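def test_0005_getent_homedirectory(self, multihost, backupsssdconf):
    """
    :title: misc: fallback_homedir returns '/' for empty home directories in passwd file
    :id: 69a6b54e-a8eb-4145-8554-c5e666d82276
    :customerscenario: True
    :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1660693
    """
    # Regression check: an LDAP user whose homeDirectory is a single space
    # must not be resolved through SSSD with '/' as the home directory.
    # backupsssdconf is not referenced in the body; it is requested only as a
    # fixture (presumably it saves and restores sssd.conf -- confirm).
    multihost.client[0].service_sssd('restart')

    # NOTE(review): this is a simple bind as Directory Manager with a
    # hard-coded password over a plain ldap:// URI. Unless LdapOperations
    # negotiates StartTLS (not visible here), the password crosses the wire in
    # clear text, so this only suits an isolated, disposable test topology.
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)

    user_dn = 'uid=user_exp4,ou=People,dc=example,dc=test'
    user_info = {
        'cn': b'user_exp4',
        'objectClass': [b'top', b'person', b'inetOrgPerson',
                        b'organizationalPerson', b'posixAccount'],
        'sn': b'user_exp',
        'uid': b'user_exp',
        # Shown masked on the page; kept exactly as it appears there.
        'userPassword': b'******',
        # The "empty" home directory under test.
        'homeDirectory': b' ',
        'uidNumber': b'121012',
        'gidNumber': b'121012',
        'loginShell': b'/bin/bash',
    }
    (_, _) = ldap_inst.add_entry(user_info, user_dn)

    cmd_getent = "getent passwd -s sss user_exp4@example1"
    try:
        cmd = multihost.client[0].run_command(cmd_getent)
    finally:
        # Remove the account even when getent fails; without this a failed
        # lookup would leave a posixAccount with a known password in the
        # directory for every later test.
        ldap_inst.del_dn(user_dn)

    # A passwd line containing ':/:' means the home directory field is '/'.
    assert ":/:" not in cmd.stdout_text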
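def test_login_fips_weak_crypto(self, multihost):
    """
    :title: krb5/fips: verify login fails when weak crypto is presented
    :id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
    """
    # Negative test: a principal created with the arcfour-hmac (RC4)
    # encryption type must be refused at login, and the client journal must
    # carry the KDC's "no support for encryption type" error.
    # NOTE(review): simple bind as Directory Manager with a hard-coded
    # password over plain ldap://; acceptable only on an isolated test
    # topology unless LdapOperations upgrades the connection (not visible).
    ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
    ds_rootdn = 'cn=Directory Manager'
    ds_rootpw = 'Secret123'
    tools = sssdTools(multihost.client[0])
    domain_name = tools.get_domain_section_name()
    tools.clear_sssd_cache()
    # The page shows this literal masked as '******'; with no conversion
    # specifier the % operator raises TypeError before the test does anything.
    # Rebuilt as the fully qualified name of the account created below --
    # confirm against the upstream file.
    user = 'cracker@%s' % domain_name
    ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
    krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
    user_info = {
        'cn': 'cracker',
        'uid': 'cracker',
        'uidNumber': '19583100',
        'gidNumber': '14564100',
    }
    if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
        krb.add_principal('cracker', 'user', 'Secret123',
                          etype='arcfour-hmac')
    else:
        pytest.fail("Failed to add user cracker")

    user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
    # NOTE(review): fixed file name under /tmp on the client; a name created
    # on the client at run time would avoid clashing with a pre-existing file.
    pcapfile = '/tmp/krb1.pcap'
    pkill = 'pkill tcpdump'
    try:
        group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
        add_member = [(ldap.MOD_ADD, 'uniqueMember',
                       user_dn.encode('utf-8'))]
        (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
        assert ret == 'Success'
        tools.clear_sssd_cache()

        ldap_host = multihost.master[0].sys_hostname
        tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
        multihost.client[0].run_command(tcpdump_cmd, bg=True)

        client = pexpect_ssh(multihost.client[0].sys_hostname, user,
                             'Secret123', debug=False)
        try:
            client.login()
        except SSHLoginException:
            # Expected path: stop the capture before reading it back.
            multihost.client[0].run_command(pkill)
            # Message type 30 is KRB-ERROR. The tshark output is not asserted
            # on; the verdict comes from the journal check that follows.
            tshark_cmd = ("tshark -r %s -V -2 -R"
                          " 'kerberos.msg_type == 30'") % pcapfile
            multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
            journalctl_cmd = 'journalctl --no-pager -n 150'
            cmd = multihost.client[0].run_command(journalctl_cmd)
            check = re.compile(r'KDC has no support for encryption type')
            assert check.search(cmd.stdout_text)
        else:
            # The weak-crypto login went through: this is the failure the
            # test exists to catch. The original message had a %s with no
            # argument, so the account name was never reported.
            pytest.fail("%s Login successfull" % user)
    finally:
        # Clean up on every path. Previously a failed assertion or an
        # unexpected successful login skipped all of this, leaving tcpdump
        # running, the capture in /tmp, and an account with a known password
        # and an RC4 key on the servers.
        # pkill exits non-zero when the capture is already stopped (or was
        # never started), hence raiseonerr=False.
        multihost.client[0].run_command(pkill, raiseonerr=False)
        ldap_inst.del_dn(user_dn)
        krb.delete_principal('cracker')
        rm_pcap_file = 'rm -f %s' % pcapfile
        multihost.client[0].run_command(rm_pcap_file)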