def test_establish_nonposix_trust(self): self.configure_dns_and_time(self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust'])
def install(cls, mh): super(TestCertsInIDOverrides, cls).install(mh) cls.ad = config.ad_domains[0].ads[0] cls.ad_domain = cls.ad.domain.name cls.aduser = "******" % cls.ad_domain master = cls.master # A setup for test_dbus_user_lookup master.run_command(['dnf', 'install', '-y', 'sssd-dbus'], raiseonerr=False) # The tasks.modify_sssd_conf way did not work because # sssd_domain.set_option knows nothing about 'services' parameter of # the sssd config file. Therefore I am using sed approach master.run_command( "sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF) master.run_command( "sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False) master.run_command(['systemctl', 'restart', 'sssd.service']) # End of setup for test_dbus_user_lookup # AD-related stuff tasks.install_adtrust(master) tasks.sync_time(master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) cls.reqdir = os.path.join(master.config.test_dir, "certs") cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") cls.pwname = os.path.join(cls.reqdir, "pwd") # Create a NSS database folder master.run_command(['mkdir', cls.reqdir], raiseonerr=False) # Create an empty password file master.run_command(["touch", cls.pwname], raiseonerr=False) # Initialize NSS database tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir) # Now generate self-signed certs for a windows user stdin_text = string.digits+string.ascii_letters[2:] + '\n' tasks.run_certutil(master, ['-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234'], cls.reqdir, stdin=stdin_text) tasks.run_certutil(master, ['-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234'], cls.reqdir, stdin=stdin_text) # Export the previously generated cert tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>', cls.adcert1_file], cls.reqdir) tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>', cls.adcert2_file], cls.reqdir) cls.cert1_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file ).stdout_text cls.cert2_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file ).stdout_text cls.cert1_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert1_file ).stdout_text cls.cert2_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert2_file ).stdout_text
def test_establish_external_subdomain_trust(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_subdomain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
def test_establish_external_rootdomain_trust(self): self.configure_dns_and_time(self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
def test_establish_posix_trust(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust-posix'])
def test_server_option_with_unreachable_ad(self): """ Check trust can be established with partially unreachable AD topology The SRV records for AD services can point to hosts unreachable for ipa master. In this case we must be able to establish trust and fetch domains list by using "--server" option. This is the regression test for https://pagure.io/freeipa/issue/7895. """ # To simulate Windows Server advertising unreachable hosts in SRV # records we create specially crafted zone file for BIND DNS server tasks.backup_file(self.master, paths.NAMED_CONF) ad_zone = textwrap.dedent(''' $ORIGIN {ad_dom}. $TTL 86400 @ IN A {ad_ip} IN NS {ad_host}. IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600 _msdcs IN NS {ad_host}. _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}. _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}. _gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}. _ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}. _kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}. {ad_short} IN A {ad_ip} unreachable IN A {unreachable} DomainDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. ForestDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. '''.format( # noqa: E501 ad_ip=self.ad.ip, unreachable='192.168.254.254', ad_host=self.ad.hostname, ad_dom=self.ad.domain.name, ad_short=self.ad.shortname)) ad_zone_file = tasks.create_temp_file(self.master, directory='/etc') self.master.put_file_contents(ad_zone_file, ad_zone) self.master.run_command( ['chmod', '--reference', paths.NAMED_CONF, ad_zone_file]) self.master.run_command( ['chown', '--reference', paths.NAMED_CONF, ad_zone_file]) named_conf = self.master.get_file_contents(paths.NAMED_CONF, encoding='utf-8') named_conf += textwrap.dedent(''' zone "ad.test" {{ type master; file "{}"; }}; '''.format(ad_zone_file)) self.master.put_file_contents(paths.NAMED_CONF, named_conf) tasks.restart_named(self.master) try: # Check that trust can not be established without --server option # This checks that our setup is correct result = self.master.run_command( [ 'ipa', 'trust-add', self.ad_domain, '--admin', 'Administrator@' + self.ad_domain, '--password' ], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) assert result.returncode == 1 assert 'CIFS server communication error: code "3221225653", ' \ 'message "{Device Timeout}' in result.stderr_text # Check that trust is successfully established with --server option tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--server', self.ad.hostname]) # Check domains can not be fetched without --server option # This checks that our setup is correct result = self.master.run_command( ['ipa', 'trust-fetch-domains', self.ad.domain.name], raiseonerr=False) assert result.returncode == 1 assert ('Fetching domains from trusted forest failed' in result.stderr_text) # Check that domains can be fetched with --server option result = self.master.run_command([ 'ipa', 'trust-fetch-domains', self.ad.domain.name, '--server', self.ad.hostname ], raiseonerr=False) assert result.returncode == 1 assert ('List of trust domains successfully refreshed' in result.stdout_text) finally: tasks.restore_files(self.master) tasks.restart_named(self.master) tasks.clear_sssd_cache(self.master) self.master.run_command(['rm', '-f', ad_zone_file]) tasks.configure_dns_for_trust(self.master, self.ad) self.remove_trust(self.ad)
def install(cls, mh): super(TestCertsInIDOverrides, cls).install(mh) cls.ad = config.ad_domains[0].ads[0] cls.ad_domain = cls.ad.domain.name cls.aduser = "******" % cls.ad_domain master = cls.master # A setup for test_dbus_user_lookup master.run_command(['dnf', 'install', '-y', 'sssd-dbus'], raiseonerr=False) # The tasks.modify_sssd_conf way did not work because # sssd_domain.set_option knows nothing about 'services' parameter of # the sssd config file. Therefore I am using sed approach master.run_command("sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF) master.run_command("sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False) master.run_command(['systemctl', 'restart', 'sssd.service']) # End of setup for test_dbus_user_lookup # AD-related stuff tasks.install_adtrust(master) tasks.sync_time(master, cls.ad) tasks.establish_trust_with_ad( cls.master, cls.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) cls.reqdir = os.path.join(master.config.test_dir, "certs") cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") cls.pwname = os.path.join(cls.reqdir, "pwd") # Create a NSS database folder master.run_command(['mkdir', cls.reqdir], raiseonerr=False) # Create an empty password file master.run_command(["touch", cls.pwname], raiseonerr=False) # Initialize NSS database tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir) # Now generate self-signed certs for a windows user stdin_text = string.digits + string.ascii_letters[2:] + '\n' tasks.run_certutil(master, [ '-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234' ], cls.reqdir, stdin=stdin_text) tasks.run_certutil(master, [ '-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234' ], cls.reqdir, stdin=stdin_text) # Export the previously generated cert tasks.run_certutil( master, ['-L', '-n', cls.adcert1, '-a', '>', cls.adcert1_file], cls.reqdir) tasks.run_certutil( master, ['-L', '-n', cls.adcert2, '-a', '>', cls.adcert2_file], cls.reqdir) cls.cert1_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file).stdout_text cls.cert2_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file).stdout_text cls.cert1_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert1_file).stdout_text cls.cert2_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert2_file).stdout_text