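def test_0003_sssd_crashes_after_update(self, multihost, backupsssdconf):
    """
    :title: misc: sssd crashes after last update to sssd-common-1.16.4-37.el7_8.1
    :id: 55cbdb9c-c62e-4604-8c77-9d70dd333a50
    :customerscenario: True
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854317
    :description: With credential caching enabled, alternate a rejected
     (wrong password) ssh login with an accepted one, four rounds in total,
     then confirm ``id`` still resolves the user - i.e. sssd survived the
     repeated cached-credential lookups and still serves the entry.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    domain_params = {'cache_credentials': 'true',
                     'entry_cache_timeout': '5400',
                     'refresh_expired_interval': '4000'}
    tools.sssd_conf(f'domain/{domain_name}', domain_params)
    client_host.service_sssd('restart')
    user = '******' % domain_name

    def _reject_then_accept():
        # The wrong password must be refused ...
        bad = pexpect_ssh(client_host.sys_hostname, user, 'Secret1234',
                          debug=False)
        with pytest.raises(SSHLoginException):
            bad.login(login_timeout=10, sync_multiplier=1,
                      auto_prompt_reset=False)
        time.sleep(2)
        # ... and the correct one accepted right after the failure.
        good = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                           debug=False)
        try:
            good.login(login_timeout=30, sync_multiplier=5,
                       auto_prompt_reset=False)
        except SSHLoginException:
            pytest.fail("%s failed to login" % user)
        else:
            good.logout()
        time.sleep(2)

    # The original ran one round inline followed by three in a loop.
    for _ in range(4):
        _reject_then_accept()

    # raiseonerr=False so that a vanished user fails the assertion below with
    # a readable message instead of raising out of run_command; ``id`` prints
    # "no such user" on stderr, so the exit status is the reliable signal.
    cmd = client_host.run_command('id %s' % user, raiseonerr=False)
    assert cmd.returncode == 0, f"{user} could not be resolved after repeated logins"
    assert "no such user" not in cmd.stdout_text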
def test_analyze_parse_child_logs(self, multihost, backupsssdconf):
    """
    :title: sssctl analyze to parse child logs from logs
    :id: 0f009b2e-420f-40f4-ab37-e224a6607812
    :description: sssctl analyze should able to parse child logs from logs
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2013260
    :steps:
      1. Configure sssd to authenticate against directory server
      2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
      3. Restart SSSD with cleared cache
      4. Log in as a user using ssh
      5. Confirm child krb logs parsed
      6. Fail log in with wrong credentials
      7. Confirm parsed child logs show error message
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
      7. Should succeed
    """
    tools = sssdTools(multihost.client[0])
    debug_params = {'debug_level': '9'}
    for section in ('nss', 'pam'):
        tools.sssd_conf(section, debug_params, action='update')
    tools.clear_sssd_cache()

    user = f'foo1@{ds_instance_name}'
    host = multihost.client[0].sys_hostname
    login_opts = dict(login_timeout=30, sync_multiplier=5,
                      auto_prompt_reset=False)
    child_query = 'show --pam --child 1'

    # Successful login: the krb5_child trace callback must show up in the
    # parsed child log together with the user name.
    good_session = pexpect_ssh(host, user, 'Secret123', debug=False)
    try:
        good_session.login(**login_opts)
    except SSHLoginException:
        _, stdout = analyze(multihost, child_query)
        assert 'Preauthentication failed' in stdout
        pytest.fail(f"{user} failed to login")
    else:
        good_session.logout()
    _, stdout = analyze(multihost, child_query)
    assert all(needle in stdout
               for needle in ('sss_child_krb5_trace_cb', user))

    # Failed login: the child log must carry the KDC error code.
    tools.clear_sssd_cache()
    bad_session = pexpect_ssh(host, user, 'NOSecret123', debug=False)
    try:
        bad_session.login(**login_opts)
    except SSHLoginException:
        _, stdout = analyze(multihost, child_query)
        assert re.findall(r"RID#[0-9]*] Received error code", stdout)
    else:
        pytest.fail(f"{user} sucessful to login")
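def test_0001_krb5_not_working_based_on_k5login(self, multihost, localusers, backupsssdconf):
    """
    :title: krb5: access_provider = krb5 is not working in RHEL8 while
     restricting logins based on .k5login file
    :id: dfc177ff-58a7-4697-8d23-e444928c7092
    :casecomponent: authselect
    :customerscenario: True
    :requirement: IDM-SSSD-REQ :: Authselect replaced authconfig
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1734094
    :description: With access_provider = krb5 an empty ~/.k5login must deny
     the login; removing the file must allow it again. The authselect
     profile is restored even when an assertion fails.
    """
    client_host = multihost.client[0]
    user = '******'
    k5login = f'/home/{user}/.k5login'
    client_host.run_command('authselect select sssd with-files-access-provider')
    try:
        client_host.service_sssd('stop')
        client_tool = sssdTools(client_host)
        domain_params = {'id_provider': 'files', 'access_provider': 'krb5'}
        client_tool.sssd_conf('domain/example1', domain_params)
        # LDAP settings are dropped so the domain is served purely from files.
        dmain_delete = {
            "ldap_user_home_directory": "/home/%u",
            "ldap_uri": multihost.master[0].sys_hostname,
            "ldap_search_base": "dc=example,dc=test",
            "ldap_tls_cacert": "/etc/openldap/cacerts/cacert.pem",
            "use_fully_qualified_names": "True",
        }
        client_tool.sssd_conf('domain/example1', dmain_delete, action='delete')
        client_host.service_sssd('start')

        client_hostname = client_host.sys_hostname
        # An empty, user-owned .k5login lists no principals -> access denied.
        client_host.run_command(f'touch {k5login}')
        client_host.run_command(f'chown {user} {k5login}')
        client_host.run_command(f'chgrp {user} {k5login}')
        client_host.run_command(f'chmod 664 {k5login}')
        client_host.service_sssd('restart')
        client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
        # Kept broad as in the original; SSHLoginException is the expected type.
        with pytest.raises(Exception):
            client.login(login_timeout=10, sync_multiplier=1,
                         auto_prompt_reset=False)

        # Without the file the krb5 access check falls back to allowing the user.
        client_host.run_command(f'rm -vf {k5login}')
        client_host.service_sssd('restart')
        client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
        try:
            client.login(login_timeout=30, sync_multiplier=5,
                         auto_prompt_reset=False)
        except SSHLoginException:
            pytest.fail("%s failed to login" % user)
        else:
            client.logout()
    finally:
        # The original restored the profile only on the success path, leaving
        # the host with the files-access-provider profile after a failure.
        client_host.run_command(f'rm -f {k5login}', raiseonerr=False)
        client_host.run_command('authselect select sssd')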
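def test_child_logs_after_receiving_hup(self, multihost):
    """
    :title: sssd fails to release file descriptor on child logs after receiving hup
    :id: 3e28f453-fae8-4f52-82d0-757a5bdd0b06
    :customerscenario: True
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1544457
    :description: Rotate krb5_child.log, send SIGHUP to sssd and log in
     again; afterwards both the rotated and the freshly opened child log
     must exist, proving sssd reopened the log instead of keeping the old
     descriptor.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    user = '******' % domain_name

    def _login_logout():
        # A Kerberos ssh login makes sssd spawn krb5_child and write its log.
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            pytest.fail("%s failed to login" % user)
        else:
            session.logout()
        time.sleep(2)

    _login_logout()
    client_host.run_command("mv /var/log/sssd/krb5_child.log "
                            "/var/log/sssd/krb5_child.log.old")
    # First pid printed by pgrep is taken as the sssd monitor.
    # NOTE(review): 'pgrep sssd' also matches sssd_be/sssd_nss/...; if the
    # monitor is not first, a responder gets the HUP - confirm before relying on it.
    pids = client_host.run_command("pgrep sssd")
    sssd_pid = pids.stdout_text.split('\n')[0]
    hup_cmd = f"/bin/kill -HUP {sssd_pid}"
    client_host.run_command(hup_cmd)
    _login_logout()
    # The original sent a second HUP after the second login; kept as-is.
    client_host.run_command(hup_cmd)
    for log_name in ('krb5_child.log', 'krb5_child.log.old'):
        path = f'/var/log/sssd/{log_name}'
        # raiseonerr=False so a missing file fails the assertion with a
        # message rather than raising out of run_command.
        listing = client_host.run_command(f"ls -l {path}", raiseonerr=False)
        assert listing.returncode == 0 and path in listing.stdout_text, \
            f"{path} not present after HUP"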
def test_client_timeout(self, multihost, backupsssdconf):
    """
    :title: kcm: Increase client idle timeout to 5 minutes
    :id: 6933cb85-1616-4b7f-a049-e81ab4c05347
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1884205
    :description: Run kinit with its stdin closed and in the background so
     that it stays an idle KCM client, then check that the wall-clock time
     spent is at least 300 seconds and that sssd_kcm.log records the client
     being terminated.
    """
    client = sssdTools(multihost.client[0])
    domain_params = {'debug_level': '9'}
    client.sssd_conf('kcm', domain_params)
    multihost.client[0].service_sssd('restart')
    user = '******'
    # 'client' is rebound from the sssdTools helper to the ssh session here.
    client = pexpect_ssh(multihost.client[0].sys_hostname, user, 'Secret123', debug=False)
    client.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False)
    sssdTools(multihost.client[0]).clear_sssd_cache()
    multihost.client[0].run_command("systemctl restart sssd-kcm")
    # Truncate the log so only messages from this run are grepped below.
    multihost.client[0].run_command("> /var/log/sssd/sssd_kcm.log")
    start_time = time.time()
    # NOTE(review): the assertion below expects this call to block until the
    # KCM idle timeout (5 min) has elapsed; '<&-' closes kinit's stdin and '&'
    # backgrounds it - confirm run_command really waits that long.
    multihost.client[0].run_command("kinit foo1 <&- & ")
    end_time = time.time()
    client.logout()
    assert end_time - start_time >= 300
    # Adjacent literals form: grep 'Terminated client' /var/log/sssd/sssd_kcm.log
    grep_cmd = multihost.client[0].run_command("grep" " 'Terminated" " client'" " /var/log/sssd/" "sssd_kcm.log")
    assert 'Terminated client' in grep_cmd.stdout_text
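def test_sssd_not_check_gss_spengo(self, multihost, backupsssdconf):
    """
    :Title: krb5/fips: sssd does not properly check GSS-SPNEGO
    @bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1868054
    :description: Switch ldap_sasl_mech from GSSAPI to GSS-SPNEGO, log in
     and confirm no sssd log reports that SPNEGO could not find a mechanism
     to negotiate.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    section = 'domain/%s' % domain_name
    tools.sssd_conf(section, {'ldap_sasl_mech': 'GSSAPI'}, action='delete')
    # The original deleted from the detected section but wrote the new value
    # to the hard-coded 'domain/example1'; both now use the detected section.
    tools.sssd_conf(section, {'ldap_sasl_mech': 'GSS-SPNEGO'})
    tools.clear_sssd_cache()

    user = '******' % domain_name
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login()
    except SSHLoginException:
        pytest.fail("%s failed to login" % user)
    else:
        session.logout()

    # grep exits 1 when nothing matches, which is acceptable here; without
    # raiseonerr=False the original raised instead of reaching the check.
    cmd = client_host.run_command("grep GSS /var/log/sssd/*.log",
                                  raiseonerr=False)
    err_msg = "SPNEGO cannot find mechanisms to negotiate"
    assert err_msg not in cmd.stdout_text, \
        "sssd logged a SPNEGO negotiation failure"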
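def test_ldap_gssapi(self, multihost):
    """
    @Title: krb5/fips: verify sssd is able to create gssapi connection
     with fips approved etype.
    :description: Capture traffic to the LDAP host during an ssh login and
     a GSSAPI ldapsearch, then dump the TGS-REP messages (kerberos msg_type
     13) with tshark. The capture is stopped and removed whatever happens.
    """
    client_host = multihost.client[0]
    # Configuration dump for the test log only.
    client_host.run_command('cat /etc/sssd/sssd.conf')
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    user = '******' % domain_name
    ldap_host = multihost.master[0].sys_hostname
    pcapfile = '/tmp/ldapgssapi.pcap'
    pkill = 'pkill tcpdump'
    client_host.run_command('tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile),
                            bg=True)
    try:
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            pytest.fail("%s failed to login" % user)
        ldapsearch = 'ldapsearch -Y GSSAPI -H ldap://%s' % ldap_host
        (_, ret) = session.command(ldapsearch)
        session.logout()
        # The original discarded the ldapsearch status, so the test asserted
        # nothing; the GSSAPI bind is the thing under test.
        assert ret == '0', 'ldapsearch -Y GSSAPI failed'
    finally:
        # Original only stopped tcpdump on the success path and never removed
        # the pcap after a login failure.
        client_host.run_command(pkill, raiseonerr=False)
        tshark_cmd = ("tshark -r %s -V -2 -R"
                      " 'kerberos.msg_type == 13'" % pcapfile)
        # Diagnostic dump; its output is not asserted on.
        client_host.run_command(tshark_cmd, raiseonerr=False)
        client_host.run_command('rm -f %s' % pcapfile, raiseonerr=False)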
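def test_0001_1724717(self, multihost):
    """
    :title: proxy: sssd-proxy crashes resolving groups with no members
    :id: 28b64673-8f1b-46c1-b0dd-6eaba9f80b2c
    :description: Configure the domain with id_provider = proxy backed by
     files, add a local user, and check that ssh login plus ``id`` work.
     The local user and the original sssd.conf are restored on every path.
    """
    client_host = multihost.client[0]
    backup = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.backup'
    restore = 'cp -f /etc/sssd/sssd.conf.backup /etc/sssd/sssd.conf'
    client_host.run_command(backup)
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    client_host.service_sssd('stop')
    tools.remove_sss_cache('/var/lib/sss/db')
    user = '******' % domain_name
    # user add
    add_user = '******'
    # delete user
    del_user = '******'
    client_host.run_command(add_user)
    try:
        section = 'domain/%s' % domain_name
        domain_params = {
            'id_provider': 'proxy',
            'proxy_lib_name': 'files',
            'ignore_group_members': 'False',
            'cache_credentials': 'True',
            'krb5_validate': 'True',
        }
        tools.sssd_conf(section, domain_params)
        # action='delete' removes these keys. The original formatted the
        # bound method multihost.master[0].run_command into ldap_uri; the
        # master hostname is what the other tests on this page use.
        del_domain_params = {
            'ldap_uri': 'ldaps:%s' % multihost.master[0].sys_hostname,
            'ldap_tls_cacert': '/etc/openldap/cacerts/cacert.pem',
            'ldap_search_base': ds_suffix,
            'use_fully_qualified_names': 'True',
        }
        tools.sssd_conf(section, del_domain_params, action='delete')
        client_host.run_command('cat /etc/sssd/sssd.conf')
        client_host.service_sssd('start')

        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            pytest.fail("%s failed to login" % user)
        (_, ret) = session.command('id %s' % user)
        session.logout()
        assert ret == '0'
    finally:
        # On fedora after user logs out it takes time for the systemd
        # process running as user to get stopped, hence the sleep before
        # the user is deleted. Cleanup now also runs after a failure.
        time.sleep(20)
        client_host.run_command(del_user, raiseonerr=False)
        client_host.run_command(restore, raiseonerr=False)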
def test_0001_bz1362023(self, multihost, backupsssdconf):
    """
    :title: IDM-SSSD-TC: rfc2307: user with spaces at beginning
    :id: 6923436c-d4e4-4a0d-a8f3-1e94ecb1dee3
    :description: user with a white space at the beginning in it's name
     should be able to log in
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2015090
     https://bugzilla.redhat.com/show_bug.cgi?id=1065534
    :steps:
      1. Create user with a white space at beginning in their name
      2. Restart SSSD with cleared cache
      3. Fetch user information using 'id'
      4. Confirm user is able to log in via ssh
      5. A normal user information is fetched
      6. Confirm a user information is not fetched if a space is added
         as it's first character
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
    """
    usr = '******'
    usr_grp(multihost, {
        'cn': usr,
        'uid': usr,
        'uidNumber': '34583100',
        'gidNumber': '34564100',
    }, 'user')
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()

    # The leading space is escaped so the shell passes it through to ssh.
    spaced_user = f'\\ tuser@{domain_name}'
    session = pexpect_ssh(client_host.sys_hostname, spaced_user, 'Secret123',
                          debug=False)
    try:
        session.login()
    except SSHLoginException:
        pytest.fail(f'{spaced_user} failed to login')
    else:
        (_, ret) = session.command(f'id {spaced_user}')
        assert ret == '0'
        session.logout()

    def _id_status(name):
        # Exit status of ``id`` for a name; non-zero means not resolvable.
        return client_host.run_command(f'id {name}', raiseonerr=False).returncode

    assert _id_status(f'tuser@{domain_name}') != 0
    assert _id_status(f'foo1@{domain_name}') == 0
    assert _id_status(f'\\ foo1@{domain_name}') != 0
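def test_0002_bz1928648(self, multihost, backupsssdconf):
    """
    :title: clarify which config option applies to each timeout in the logs
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928648
    :customerscenario: true
    :id: b6c3a1e4-f0ee-11eb-9718-845cf3eff344
    :steps:
      1. Login into server running sssd service.
      2. Configure SSSD with only 1 id_provider.
      3. Block "id_provider" using "iptables" command.
      4. Step 6 should fail and similar messages should be observed in
         log file (/var/log/sssd/sssd_<domainname>.log).
      5. The log snip should contain following timeout parameters.
         - ldap_opt_timeout
         - ldap_search_timeout
         - ldap_network_timeout
         - dns_resolver_timeout
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
    """
    client_host = multihost.client[0]
    log_file = '/var/log/sssd/sssd_example1.log'
    client_host.run_command(f"> {log_file}")
    client_host.service_sssd('restart')
    # Give the backend time to connect and log its timeout settings.
    time.sleep(30)
    cat_read = client_host.run_command(f"cat {log_file}")
    for needle in ('Setting 6 seconds timeout', "ldap_network_timeout"):
        assert needle in cat_read.stdout_text
    find_id = client_host.run_command("id foo1@example1")
    assert find_id.returncode == 0

    hostname = multihost.master[0].external_hostname
    block_ip = client_host.run_command(f'iptables -I OUTPUT -d {hostname} -j DROP')
    assert block_ip.returncode == 0
    try:
        user = '******'
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        # With the server unreachable the login must time out.
        with pytest.raises(Exception):
            session.login(login_timeout=5, sync_multiplier=1,
                          auto_prompt_reset=False)
    finally:
        # The original removed the DROP rule only if the login failed as
        # expected; an unexpected success left the host cut off from the
        # server for every later test.
        client_host.run_command(f"iptables -D OUTPUT -d {hostname} -j DROP",
                                raiseonerr=False)

    cat_read = client_host.run_command(f"cat {log_file}")
    for needle in ('ldap_opt_timeout', 'ldap_search_timeout',
                   'ldap_network_timeout', 'dns_resolver_timeout'):
        assert needle in cat_read.stdout_text, f"{needle} not mentioned in log"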
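def test_login_fips_weak_crypto(self, multihost):
    """
    :title: krb5/fips: verify login fails when weak crypto is presented
    :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
    :description: Create a principal whose only key is arcfour-hmac (not
     FIPS approved) and confirm the ssh login is rejected and the journal
     reports the unsupported encryption type. The LDAP user, the principal
     and the packet capture are removed on every path.
    """
    client_host = multihost.client[0]
    master = multihost.master[0]
    ldap_uri = 'ldap://%s' % master.sys_hostname
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()
    user = '******' % domain_name
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(master, 'EXAMPLE.TEST')
    user_info = {
        'cn': 'cracker',
        'uid': 'cracker',
        'uidNumber': '19583100',
        'gidNumber': '14564100',
    }
    if not ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        pytest.fail("Failed to add user cracker")
    # arcfour-hmac is the weak enctype under test.
    krb.add_principal('cracker', 'user', 'Secret123', etype='arcfour-hmac')
    user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
    group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
    pcapfile = '/tmp/krb1.pcap'
    pkill = 'pkill tcpdump'
    try:
        add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success'
        tools.clear_sssd_cache()
        client_host.run_command('tcpdump -s0 host %s -w %s'
                                % (master.sys_hostname, pcapfile), bg=True)
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            client_host.run_command(pkill, raiseonerr=False)
            # Diagnostic dump of KRB-ERROR messages (msg_type 30); not asserted.
            tshark_cmd = ("tshark -r %s -V -2 -R"
                          " 'kerberos.msg_type == 30'" % pcapfile)
            client_host.run_command(tshark_cmd, raiseonerr=False)
            journal = client_host.run_command('journalctl --no-pager -n 150')
            assert re.search(r'KDC has no support for encryption type',
                             journal.stdout_text)
        else:
            session.logout()
            # Original message lacked its '%' argument: "%s Login successfull".
            pytest.fail("%s login succeeded although only a weak enctype was"
                        " available" % user)
    finally:
        # The original stopped tcpdump only when the login failed and skipped
        # all cleanup when an assertion failed.
        client_host.run_command(pkill, raiseonerr=False)
        ldap_inst.del_dn(user_dn)
        krb.delete_principal('cracker')
        client_host.run_command('rm -f %s' % pcapfile, raiseonerr=False)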
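def test_hbac_refresh_time(self, multihost):
    """
    :title: hbac: Verify cached hbac rule is applied for the refresh time period
    :id: c839fd33-65da-4252-82cf-5ba88ad02f55
    :description: With ipa_hbac_refresh = 60, a rule allowing foobar1 is
     removed on the server; login must still work while the cached rule is
     valid and must be denied once the refresh period has passed.
    """
    ipa_server = ipaTools(multihost.master[0])
    ipa_client = ipaTools(multihost.client[0])
    sssd_client = sssdTools(multihost.client[0])
    domain_name = '%s/%s' % ('domain', sssd_client.get_domain_section_name())
    client_host = multihost.client[0].sys_hostname
    # Kept from the original; the returned session object is never used.
    pexpect_ssh(client_host, 'foobar1', 'Secret123', debug=False)
    ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
    hbac_params = {'ipa_hbac_refresh': '60'}
    try:
        multihost.client[0].service_sssd('stop')
        sssd_client.remove_sss_cache('/var/lib/sss/db')
        sssd_client.sssd_conf(domain_name, hbac_params)
        multihost.client[0].service_sssd('start')

        # 1. Rule present: login allowed and the rule is now cached.
        assert ipa_client.ssh_login('foobar1', 'Secret123', client_host,
                                    command='id'), \
            'login denied although hbac rule test1 allows it'
        time.sleep(20)
        update_rule = "ipa hbacrule-remove-user --users='foobar1' test1"
        multihost.master[0].run_command(update_rule)

        # 2. Still inside the refresh window: the cached rule must apply.
        assert ipa_client.ssh_login('foobar1', 'Secret123', client_host,
                                    command='id'), \
            'cached hbac rule not applied inside the refresh period'

        # 3. Past the refresh window: the rule was removed, login must fail.
        # The original only ever set status = 'PASS', so this step could not
        # fail the test; it now asserts the denial.
        time.sleep(45)
        assert not ipa_client.ssh_login('foobar1', 'Secret123', client_host), \
            'login still allowed after the hbac refresh period'
    finally:
        sssd_client.sssd_conf(domain_name, hbac_params, action='delete')
        multihost.client[0].service_sssd('restart')
        ipa_server.del_hbac_rule('test1')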
def test_analyze_diff_log_location(self, multihost, backupsssdconf):
    """
    :title: sssctl analyze able to parse sssd logs from non-default location
    :description: sssctl analyze should be able to parse the sssd logs from
     different location or logs from other host
    :id: d297b394-3502-4ade-a5a5-5fb4c4333645
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1294670
    :steps:
      1. Configure sssd to authenticate against directory server
      2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
      3. Restart SSSD with cleared cache
      4. Fetch user as well as information using 'id' and 'groups' tools
      5. Log in as user via ssh
      6. Copy sssd logs to a different location
      7. Confirm --logdir allows analyze to parse logs from that location
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
      6. Should succeed
      7. Should succeed
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    debug_params = {'debug_level': '9'}
    for section in ('nss', 'pam'):
        tools.sssd_conf(section, debug_params, action='update')
    tools.clear_sssd_cache()

    user = f'foo1@{ds_instance_name}'
    client_host.run_command(f'id {user}', raiseonerr=False)
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login(login_timeout=30, sync_multiplier=5,
                      auto_prompt_reset=False)
    except SSHLoginException:
        pytest.fail(f'{user} failed to login')
    else:
        session.logout()

    # Copy the logs elsewhere and point analyze at the copy.
    client_host.run_command('cp -r /var/log/sssd/ /tmp/', raiseonerr=False)
    log_dir = '--logdir /tmp/sssd/'
    _, stdout = analyze(multihost, 'show 1 --pam', log_dir)
    expected_pam = (
        'SSS_PAM_AUTHENTICATE',
        'SSS_PAM_AUTHENTICATE',
        'SSS_PAM_ACCT_MGMT',
        'SSS_PAM_SETCRED',
    )
    for needle in expected_pam:
        assert needle in stdout
    for list_op in ('list', 'list -v'):
        _, stdout = analyze(multihost, list_op, log_dir)
        assert 'id' in stdout and 'ssh' in stdout
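def test_auto_private_group(self, multihost):
    """
    :title: hbac: Verify hbac rule associated with User private Groups
    :id: 99904ccd-bf2f-4c09-9636-92e036e19a0e
    :description: With auto_private_groups enabled, an hbac rule granting
     sshd access to a group containing foobar1 must make
     ``sssctl user-checks -s sshd foobar1`` report pam_acct_mgmt success.
     Rule, group and config are cleaned up on every path.
    """
    ipa_server = ipaTools(multihost.master[0])
    sssd_client = sssdTools(multihost.client[0])
    domain_name = '%s/%s' % ('domain', sssd_client.get_domain_section_name())
    client_host = multihost.client[0].sys_hostname
    # Kept from the original; the returned session object is never used.
    pexpect_ssh(client_host, 'foobar1', 'Secret123', debug=False)
    enable_pvtgroups = {'auto_private_groups': 'True'}
    try:
        multihost.client[0].service_sssd('stop')
        sssd_client.remove_sss_cache('/var/lib/sss/db')
        sssd_client.sssd_conf(domain_name, enable_pvtgroups)
        multihost.client[0].service_sssd('start')
        multihost.master[0].run_command('ipa group-add std_group')
        # Add members
        multihost.master[0].run_command(
            'ipa group-add-member --users=foobar1 std_group', raiseonerr=False)
        # add rule
        ipa_server.add_hbac_rule('allow_ssh_access', 'std_group', client_host,
                                 'sshd', group=True)
        checks = multihost.client[0].run_command(
            'sssctl user-checks -s sshd foobar1')
        # user-checks reports the PAM result on stderr.
        assert 'pam_acct_mgmt: Success' in checks.stderr_text, \
            'hbac rule on std_group did not grant sshd access to foobar1'
    finally:
        # The original skipped all of this when user-checks raised.
        ipa_server.del_hbac_rule('allow_ssh_access')
        multihost.master[0].run_command('ipa group-del std_group',
                                        raiseonerr=False)
        sssd_client.sssd_conf(domain_name, enable_pvtgroups, action='delete')
        multihost.client[0].service_sssd('restart')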
def no_fallback_dir(multihost):
    """Remove fallback_homedir from the domain section and log in as foo1.

    The cache is cleared after the config change so the login exercises a
    fresh lookup. The ssh session is left open, as in the original.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    tools.sssd_conf(f"domain/{ds_instance_name}", {'fallback_homedir': ''},
                    action='delete')
    tools.clear_sssd_cache()
    # Authenticate user
    session = pexpect_ssh(client_host.sys_hostname,
                          f'foo1@{ds_instance_name}', 'Secret123',
                          debug=False)
    session.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False)
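def test_fips_as_rep(self, multihost):
    """
    :title: krb5/fips: verify sssd accepts only elisted fips approved types
    :id: f8452ecd-e13c-4485-83d3-83e25d7d544a
    :description: Capture the Kerberos exchange of an ssh login and inspect
     the AS-REP (kerberos msg_type 11): exactly one FIPS-approved enctype
     must be present and none of the non-approved ones. Capture and pcap
     file are cleaned up on every path.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    user = '******' % domain_name
    ldap_host = multihost.master[0].sys_hostname
    pcapfile = '/tmp/krb1.pcap'
    pkill = 'pkill tcpdump'
    tshark_cmd = ("tshark -r %s -V -2 -R"
                  " 'kerberos.msg_type == 11'" % pcapfile)
    client_host.run_command('tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile),
                            bg=True)
    try:
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            client_host.run_command(pkill, raiseonerr=False)
            print("SSH Login failed")
            # Diagnostic dump for the failure; not asserted.
            client_host.run_command(tshark_cmd, raiseonerr=False)
            pytest.fail("%s failed to login" % user)
        # Let the capture flush before tearing the session down.
        time.sleep(5)
        session.logout()
        client_host.run_command(pkill, raiseonerr=False)
        # check as_rep
        as_rep = client_host.run_command(tshark_cmd, raiseonerr=False).stdout_text
        valid_etypes = [
            'AES256-CTS-HMAC-SHA1-96',
            'AES128-CTS-HMAC-SHA1-96',
            'AES256-CTS-HMAC-SHA384-192',
            'AES128-CTS-HMAC-SHA256-128',
        ]
        invalid_etypes = [
            'DES3-CBC-SHA1',
            'ARCFOUR-HMAC-MD5',
            'CAMELLIA128-CTS-CMAC',
            'CAMELLIA256-CTS-CMAC',
        ]
        found = [etype for etype in valid_etypes if re.search(etype, as_rep)]
        assert len(found) == 1, \
            f"expected exactly one FIPS-approved etype in AS-REP, found {found}"
        # The original built invalid_etypes but never checked it.
        weak = [etype for etype in invalid_etypes if re.search(etype, as_rep)]
        assert not weak, f"non-FIPS etypes present in AS-REP: {weak}"
    finally:
        client_host.run_command(pkill, raiseonerr=False)
        client_host.run_command('rm -f %s' % pcapfile, raiseonerr=False)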
def test_0002_check_default_level_with_auth(self, multihost, backupsssdconf):
    """
    :title: default debug logs: Check successful login with default log
     level doesn't generate any logs
    :id: f40a7c66-6b5f-4f3c-8fcb-6aa12f415473
    :steps:
      1. Remove debug_level from sssd.conf file
      2. Add fallback_homedir (generates extra logs on user auth if not specified)
      3. Stop sssd, clear cache and logs, start sssd
      4. Check total log size before user auth
      5. Execute valid user authentication
      6. Check total log size after auth
      7. Log sizes before and after auth are the same
    :expectedresults:
      1. sssd should use default debug level with no level defined
      2. Succeeds
      3. sssd services start successfully
      4. Succeeds
      5. Succeeds
      6. Succeeds
      7. Succeeds
    """
    client_host = multihost.client[0]
    section = f"domain/{ds_instance_name}"
    tools = sssdTools(client_host)
    tools.sssd_conf(section, {'debug_level': ''}, action='delete')
    tools.sssd_conf(section, {'fallback_homedir': '/home/%u'})
    # stop sssd, delete logs and cache, start sssd
    tools.clear_sssd_cache()
    client_host.run_command('cat /etc/sssd/sssd.conf')

    def _total_log_size():
        # Summed size of /var/log/sssd as reported by du's "total" line.
        size_cmd = "du -c /var/log/sssd/ | awk '/total/ {print $1}'"
        return client_host.run_command(size_cmd, raiseonerr=False).stdout_text

    before = _total_log_size()
    print("before auth:", before)
    # Authenticate user
    session = pexpect_ssh(client_host.sys_hostname,
                          f'foo1@{ds_instance_name}', 'Secret123',
                          debug=False)
    session.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False)
    after = _total_log_size()
    print("after auth:", after)
    assert after == before
def test_analyze_pam_logs(self, multihost, backupsssdconf):
    """
    :title: sssctl analyze to parse pam requests from logs
    :id: 7fcd03b6-7f6f-4f39-96f8-45e0cb2d8c20
    :description: sssctl analyze request should able to parse and return
     authentication logs
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1294670
    :steps:
      1. Configure sssd to authenticate against directory server
      2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
      3. Restart SSSD with cleared cache
      4. Log in as a user using ssh
      5. Confirm --pam option is showing login related logs
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    client_host.service_sssd('stop')
    # Drop both the cache and the old logs so analyze sees this login only.
    tools.remove_sss_cache('/var/lib/sss/db/')
    tools.remove_sss_cache('/var/log/sssd/')
    debug_params = {'debug_level': '9'}
    for section in ('nss', 'pam'):
        tools.sssd_conf(section, debug_params, action='update')
    client_host.service_sssd('start')

    user = f'foo1@{ds_instance_name}'
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login(login_timeout=30, sync_multiplier=5,
                      auto_prompt_reset=False)
    except SSHLoginException:
        pytest.fail(f"{user} failed to login")
    else:
        session.logout()

    _, stdout = analyze(multihost, 'show 1 --pam')
    assert 'CID #1' in stdout
    expected_pam = (
        'SSS_PAM_AUTHENTICATE',
        'SSS_PAM_AUTHENTICATE',
        'SSS_PAM_ACCT_MGMT',
        'SSS_PAM_SETCRED',
    )
    for needle in expected_pam:
        assert needle in stdout
def test_fips_login(self, multihost):
    """
    @Title: Verify kerberos user can login successfully in fips mode.
    """
    client_host = multihost.client[0]
    domain_name = sssdTools(client_host).get_domain_section_name()
    user = '******' % domain_name
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login()
    except SSHLoginException:
        pytest.fail("%s failed to login" % user)
    session.logout()
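def ssh_login(self, username, password, host, command=None):
    """
    SSH login to host.

    :param username: account to log in as
    :param password: its password
    :param host: ssh target
    :param command: optional command to run in the session; its output and
        exit status are printed. The original always ran ``id`` here and
        ignored the argument.
    :return: True when the login succeeded, False on SSHLoginException or
        an EOF from pexpect.
    """
    pxssh = pexpect_ssh(host, username, password, debug=False)
    try:
        pxssh.login()
    except (SSHLoginException, pexpect.exceptions.EOF):
        return False
    if command:
        (output, ret) = pxssh.command(command)
        print(output)
        print("Return status: ", ret)
    pxssh.logout()
    return True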
def test_analyze_tevent_id(self, multihost, backupsssdconf):
    """
    :title: sssctl analyze to parse tevent chain IDs from logs
    :id: f748766c-0177-4306-9e7f-816586734e14
    :description: sssctl analyze should able to parse tevent chain IDs
     from responder logs
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2013259
    :steps:
      1. Configure sssd to authenticate against directory server
      2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
      3. Restart SSSD with cleared cache
      4. Log in as a user using ssh
      5. Confirm tevent chain IDs(RID) is showing in logs
    :expectedresults:
      1. Should succeed
      2. Should succeed
      3. Should succeed
      4. Should succeed
      5. Should succeed
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    debug_params = {'debug_level': '9'}
    for section in ('nss', 'pam'):
        tools.sssd_conf(section, debug_params, action='update')
    tools.clear_sssd_cache()

    user = f'foo1@{ds_instance_name}'
    client_host.run_command(f'id {user}', raiseonerr=False)
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login(login_timeout=30, sync_multiplier=5,
                      auto_prompt_reset=False)
    except SSHLoginException:
        pytest.fail(f"{user} failed to login")
    else:
        session.logout()

    _, stdout = analyze(multihost, 'show 1 --pam')
    # The request id marker and the user must both be in the parsed output.
    assert 'RID#' in stdout and user in stdout
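def test_fips_as_req(self, multihost):
    """
    :title: krb5/fips: verify sssd accepts only elisted fips approved types
    :id: c5ab16d5-8636-4f50-992b-aa0f05e1a9e5
    :description: Capture the Kerberos exchange of an ssh login and check
     that every FIPS-approved enctype appears among the kerberos.ENCTYPE
     fields of the AS-REQ. Capture and pcap file are cleaned up on every
     path.
    """
    client_host = multihost.client[0]
    tools = sssdTools(client_host)
    domain_name = tools.get_domain_section_name()
    user = '******' % domain_name
    ldap_host = multihost.master[0].sys_hostname
    pcapfile = '/tmp/krb1.pcap'
    pkill = 'pkill tcpdump'
    tshark_cmd = "tshark -r %s -V -2 -R 'kerberos.ENCTYPE'" % pcapfile
    client_host.run_command('tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile),
                            bg=True)
    try:
        session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                              debug=False)
        try:
            session.login()
        except SSHLoginException:
            client_host.run_command(pkill, raiseonerr=False)
            # Diagnostic dump for the failure; not asserted.
            client_host.run_command(tshark_cmd, raiseonerr=False)
            pytest.fail("%s failed to login" % user)
        # Let the capture flush before tearing the session down.
        time.sleep(5)
        session.logout()
        client_host.run_command(pkill, raiseonerr=False)
        # check as_req
        as_req = client_host.run_command(tshark_cmd, raiseonerr=False).stdout_text
        valid_etypes = [
            'AES128-CTS-HMAC-SHA256-128',
            'AES256-CTS-HMAC-SHA1-96',
            'AES128-CTS-HMAC-SHA1-96',
            'AES256-CTS-HMAC-SHA384-192',
        ]
        missing = [etype for etype in valid_etypes if not re.search(etype, as_req)]
        assert not missing, f"FIPS-approved etypes absent from AS-REQ: {missing}"
    finally:
        # The original removed the pcap only on the success path; the unused
        # sudo_pcapfile local is gone.
        client_host.run_command(pkill, raiseonerr=False)
        client_host.run_command('rm -f %s' % pcapfile, raiseonerr=False)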
def test_0001_bz1137013(self, multihost, create_ssh_keys):
    """
    @Title: ssh_authorizedkeys: OpenSSH LPK support by default bz1137013
    """
    client_host = multihost.client[0]
    domain_name = sssdTools(client_host).get_domain_section_name()
    user = '******' % domain_name
    session = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                          debug=False)
    try:
        session.login()
    except SSHLoginException:
        pytest.fail("%s failed to login" % user)
    session.logout()
    # The domain log must show the public key being picked up from LDAP.
    domain_log = '/var/log/sssd/sssd_%s.log' % domain_name
    log_text = client_host.get_file_contents(domain_log).decode('utf-8')
    assert 'Adding sshPublicKey' in log_text
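def test_0008_1636002(multihost, backupsssdconf):
    """
    :title: IDM-SSSD-TC: ldap_provider: socket-activated services start as
     the sssd user and then are unable to read the confdb
    :id: 7a33729a-ab74-4d9e-9d75-e952deaa7bd2
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1636002
    :customerscenario: true
    :steps:
      1. Switch to socket activated services, restart sssd
      2. Check 'getent passwd <user> output.
      3. Run ssh for the user to trigger PAM.
      4. Check log for error messages related to opening
         /var/lib/sss/db/config.ldb
    :expectedresults:
      1. No issue switching and sssd has started.
      2. It should succeed.
      3. /var/log/sssd/sssd_pam.log is present
      4. The error messages are not present.
    :teardown:
      1. Undo socket activation.
      2. Restore sssd.conf
    """
    # pylint: disable=unused-argument
    client_host = multihost.client[0]
    client = sssdTools(client_host)
    client.clear_sssd_cache()
    domain_name = client.get_domain_section_name()
    user = f'foo1@{domain_name}'
    # Configure socket activation: with no explicit services the responders
    # are started by their systemd sockets.
    client.sssd_conf('sssd', {'services': ''})
    client.clear_sssd_cache()
    sockets = "sssd-nss.socket sssd-pam.socket sssd-pam-priv.socket"
    client_host.run_command(f"systemctl enable {sockets}")
    try:
        client_host.service_sssd('restart')
        # Show the sssd config
        client_host.run_command('cat /etc/sssd/sssd.conf', raiseonerr=False)
        # Run getent passwd
        usr_cmd = client_host.run_command(f'getent passwd {user}',
                                          raiseonerr=False)
        # Try ssh after socket activation is configured.
        # Result does not matter we just need to trigger the PAM stack
        ssh_client = pexpect_ssh(client_host.sys_hostname, user, 'Secret123',
                                 debug=False)
        try:
            ssh_client.login(login_timeout=30, sync_multiplier=5,
                             auto_prompt_reset=False)
        except SSHLoginException:
            pass
        else:
            ssh_client.logout()
        # Print pam log for debug purposes
        client_host.run_command('cat /var/log/sssd/sssd_pam.log',
                                raiseonerr=False)
        # Download sssd pam log
        log_str = client_host.get_file_contents(
            "/var/log/sssd/sssd_pam.log").decode('utf-8')
    finally:
        # Disable socket activation even when a step above raised; the
        # original skipped this on any exception before the disable line.
        client_host.run_command(f"systemctl disable {sockets}",
                                raiseonerr=False)
    # Evaluate test results
    assert usr_cmd.returncode == 0, f"User {user} was not found."
    assert "CONFDB: /var/lib/sss/db/config.ldb" in log_str
    assert "Unable to open tdb '/var/lib/sss/db/config.ldb': " \
           "Permission denied" not in log_str
    assert "Failed to connect to '/var/lib/sss/db/config.ldb'" \
        not in log_str
    assert "The confdb initialization failed" not in log_str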