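def test_refresh_expired_rule(self, multihost, enable_sss_sudo_nsswitch,
                              generic_sudorule,
                              set_entry_cache_sudo_timeout):
    """
    @Title: sudo: Verify refreshing expired sudo rules do not crash sssd_sudo

    Logs in over SSH to ``master[0]``, runs ``sudo -l``, waits past the
    sudo entry-cache timeout configured by the
    ``set_entry_cache_sudo_timeout`` fixture and fails (after dumping the
    journal) if the command did not succeed.  The fixture arguments are
    referenced only to keep them active for the duration of the test.
    """
    # pylint: disable=unused-argument
    _pytest_fixtures = [enable_sss_sudo_nsswitch, generic_sudorule,
                        set_entry_cache_sudo_timeout]
    try:
        ssh = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("%s failed to login" % 'foo1')
    try:
        print("Executing %s command as %s user" % ('sudo -l', 'foo1'))
        (_, _, exit_status) = ssh.execute_cmd('sudo -l')
        # Let the cached rule expire while the session is still open.
        # NOTE(review): the title suggests a second `sudo -l` after the
        # expiry was intended; only the one run above is checked here.
        time.sleep(30)
        if exit_status != 0:
            # Collect the journal *before* failing; the original asserted
            # on exit_status first, which made this diagnostic unreachable.
            journalctl_cmd = 'journalctl -x -n 100 --no-pager'
            multihost.master[0].run_command(journalctl_cmd)
            pytest.fail("%s cmd failed for user %s" % ('sudo -l', 'foo1'))
    finally:
        # Close the session on every path, not only on success.
        ssh.close()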
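def test_case_senitivity(self, multihost, case_sensitive_sudorule,
                         enable_sss_sudo_nsswitch,
                         set_case_sensitive_false):
    """
    @Title: sudo: Verify case sensitivity in sudo responder

    With ``case_sensitive = false`` the rule created by the
    ``case_sensitive_sudorule`` fixture must still be listed by ``sudo -l``
    for the differently-cased user; both ``/usr/bin/less`` and
    ``/usr/bin/more`` have to appear as NOPASSWD commands.  The fixture
    arguments are referenced only to keep them active.
    """
    # pylint: disable=unused-argument
    _pytest_fixtures = [case_sensitive_sudorule, enable_sss_sudo_nsswitch,
                        set_case_sensitive_false]
    try:
        ssh = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("%s failed to login" % 'capsuser-1')
    try:
        (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
        assert exit_status == 0
        # Keep only the command part of each "(root) NOPASSWD: <cmd>" line.
        # The original called line.strip() and discarded the result, then
        # stripped the *character set* "(root) NOPASSWD: " from both ends and
        # relied on the trailing newline surviving; splitting on the marker
        # is exact and tolerant of surrounding whitespace.
        result = [line.partition('NOPASSWD:')[2].strip()
                  for line in stdout.readlines() if 'NOPASSWD' in line]
        assert '/usr/bin/less' in result
        assert '/usr/bin/more' in result
    finally:
        # Close the session even when an assertion fails.
        ssh.close()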
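def test_ssh_forward_creds(self, multihost, enable_kcm):
    """
    @Title: kcm: Test that SSH can forward credentials with KCM

    A regression test for https://pagure.io/SSSD/sssd/issue/3873

    Obtains a TGT for foo9 on ``master[0]`` and then opens a nested
    ``ssh -K`` session back to the same host; ``klist`` on the far side must
    show a KCM cache, proving the delegated credentials landed in KCM.
    ``enable_kcm`` is a fixture argument and is not used directly.
    """
    ssh = SSHClient(multihost.master[0].sys_hostname,
                    username='******', password='******')
    try:
        (_, _, exit_status) = ssh.execute_cmd('kdestroy')
        assert exit_status == 0
        (_, _, exit_status) = ssh.execute_cmd('kinit foo9', stdin='Secret123')
        assert exit_status == 0
        # -K enables GSSAPI authentication and delegation of the TGT.
        # Host-key checking is disabled because the lab host is disposable;
        # the test only cares whether delegation reaches the far side.
        ssh_k_cmd = ('ssh -oStrictHostKeyChecking=no -K -l foo9 '
                     + multihost.master[0].sys_hostname
                     + ' klist')
        (stdout, _, exit_status) = ssh.execute_cmd(ssh_k_cmd)
        assert exit_status == 0
        has_cache = any('KCM:14583109' in line
                        for line in stdout.readlines())
        assert has_cache is True
    finally:
        # The original never closed this session.
        ssh.close()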
def test_ssh_user_login(self, multihost):
    """Check ssh login as LDAP user with Kerberos credentials

    Opens a password-based SSH session to ``master[0]``; an
    ``AuthenticationException`` is turned into a ``pytest.fail`` with the
    user name, otherwise the session is simply closed again.
    """
    target = multihost.master[0].sys_hostname
    session = None
    try:
        session = SSHClient(target, username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("Authentication Failed as user %s" % ('foo1'))
    # Reaching this point is the success criterion; just tidy up.
    if session is not None:
        session.close()
def test_ssh_login_kcm(self, multihost, enable_kcm):
    """
    Verify ssh logins are successful with kcm as default

    ``enable_kcm`` is referenced only to keep the fixture active.  When the
    login is refused, the last 50 lines of the sssd journal on ``master[0]``
    are printed before the test is failed so the cause is visible in the
    report.
    """
    # pylint: disable=unused-argument
    _pytest_fixture = [enable_kcm]
    master = multihost.master[0]
    session = None
    try:
        session = SSHClient(master.sys_hostname,
                            username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        master.run_command('journalctl -u sssd -n 50 --no-pager')
        pytest.fail("Authentication Failed as user %s" % ('foo4'))
    # A successful login is the whole assertion; release the session.
    if session is not None:
        session.close()
def test_kcm_debug_level_set(self, multihost, enable_kcm):
    """
    @Title: kcm: After kcm section with debug level set restaring sssd-kcm
    service enables kcm debugging

    @Description: Test that just adding a [kcm] section and restarting
    the kcm service enables debugging without having to restart
    the whole sssd

    The KCM log length is sampled three times: after a clean start with
    ``debug_level = 0``, after a user session ran ``kdestroy`` (must be
    unchanged) and after raising ``debug_level`` to 9 and restarting only
    sssd-kcm (must have grown by more than 100 lines).  ``enable_kcm`` is a
    fixture argument and is not used directly.
    """
    master = multihost.master[0]

    def kdestroy_as_foo3():
        # Log in as the test user and run kdestroy; presumably this makes
        # sssd-kcm do work that is logged when debugging is on, which is what
        # the log-length comparison below relies on.
        try:
            session = SSHClient(master.sys_hostname,
                                username='******', password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Authentication Failed as user %s" % ('foo3'))
        else:
            session.execute_cmd('kdestroy')
            session.close()

    # Known-good state: configuration re-read by the monitor, logging off.
    master.service_sssd('stop')
    self._stop_kcm(multihost)
    self._remove_kcm_log_file(multihost)
    set_param(multihost, 'kcm', 'debug_level', '0')
    master.service_sssd('start')
    self._start_kcm(multihost)
    baseline = self._kcm_log_length(multihost)

    # Debugging disabled: the session must not produce any log lines.
    kdestroy_as_foo3()
    assert self._kcm_log_length(multihost) == baseline

    # Raise the level and restart only sssd-kcm, not the whole of sssd.
    set_param(multihost, 'kcm', 'debug_level', '9')
    self._restart_kcm(multihost)
    kdestroy_as_foo3()
    assert self._kcm_log_length(multihost) > baseline + 100
def test_kinit(self, multihost): """ Run kinit after user login """ try: ssh = SSHClient(multihost.master[0].sys_hostname, username='******', password='******') except paramiko.ssh_exception.AuthenticationException: pytest.fail("Authentication Failed as user %s" % ('foo2')) else: (_, _, exit_status) = ssh.execute_cmd(args='kinit', stdin='Secret123') assert exit_status == 0 (stdout, _, _) = ssh.execute_cmd('klist') for line in stdout.readlines(): print(line) assert exit_status == 0 ssh.close()
def test_kdestroy_retval(self, multihost, enable_kcm):
    """
    @Title: kcm: Test that destroying an empty cache does not return
    a non-zero return code

    ``kdestroy`` is run twice in one session: the first call may still find
    a cache left over from an earlier test, the second is guaranteed to hit
    an empty one.  Both must exit with status 0.  ``enable_kcm`` is a
    fixture argument and is not used directly.
    """
    session = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    for _attempt in range(2):
        (_, _, rc) = session.execute_cmd('kdestroy')
        assert rc == 0
    session.close()
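def test_kinit_kcm(self, multihost, enable_kcm):
    """
    Run kinit with KRB5CCNAME=KCM:

    Starts sssd-kcm, obtains a ticket with ``KRB5CCNAME=KCM:`` and checks
    that ``klist`` reports the KCM ticket cache for the user.  ``enable_kcm``
    is a fixture argument and is not used directly.
    """
    self._start_kcm(multihost)
    try:
        ssh = SSHClient(multihost.master[0].sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("Authentication Failed as user %s" % ('foo3'))
    try:
        (_, _, kinit_status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit',
                                               stdin='Secret123')
        assert kinit_status == 0
        # The original threw klist's exit status away and re-checked the
        # kinit one; check the status of the command actually being run.
        (stdout, _, klist_status) = ssh.execute_cmd('KRB5CCNAME=KCM:;klist')
        assert klist_status == 0
        lines = [str(line.strip()) for line in stdout.readlines()]
        if not any('Ticket cache: KCM:14583103' in line for line in lines):
            pytest.fail("klist did not report the KCM ticket cache: %r"
                        % lines)
    finally:
        ssh.close()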
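def test_offline_ssh_login(self, multihost):
    """@Title: Login: Verify offline ssh login

    Enables credential caching in sssd.conf on ``master[0]``, logs in once
    while the backends are up so the credentials get cached, then stops
    dirsrv and krb5kdc and verifies the same user can still log in.  The
    directory server and KDC are restarted in a ``finally`` block so a
    failed offline login does not leave the host without its backends
    (the original only restarted them on the success path).
    """
    import os
    import tempfile

    master = multihost.master[0]
    remote_conf = '/etc/sssd/sssd.conf'
    # Edit a private temporary copy instead of the fixed /tmp/sssd.conf: a
    # predictable name in a shared directory can be pre-created or symlinked
    # by another local user, and the file holds the host's sssd config.
    with tempfile.TemporaryDirectory() as tmpdir:
        local_conf = os.path.join(tmpdir, 'sssd.conf')
        master.transport.get_file(remote_conf, local_conf)
        sssdconfig = ConfigParser.RawConfigParser()
        sssdconfig.read(local_conf)
        domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST')
        if domain_section not in sssdconfig.sections():
            pytest.fail("Could not fetch sssd.conf")
        sssdconfig.set(domain_section, 'cache_credentials', 'True')
        sssdconfig.set(domain_section,
                       'krb5_store_password_if_offline', 'True')
        sssdconfig.set('pam', 'offline_credentials_expiration', '0')
        with open(local_conf, "w") as fd:
            sssdconfig.write(fd)
        master.transport.put_file(local_conf, remote_conf)
    master.service_sssd('restart')
    time.sleep(5)

    def login_as_foo4():
        # A refused login is a test failure on both the online and the
        # offline attempt; the message is identical to the original.
        try:
            ssh = SSHClient(master.sys_hostname,
                            username='******', password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Unable to authenticate as %s" % ('foo4'))
        else:
            ssh.close()

    # Online login first so the credentials are cached by sssd.
    login_as_foo4()
    master.run_command('systemctl stop dirsrv@example1')
    master.run_command('systemctl stop krb5kdc')
    try:
        # With both backends down only the cached credentials can succeed.
        login_as_foo4()
    finally:
        master.run_command('systemctl start dirsrv@example1')
        master.run_command('systemctl start krb5kdc')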
def test_kinit_kcm(self, multihost): """ Run kinit with KRB5CCNAME=KCM: """ try: ssh = SSHClient(multihost.master[0].sys_hostname, username='******', password='******') except paramiko.ssh_exception.AuthenticationException: pytest.fail("Authentication Failed as user %s" % ('foo3')) else: (_, _, exit_status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit', stdin='Secret123') assert exit_status == 0 (stdout, _, _) = ssh.execute_cmd('KRB5CCNAME=KCM:;klist') for line in stdout.readlines(): if 'Ticket cache: KCM:14583103' in str(line.strip()): assert True break else: assert False assert exit_status == 0 ssh.close()
def test_kinit(self, multihost): """ :title: Login: Verify kinit is successfull after user login :id: 5e15e9e9-c559-49b8-a164-abe13d82d0fd """ try: ssh = SSHClient(multihost.master[0].sys_hostname, username='******', password='******') except paramiko.ssh_exception.AuthenticationException: pytest.fail("Authentication Failed as user %s" % ('foo2')) else: (_, _, exit_status) = ssh.execute_cmd(args='kinit', stdin='Secret123') assert exit_status == 0 (stdout, _, _) = ssh.execute_cmd('klist') for line in stdout.readlines(): print(line) assert exit_status == 0 ssh.close()
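def test_timed_sudoers_entry(self, multihost, backupsssdconf, timed_sudoers):
    """
    @Title: sudo: sssd accepts timed entries without minutes and or
    seconds to attribute

    Points the client's domain at the LDAP sudo rules on ``master[0]``,
    enables the sudo responder, logs in and checks that ``sudo -l`` lists
    the rule created by the ``timed_sudoers`` fixture with the time
    attribute padded to minutes/seconds ``0000``.  ``backupsssdconf`` and
    ``timed_sudoers`` are fixture arguments and are not used directly.
    """
    # pylint: disable=unused-argument
    client = multihost.client[0]
    tools = sssdTools(client)
    client.service_sssd('stop')
    tools.remove_sss_cache('/var/lib/sss/db')
    sudo_base = 'ou=sudoers,dc=example,dc=test'
    # Plain ldap:// (no TLS) — a lab-only setting for this test server.
    sudo_uri = "ldap://%s" % multihost.master[0].sys_hostname
    params = {'ldap_sudo_search_base': sudo_base,
              'ldap_uri': sudo_uri,
              'sudo_provider': "ldap"}
    domain_section = 'domain/%s' % ds_instance_name
    tools.sssd_conf(domain_section, params, action='update')
    section = "sssd"
    sssd_params = {'services': 'nss, pam, sudo'}
    tools.sssd_conf(section, sssd_params, action='update')
    # The original kept the return value in an unused `start` variable.
    client.service_sssd('start')
    try:
        ssh = SSHClient(client.sys_hostname,
                        username='******', password='******')
    except paramiko.ssh_exception.AuthenticationException:
        pytest.fail("%s failed to login" % 'foo1')
    try:
        print("Executing %s command as %s user"
              % ('sudo -l', '*****@*****.**'))
        (std_out, _, _) = ssh.execute_cmd('id')
        for line in std_out.readlines():
            print(line)
        (std_out, _, exit_status) = ssh.execute_cmd('sudo -l')
        for line in std_out.readlines():
            if 'NOPASSWD' in line:
                # Second whitespace-separated token, the value after '=',
                # characters 10-13: presumably the minutes+seconds part of
                # the timed attribute, expected to be zero-padded — confirm
                # against the rule format the fixture creates.
                evar = list(line.strip().split()[1].split('=')[1])[10:14]
                assert evar == list('0000')
        if exit_status != 0:
            journalctl_cmd = 'journalctl -x -n 100 --no-pager'
            multihost.master[0].run_command(journalctl_cmd)
            pytest.fail("%s cmd failed for user %s" % ('sudo -l', 'foo1'))
    finally:
        # Close the session on failure paths as well.
        ssh.close()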
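def test_0002_1736796(self, multihost, localusers):
    """
    :title: config: "default_domain_suffix" should not cause files domain
     entries to be qualified, this can break sudo access
    :id: 4b7bdeff-51ba-46ed-b8e1-0685515b87a0

    Grants every local user from ``localusers`` a NOPASSWD:ALL sudoers
    drop-in, sets ``default_domain_suffix`` and verifies that ``id`` does
    not qualify the user with ``@implicit_files`` and that ``sudo`` still
    works.  The sudoers drop-ins are removed in a ``finally`` block so a
    failing assertion does not leave passwordless root access behind on
    the client (the original only cleaned up on success).
    """
    client = multihost.client[0]
    users = localusers

    def sudoers_path(user):
        return '/etc/sudoers.d/%s' % user

    for user in users:
        allow_sudo = '%s ALL=(ALL) NOPASSWD:ALL' % user
        client.put_file_contents(sudoers_path(user), allow_sudo)
    try:
        tools = sssdTools(client)
        sssd_params = {'default_domain_suffix': 'foo'}
        tools.sssd_conf('sssd', sssd_params)
        client.service_sssd('restart')
        for user in users:
            try:
                ssh = SSHClient(client.external_hostname,
                                username=user, password='******')
            except paramiko.ssh_exception.AuthenticationException:
                pytest.fail("%s failed to login" % user)
            try:
                (stdout, _, _) = ssh.execute_cmd('id')
                for line in stdout.readlines():
                    if '%s@implicit_files' % (user) in line:
                        pytest.fail("id command contains implicit_files")
                (_, _, exit_status) = ssh.execute_cmd('sudo su - -c id')
                # Dump the journal before failing; the original asserted on
                # exit_status first, making this diagnostic unreachable.
                if exit_status != 0:
                    journalctl_cmd = 'journalctl -x -n 100 --no-pager'
                    client.run_command(journalctl_cmd)
                    pytest.fail("%s cmd failed for user %s"
                                % ('sudo su - -c id', user))
            finally:
                ssh.close()
    finally:
        for user in users:
            client.run_command('rm -f %s' % sudoers_path(user))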
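def test_authentication_indicators(self, multihost):
    """
    :title: Add support to verify authentication indicators in pam_sss_gss
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622
    :id: 4891ed62-7fc8-11eb-98be-002b677efe14
    :steps:
      1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
      2. Add pam_sss_gss.so to /etc/pam.d/sudo
      3. Restart SSSD
      4. Enable SSSD debug logs
      5. Switch to 'admin' user
      6. obtain Kerberos ticket and check that it was obtained using SPAKE
         pre-authentication.
      7. Create sudo configuration that allows an admin to run SUDO rules
      8. Try 'sudo -l' as admin
      9. As root, check content of sssd_pam.log
      10. Check if acquired service ticket has req. indicators: 0
      11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
      12. Check if acquired service ticket has req. indicators: 2
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
      7. Should succeed
      8. Should succeed
      9. Should succeed
      10. Should succeed
      11. Should succeed
      12. Should succeed

    The PAM stacks for sudo and sudo-i are backed up first and restored in
    a ``finally`` block, so a failing assertion no longer leaves the extra
    ``pam_sss_gss.so`` line in place (the original restored them only on
    the success path).  Each SSH session is closed in a ``finally`` block
    and the ``kinit admin`` result is checked instead of being ignored.
    """
    client_host = multihost.client[0]
    client = sssdTools(client_host)
    sssd_reset = ('systemctl stop sssd ; '
                  'rm -rf /var/log/sssd/* ; '
                  'rm -rf /var/lib/sss/db/* ; '
                  'systemctl start sssd')
    pam_grep = 'fgrep gssapi_ /var/log/sssd/sssd_pam.log |tail -10'
    pam_files = ('/etc/pam.d/sudo', '/etc/pam.d/sudo-i')

    def kinit_admin():
        # Open the admin session and obtain a TGT; without it the sudo
        # calls below cannot exercise pam_sss_gss at all.
        session = SSHClient(client_host.ip,
                            username='******', password='******')
        (_, _, exit_status) = session.execute_cmd('kinit admin',
                                                  stdin='Secret123')
        if exit_status != 0:
            session.close()
            pytest.fail("kinit admin failed, cannot test pam_sss_gss")
        return session

    for pam_file in pam_files:
        client_host.run_command('cp -vf %s %s_indicators'
                                % (pam_file, pam_file))
    try:
        domain_params = {
            'pam_gssapi_services': 'sudo, sudo-i',
            'pam_gssapi_indicators_map': 'hardened, '
                                         'sudo:pkinit, '
                                         'sudo-i:otp'}
        client.sssd_conf('pam', domain_params)
        for pam_file in pam_files:
            client_host.run_command("sed -i "
                                    "'2s/^/auth sufficient "
                                    "pam_sss_gss.so debug\\n/' "
                                    + pam_file)
        client_host.run_command(sssd_reset)
        client_host.run_command("sssctl debug-level 9")
        ssh = kinit_admin()
        try:
            # Diagnostic only; the output is not inspected.
            ssh.exec_command('klist')
            ssh.execute_cmd('ipa sudocmd-add ALL2')
            ssh.execute_cmd('ipa sudorule-add testrule2')
            ssh.execute_cmd("ipa sudorule-add-allow-command testrule2 "
                            "--sudocmds 'ALL2'")
            ssh.execute_cmd('ipa sudorule-mod testrule2 --hostcat=all')
            ssh.execute_cmd('ipa sudorule-add-user testrule2 --users admin')
            ssh.execute_cmd('sudo -l')
        finally:
            ssh.close()
        search = client_host.run_command(pam_grep)
        assert 'indicators: 0' in search.stdout_text

        # Second configuration: only sudo-i requires the hardened indicator.
        domain_params = {
            'pam_gssapi_services': 'sudo, sudo-i',
            'pam_gssapi_indicators_map': 'sudo-i:hardened'}
        client.sssd_conf('pam', domain_params)
        client_host.run_command(sssd_reset)
        ssh = kinit_admin()
        try:
            client_host.run_command("sssctl debug-level 9")
            ssh.execute_cmd('sudo -l')
            ssh.exec_command('klist')
            # NOTE(review): the IPA rule cleanup still depends on reaching
            # this point; a failure in the first phase leaves ALL2/testrule2
            # defined on the IPA server.
            ssh.execute_cmd('ipa sudocmd-del ALL2')
            ssh.execute_cmd('ipa sudorule-del testrule2')
        finally:
            ssh.close()
        search = client_host.run_command(pam_grep)
        assert 'indicators: 2' in search.stdout_text
    finally:
        for pam_file in pam_files:
            client_host.run_command('cp -vf %s_indicators %s'
                                    % (pam_file, pam_file))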
def test_kcm_debug_level_set(self, multihost, enable_kcm):
    """
    Test that just adding a [kcm] section and restarting the kcm service
    enables debugging without having to restart the whole sssd

    Samples the KCM log length after a clean start with ``debug_level = 0``,
    again after a user session ran ``kdestroy`` (must be unchanged), and a
    third time after ``debug_level = 9`` with only sssd-kcm restarted (must
    have grown by more than 100 lines).  ``enable_kcm`` is a fixture
    argument and is not used directly.
    """
    master = multihost.master[0]

    def touch_kcm():
        # Run kdestroy in a fresh user session; presumably this exercises
        # sssd-kcm so that debug output is produced when it is enabled.
        try:
            user_session = SSHClient(master.sys_hostname,
                                     username='******', password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail("Authentication Failed as user %s" % ('foo3'))
        user_session.execute_cmd('kdestroy')
        user_session.close()

    # Reset to a known state: fresh config, no log file, debugging off.
    master.service_sssd('stop')
    self._stop_kcm(multihost)
    self._remove_kcm_log_file(multihost)
    set_param(multihost, 'kcm', 'debug_level', '0')
    master.service_sssd('start')
    self._start_kcm(multihost)
    lines_before = self._kcm_log_length(multihost)

    touch_kcm()
    lines_quiet = self._kcm_log_length(multihost)
    assert lines_quiet == lines_before

    set_param(multihost, 'kcm', 'debug_level', '9')
    self._restart_kcm(multihost)
    touch_kcm()
    lines_verbose = self._kcm_log_length(multihost)
    assert lines_verbose > lines_before + 100
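def test_pam_sss_gss_handle_large_krb_ticket(self, multihost,
                                             create_aduser_group):
    """
    :title: Verify pam_sss_gss.so can handle large kerberos ticket for sudo
    :id: 456ea53b-6702-4b8e-beb1-eee841b85fed
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
    :steps:
      1. Add sudo rule in IPA-server for AD-users
      2. Modify /etc/krb5.conf.d/kcm_default_ccache to specify location
         of storing a TGT
      3. Enable pam_sss_gss.so for auth in /etc/pam.d/{sudo,sudo-i} files
      4. Add a sudo rule for AD-user
      5. Log in on ipa-client as AD-user
      6. Run kinit and fetch tgt
      7. Run sudo command
      8. Remove sudo cache
      9. Run sudo command again
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
      7. Should not ask password, and should succeed
      8. Should succeed
      9. Should not ask password, and should succeed

    The PAM, sudoers and krb5 ccache changes are undone in a ``finally``
    block so a failing assertion does not leave the AD user in /etc/sudoers
    or the extra ``pam_sss_gss.so`` line in the PAM stacks (the original
    only cleaned up on the success path), and the SSH session is closed on
    every path.
    """
    client_host = multihost.client[0]
    (aduser, _adgroup) = create_aduser_group
    ad_dmn_name = multihost.ad[0].domainname
    fq_aduser = f'{aduser}@{ad_dmn_name}'
    client = sssdTools(client_host, multihost.ad[0])
    ipaserver = sssdTools(multihost.master[0])
    client_host.run_command('dnf install -y sssd sssd-kcm', raiseonerr=False)
    domain_name = ipaserver.get_domain_section_name()
    domain_section = 'domain/{}'.format(domain_name)
    params = {'pam_gssapi_services': 'sudo, sudo-i'}
    client.sssd_conf(domain_section, params)
    krbkcm = '/etc/krb5.conf.d/kcm_default_ccache'
    bk_krbkcm = '/tmp/kcm_default_ccache'
    pam_sss_gss = "auth sufficient pam_sss_gss.so debug"
    pam_files = ("/etc/pam.d/sudo-i", "/etc/pam.d/sudo")
    client_host.run_command(f'cp {krbkcm} {bk_krbkcm}')
    try:
        # NOTE(review): this command only echoes to stdout — there is no
        # redirection into {krbkcm} — so the ccache location is never
        # actually changed, although the backup/restore around it suggests
        # that was the intent (step 2 above). Left as-is; confirm before
        # relying on the FILE: ccache in this test.
        cmd = ("echo -e '[libdefaults]\n' "
               "' default_ccache_name = FILE:/tmp/krb5cc_%{uid}:'")
        client_host.run_command(cmd, raiseonerr=False)
        client_host.service_sssd('restart')
        for pam_file in pam_files:
            client_host.run_command(f'sed -i "1 i {pam_sss_gss}" {pam_file}',
                                    raiseonerr=False)
        client_host.run_command(
            f'echo "{fq_aduser} ALL=(ALL) ALL" >> /etc/sudoers',
            raiseonerr=False)
        log = re.compile('.*System.*error.*Broken.*pipe.*')
        try:
            ssh = SSHClient(client_host.ip, username=f'{fq_aduser}',
                            password='******')
        except paramiko.ssh_exception.AuthenticationException:
            pytest.fail(f'{aduser} failed to login')
        try:
            (_, _, exit_status) = ssh.execute_cmd(f'kinit {fq_aduser}',
                                                  stdin='Secret123')
            assert exit_status == 0
            (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
            assert exit_status == 0
            # A large ticket used to make pam_sss_gss fail with a broken
            # pipe; no such line may appear in the sudo output.
            broken = [line for line in stdout.readlines() if log.search(line)]
            assert not broken, broken
            (_, _, exit_status) = ssh.execute_cmd('sudo id')
            assert exit_status == 0
            (_, _, exit_status) = ssh.execute_cmd('sudo -k')
            assert exit_status == 0
        finally:
            ssh.close()
    finally:
        # Cleanup mirrors the setup above and assumes each edit succeeded
        # (the "1d"/"$ d" deletions are positional, as in the original).
        client.sssd_conf(domain_section, params, action='delete')
        for pam_file in pam_files:
            client_host.run_command(f'sed -i "1d" {pam_file}',
                                    raiseonerr=False)
        client_host.run_command('sed -i "$ d" /etc/sudoers', raiseonerr=False)
        client_host.run_command(f'mv {bk_krbkcm} {krbkcm}', raiseonerr=False)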
def test_inactivated_filtered_roles(self, multihost):
    """
    :title: Inactivated filtered roles
    :id: 4286dac6-3045-11ec-8fd0-845cf3eff344
    :steps:
      1. Make filter role inactive
      2. User added to the above inactive filtered role
      3. User removed from the above inactive filtered role
      4. Activate filtered role
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed

    Membership in the ``filtered`` role is toggled through the ``o``
    attribute of foo3's entry via the Directory Manager account; logins
    against the client are expected to be refused while the role is locked
    and to succeed again once the user leaves the role or the role is
    unlocked.
    """
    clean_sys(multihost)
    client_e = multihost.client[0].ip
    master_e = multihost.master[0].ip
    ldap_uri = f'ldap://{master_e}'
    ds_rootdn = 'cn=Directory Manager'
    # Lab directory-server credentials used by the whole suite.
    ds_rootpw = 'Secret123'
    user_dn = 'uid=foo3,ou=People,dc=example,dc=test'
    role_dn = "filtered"

    def change_role_membership(ldap_op):
        # Apply a single modification of the 'o' attribute on foo3's entry
        # with a fresh LDAP connection, as the original did for each change.
        ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
        change = [(ldap_op, 'o', role_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(user_dn, change)
        assert ret == 'Success'

    def expect_login_refused():
        with pytest.raises(paramiko.ssh_exception.AuthenticationException):
            SSHClient(client_e, username="******", password="******")
        time.sleep(3)

    def expect_login_ok():
        session = SSHClient(client_e, username="******", password="******")
        session.close()
        time.sleep(3)

    # Make filter role inactive
    change_role_membership(ldap.MOD_ADD)
    manage_user_roles(multihost, "cn=filtered", "lock", "role")
    expect_login_refused()
    lock_check(multihost, "foo3")

    # User added to the above inactive filtered role
    clean_sys(multihost)
    expect_login_refused()
    lock_check(multihost, "foo4")

    # User removed from the above inactive filtered role
    clean_sys(multihost)
    change_role_membership(ldap.MOD_DELETE)
    expect_login_ok()
    unlock_check(multihost, "foo3")

    # Activate filtered role
    clean_sys(multihost)
    manage_user_roles(multihost, "cn=filtered", "unlock", "role")
    expect_login_ok()
    unlock_check(multihost, "foo4")
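def test_kcm_peruid_quota(self, multihost, enable_kcm,
                          create_many_user_principals):
    """
    :title: kcm: Make sure the quota limits a client, but only that client
    :id: 3ac8f62e-05e4-4ca7-b588-145fd6258c2a

    Fills the per-uid KCM quota from one user's session, checks that the
    next kinit is rejected for that uid only, and that ``kdestroy -A``
    frees the quota again.  Both sessions run ``kdestroy -A`` and are
    closed in ``finally`` blocks, so an assertion failure does not leave
    a full quota (and open sessions) behind for the following tests.
    ``enable_kcm`` and ``create_many_user_principals`` are fixture
    arguments and are not used directly.
    """
    # It is easier to keep these tests stable and independent from others
    # if they start from a clean slate
    self._remove_secret_db(multihost)
    master = multihost.master[0]
    ssh_foo2 = SSHClient(master.sys_hostname,
                         username='******', password='******')
    try:
        ssh_foo3 = SSHClient(master.sys_hostname,
                             username='******', password='******')
        try:
            # The loop would request 63 users, plus there is foo3 we
            # authenticated earlier, so this should exactly deplete the
            # quota, but should succeed
            for i in range(1, 64):
                username = "******" % i
                (_, _, exit_status) = ssh_foo3.execute_cmd(
                    'kinit %s' % username, stdin='Secret123')
                assert exit_status == 0

            # this kinit should be exactly one over the peruid limit
            (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                       stdin='Secret123')
            assert exit_status != 0

            # Since this is a per-uid limit, another user should be able to
            # kinit just fine
            (_, _, exit_status) = ssh_foo2.execute_cmd('kinit user0064',
                                                       stdin='Secret123')
            assert exit_status == 0

            # kdestroy as the original user, the quota should allow a
            # subsequent kinit
            ssh_foo3.execute_cmd('kdestroy -A')
            (_, _, exit_status) = ssh_foo3.execute_cmd('kinit user0064',
                                                       stdin='Secret123')
            assert exit_status == 0
        finally:
            ssh_foo3.execute_cmd('kdestroy -A')
            ssh_foo3.close()
    finally:
        ssh_foo2.execute_cmd('kdestroy -A')
        ssh_foo2.close()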
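def test_pass_krb5cname_to_pam(self, multihost, backupsssdconf,
                               backup_config_pam_gssapi_services):
    """
    :title: pass KRB5CCNAME to pam_authenticate environment if available
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1917379
    :id: e3a6accc-781d-11ec-a83c-845cf3eff344
    :steps:
      1. Take backup of files
      2. Configure domain_params
      3. Configure /etc/pam.d/sudo
      4. Configure /etc/pam.d/sudo-i
      5. Create IPA sudo rule of /usr/sbin/sssctl for user admin
      6. Check user admin can use sudo command
      7. Restore of files
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
      7. Should succeed

    Backup and restore of the configuration files are done by the
    ``backupsssdconf`` and ``backup_config_pam_gssapi_services`` fixtures.
    Both SSH sessions are closed in ``finally`` blocks and the temporary
    output file on the client is removed again (the original leaked both).
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    tools.service_ctrl('restart', 'sssd')
    domain_name = tools.get_domain_section_name()
    user = "******"
    test_password = "******"
    sys_hostname = client_host.sys_hostname
    ssh1 = SSHClient(client_host.ip, username=user, password=test_password)
    try:
        (_, _, exit_status) = ssh1.execute_cmd('kinit', stdin=test_password)
        assert exit_status == 0
        # NOTE(review): the IPA sudo rule created here is not deleted by
        # the test; it persists on the server after the run.
        ssh1.execute_cmd("ipa sudocmd-add /usr/sbin/sssctl")
        ssh1.execute_cmd("ipa sudorule-add idm_user_sssctl")
        ssh1.execute_cmd("ipa sudorule-add-allow-command "
                         "idm_user_sssctl --sudocmds "
                         "'/usr/sbin/sssctl'")
        ssh1.execute_cmd(f"ipa sudorule-add-host "
                         f"idm_user_sssctl "
                         f"--hosts {sys_hostname}")
        ssh1.execute_cmd("ipa sudorule-add-user "
                         "idm_user_sssctl "
                         "--users admin")
    finally:
        ssh1.close()
    tools.clear_sssd_cache()
    ssh2 = SSHClient(client_host.ip, username=user, password=test_password)
    file_name = 'domain_list_' + str(time.time())
    try:
        (_, _, exit_status) = ssh2.execute_cmd('kinit', stdin=test_password)
        # Without a fresh TGT there is no KRB5CCNAME to hand to PAM and the
        # final assertion would fail for an unrelated reason.
        assert exit_status == 0
        ssh2.execute_cmd('sudo -S -l', stdin=test_password)
        ssh2.execute_cmd(
            f"sudo -S /usr/sbin/sssctl domain-list > "
            f"/tmp/{file_name}", stdin=test_password)
        result = client_host.run_command(
            f"cat /tmp/{file_name}").stdout_text
        assert domain_name in result
    finally:
        ssh2.close()
        client_host.run_command(f"rm -f /tmp/{file_name}", raiseonerr=False)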