr) self.master.put_file_contents(root_ca_fname1, root_ca) self.master.put_file_contents(ipa_ca_fname1, ipa_ca) # Step 2 of ipa-server-install. install_server_external_ca_step2(self.master, ipa_ca_fname1, root_ca_fname1) cert_nick = "caSigningCert cert-pki-ca" result = self.master.run_command([ 'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick ]) assert "CN=RootCA1" in result.stdout_text
def test_master_install_ca2(self): root_ca_fname2 = tasks.create_temp_file(self.master, directory=paths.TMP, suffix="root_ca.crt") ipa_ca_fname2 = tasks.create_temp_file(self.master, directory=paths.TMP, suffix="ipa_ca.crt") self.master.run_command( [paths.IPA_CACERT_MANAGE, 'renew', '--external-ca']) ipa_csr = self.master.get_file_contents(paths.IPA_CA_CSR) external_ca = ExternalCA() root_ca = external_ca.create_ca(cn='RootCA2') ipa_ca = external_ca.sign_csr(ipa_csr) self.master.put_file_contents(root_ca_fname2, root_ca) self.master.put_file_contents(ipa_ca_fname2, ipa_ca) # Step 2 of ipa-server-install. self.master.run_command([ paths.IPA_CACERT_MANAGE, 'renew', '--external-cert-file', ipa_ca_fname2, '--external-cert-file', root_ca_fname2 ]) cert_nick = "caSigningCert cert-pki-ca" result = self.master.run_command([ 'certutil', '-L', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', cert_nick ]) assert "CN=RootCA2" in result.stdout_text
def test_sss_ssh_authorizedkeys(self): """Login via Ssh using private-key for ipa-user should work. Test for : https://pagure.io/SSSD/sssd/issue/3937 Steps: 1) setup user with ssh-key and certificate stored in ipaserver 2) simulate p11_child timeout 3) try to login via ssh using private key. """ user = '******' passwd = 'Secret123' user_key = tasks.create_temp_file(self.master, create_file=False) pem_file = tasks.create_temp_file(self.master) # Create a user with a password tasks.create_active_user( self.master, user, passwd, extra_args=['--homedir', '/home/{}'.format(user)]) tasks.kinit_admin(self.master) tasks.run_command_as_user(self.master, user, ['ssh-keygen', '-N', '', '-f', user_key]) ssh_pub_key = self.master.get_file_contents('{}.pub'.format(user_key), encoding='utf-8') openssl_cmd = [ 'openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-days', '365', '-nodes', '-out', pem_file, '-subj', '/CN=' + user ] self.master.run_command(openssl_cmd) cert_b64 = self.get_cert_base64(self.master, pem_file) sssd_p11_child = '/usr/libexec/sssd/p11_child' backup = tasks.FileBackup(self.master, sssd_p11_child) try: content = '#!/bin/bash\nsleep 999999' # added sleep to simulate the timeout for p11_child self.master.put_file_contents(sssd_p11_child, content) self.master.run_command( ['ipa', 'user-mod', user, '--ssh', ssh_pub_key]) self.master.run_command( ['ipa', 'user-add-cert', user, '--certificate', cert_b64]) # clear cache to avoid SSSD to check the user in old lookup tasks.clear_sssd_cache(self.master) result = self.master.run_command( [paths.SSS_SSH_AUTHORIZEDKEYS, user]) assert ssh_pub_key in result.stdout_text # login to the system self.master.run_command([ 'ssh', '-o', 'PasswordAuthentication=no', '-o', 'IdentitiesOnly=yes', '-o', 'StrictHostKeyChecking=no', '-o', 'ConnectTimeout=10', '-l', user, '-i', user_key, self.master.hostname, 'true' ]) finally: # cleanup self.master.run_command(['ipa', 'user-del', user]) backup.restore() self.master.run_command( ['rm', '-f', pem_file, user_key, '{}.pub'.format(user_key)])
def test_authentication_with_smb_cifs_principal_alias(self): """Test that we can auth as NetBIOS alias cifs/... principal on SMB server side has NetBIOS name of the SMB server as its alias. Test that we can actually initialize credentials using this alias. We don't need to use it anywhere in Samba, just verify that alias works. Test for https://pagure.io/freeipa/issue/8291""" netbiosname = self.smbserver.hostname.split('.')[0].upper() + '$' copier = tasks.KerberosKeyCopier(self.smbserver) principal = 'cifs/{hostname}@{realm}'.format( hostname=self.smbserver.hostname, realm=copier.realm) alias = '{netbiosname}@{realm}'.format(netbiosname=netbiosname, realm=copier.realm) replacement = {principal: alias} tmpname = tasks.create_temp_file(self.smbserver, create_file=False) try: copier.copy_keys(paths.SAMBA_KEYTAB, tmpname, principal=principal, replacement=replacement) self.smbserver.run_command(['kinit', '-kt', tmpname, netbiosname]) finally: self.smbserver.run_command(['rm', '-f', tmpname])
def samba_share_public(self): """Setup share outside /home on samba server.""" share_name = 'shared' share_path = '/srv/samba_shared' smbserver = self.smbserver smbserver.run_command(['mkdir', share_path]) smbserver.run_command(['chmod', '777', share_path]) # apply selinux context only if selinux is enabled if tasks.is_selinux_enabled(smbserver): smbserver.run_command(['chcon', '-t', 'samba_share_t', share_path]) smbconf_save_file = tasks.create_temp_file(smbserver) smbserver.run_command(['cp', paths.SMB_CONF, smbconf_save_file]) smb_conf = smbserver.get_file_contents( paths.SMB_CONF, encoding='utf-8') smb_conf += textwrap.dedent(''' [{name}] path = {path} writable = yes browsable=yes '''.format(name=share_name, path=share_path)) smbserver.put_file_contents(paths.SMB_CONF, smb_conf) smbserver.run_command(['systemctl', 'restart', 'smb']) wait_smbd_functional(smbserver) yield { 'name': share_name, 'server_path': share_path, 'unc': '//{}/{}'.format(smbserver.hostname, share_name) } smbserver.run_command(['mv', smbconf_save_file, paths.SMB_CONF]) smbserver.run_command(['systemctl', 'restart', 'smb']) wait_smbd_functional(smbserver) smbserver.run_command(['rmdir', share_path])
def enable_smb_client_dns_lookup_kdc(self): smbclient = self.smbclient save_file = tasks.create_temp_file(smbclient) smbclient.run_command(['cp', paths.KRB5_CONF, save_file]) krb5_conf = smbclient.get_file_contents( paths.KRB5_CONF, encoding='utf-8') krb5_conf = krb5_conf.replace( 'dns_lookup_kdc = false', 'dns_lookup_kdc = true') smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf) yield smbclient.run_command(['mv', save_file, paths.KRB5_CONF])
def test_krbtpolicy_otp(self): """Test otp ticket policy""" master = self.master tasks.kinit_admin(self.master) master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type', 'otp']) master.run_command(['ipa', 'config-mod', '--user-auth-type', 'otp']) master.run_command(['ipa', 'krbtpolicy-mod', USER1, '--otp-maxrenew=90', '--otp-maxlife=60']) armor = tasks.create_temp_file(self.master, create_file=False) otpuid, totp = add_otptoken(master, USER1, otptype="totp") otpvalue = totp.generate(int(time.time())).decode("ascii") try: tasks.kdestroy_all(master) # create armor for FAST master.run_command(['kinit', '-n', '-c', armor]) # expect ticket expire in otp-maxlife=60 seconds master.run_command( ['kinit', '-T', armor, USER1, '-r', '90'], stdin_text='{0}{1}\n'.format(PASSWORD, otpvalue)) master.run_command(['ipa', 'user-find', USER1]) time.sleep(30) # when user kerberos ticket expired but still within renew time, # kinit -R should give user new life master.run_command(['kinit', '-R', USER1]) master.run_command(['ipa', 'user-find', USER1]) time.sleep(60) # when renew time expires, kinit -R should fail result1 = master.run_command(['kinit', '-R', USER1], raiseonerr=False) tasks.assert_error( result1, "kinit: Ticket expired while renewing credentials", 1) master.run_command(['ipa', 'user-find', USER1], ok_returncode=1) finally: del_otptoken(master, otpuid) reset_to_default_policy(master, USER1) self.master.run_command(['rm', '-f', armor]) master.run_command(['ipa', 'config-mod', '--user-auth-type='])
def test_server_option_with_unreachable_ad(self): """ Check trust can be established with partially unreachable AD topology The SRV records for AD services can point to hosts unreachable for ipa master. In this case we must be able to establish trust and fetch domains list by using "--server" option. This is the regression test for https://pagure.io/freeipa/issue/7895. """ # To simulate Windows Server advertising unreachable hosts in SRV # records we create specially crafted zone file for BIND DNS server tasks.backup_file(self.master, paths.NAMED_CONF) ad_zone = textwrap.dedent(''' $ORIGIN {ad_dom}. $TTL 86400 @ IN A {ad_ip} IN NS {ad_host}. IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600 _msdcs IN NS {ad_host}. _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}. _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}. _gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}. _ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}. _kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}. {ad_short} IN A {ad_ip} unreachable IN A {unreachable} DomainDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. ForestDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. '''.format( # noqa: E501 ad_ip=self.ad.ip, unreachable='192.168.254.254', ad_host=self.ad.hostname, ad_dom=self.ad.domain.name, ad_short=self.ad.shortname)) ad_zone_file = tasks.create_temp_file(self.master, directory='/etc') self.master.put_file_contents(ad_zone_file, ad_zone) self.master.run_command( ['chmod', '--reference', paths.NAMED_CONF, ad_zone_file]) self.master.run_command( ['chown', '--reference', paths.NAMED_CONF, ad_zone_file]) named_conf = self.master.get_file_contents(paths.NAMED_CONF, encoding='utf-8') named_conf += textwrap.dedent(''' zone "ad.test" {{ type master; file "{}"; }}; '''.format(ad_zone_file)) self.master.put_file_contents(paths.NAMED_CONF, named_conf) tasks.restart_named(self.master) try: # Check that trust can not be established without --server option # This checks that our setup is correct result = self.master.run_command( [ 'ipa', 'trust-add', self.ad.domain.name, '--admin', 'Administrator', '--password' ], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) assert result.returncode == 1 assert 'CIFS server communication error: code "3221225653", ' \ 'message "{Device Timeout}' in result.stderr_text # Check that trust is successfully established with --server option tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--server', self.ad.hostname]) # Check domains can not be fetched without --server option # This checks that our setup is correct result = self.master.run_command( ['ipa', 'trust-fetch-domains', self.ad.domain.name], raiseonerr=False) assert result.returncode == 1 assert ('Fetching domains from trusted forest failed' in result.stderr_text) # Check that domains can be fetched with --server option result = self.master.run_command([ 'ipa', 'trust-fetch-domains', self.ad.domain.name, '--server', self.ad.hostname ], raiseonerr=False) assert result.returncode == 1 assert ('List of trust domains successfully refreshed' in result.stdout_text) finally: self.remove_trust(self.ad) tasks.restore_files(self.master) self.master.run_command(['rm', '-f', ad_zone_file]) tasks.restart_named(self.master)