def test_0003_sssd_crashes_after_update(self, multihost,
backupsssdconf):
"""
:title: misc: sssd crashes after last update to
sssd-common-1.16.4-37.el7_8.1
:id: 55cbdb9c-c62e-4604-8c77-9d70dd333a50
:customerscenario: True
:bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1854317
"""
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
client = sssdTools(multihost.client[0])
domain_params = {'cache_credentials': 'true',
'entry_cache_timeout': '5400',
'refresh_expired_interval': '4000'}
client.sssd_conf(f'domain/{domain_name}', domain_params)
multihost.client[0].service_sssd('restart')
user = '******' % domain_name
client = pexpect_ssh(multihost.client[0].sys_hostname, user,
'Secret1234', debug=False)
with pytest.raises(SSHLoginException):
client.login(login_timeout=10,
sync_multiplier=1, auto_prompt_reset=False)
time.sleep(2)
client = pexpect_ssh(multihost.client[0].sys_hostname, user,
'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5, auto_prompt_reset=False)
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
for _ in range(3):
client = pexpect_ssh(multihost.client[0].sys_hostname, user,
'Secret1234', debug=False)
with pytest.raises(SSHLoginException):
client.login(login_timeout=10,
sync_multiplier=1, auto_prompt_reset=False)
time.sleep(2)
client = pexpect_ssh(multihost.client[0].sys_hostname, user,
'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5, auto_prompt_reset=False)
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
time.sleep(2)
cmd_id = 'id %s' % user
cmd = multihost.client[0].run_command(cmd_id)
if "no such user" in cmd.stdout_text:
status = "FAIL"
else:
status = "PASS"
assert status == "PASS"
def test_analyze_parse_child_logs(self, multihost, backupsssdconf):
"""
:title: sssctl analyze to parse child logs from logs
:id: 0f009b2e-420f-40f4-ab37-e224a6607812
:description: sssctl analyze should able to parse child logs
from logs
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2013260
:steps:
1. Configure sssd to authenticate against directory server
2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
3. Restart SSSD with cleared cache
4. Log in as a user using ssh
5. Confirm child krb logs parsed
6. Fail log in with wrong credentials
7. Confirm parsed child logs show error message
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
7. Should succeed
"""
tools = sssdTools(multihost.client[0])
dm_sec = ['nss', 'pam']
sssd_params = {'debug_level': '9'}
for sec_op in dm_sec:
tools.sssd_conf(sec_op, sssd_params, action='update')
tools.clear_sssd_cache()
user = f'foo1@{ds_instance_name}'
client_hostname = multihost.client[0].sys_hostname
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
_, stdout = analyze(multihost, 'show --pam --child 1')
assert 'Preauthentication failed' in stdout
pytest.fail(f"{user} failed to login")
else:
client.logout()
_, stdout = analyze(multihost, 'show --pam --child 1')
err = 'sss_child_krb5_trace_cb'
assert all(ptn in stdout for ptn in [err, user])
tools.clear_sssd_cache()
client = pexpect_ssh(client_hostname, user, 'NOSecret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
_, stdout = analyze(multihost, 'show --pam --child 1')
assert re.findall(r"RID#[0-9]*] Received error code", stdout)
else:
pytest.fail(f"{user} sucessful to login")
def test_0001_krb5_not_working_based_on_k5login(self, multihost,
localusers,
backupsssdconf):
"""
:title: krb5: access_provider = krb5 is not
working in RHEL8 while restricting logins
based on .k5login file
:id: dfc177ff-58a7-4697-8d23-e444928c7092
:casecomponent: authselect
:customerscenario: True
:requirement: IDM-SSSD-REQ :: Authselect replaced authconfig
:bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1734094
"""
multihost.client[0].run_command(f'authselect '
f'select sssd '
f'with-files-access-provider')
multihost.client[0].service_sssd('stop')
client_tool = sssdTools(multihost.client[0])
domain_params = {'id_provider': 'files', 'access_provider': 'krb5'}
client_tool.sssd_conf('domain/example1', domain_params)
dmain_delete = {
"ldap_user_home_directory": "/home/%u",
"ldap_uri": multihost.master[0].sys_hostname,
"ldap_search_base": "dc=example,dc=test",
"ldap_tls_cacert": "/etc/openldap/cacerts/cacert.pem",
"use_fully_qualified_names": "True"
}
client_tool.sssd_conf('domain/example1', dmain_delete, action='delete')
multihost.client[0].service_sssd('start')
user = '******'
client_hostname = multihost.client[0].sys_hostname
multihost.client[0].run_command(f'touch /home/{user}/.k5login')
multihost.client[0].run_command(f'chown {user} /home/{user}/.k5login')
multihost.client[0].run_command(f'chgrp {user} /home/{user}/.k5login')
multihost.client[0].run_command(f'chmod 664 /home/{user}/.k5login')
multihost.client[0].service_sssd('restart')
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
with pytest.raises(Exception):
client.login(login_timeout=10,
sync_multiplier=1,
auto_prompt_reset=False)
multihost.client[0].run_command(f'rm -vf /home/{user}/.k5login')
multihost.client[0].service_sssd('restart')
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
multihost.client[0].run_command('authselect select sssd')
def test_child_logs_after_receiving_hup(self, multihost):
"""
:title: sssd fails to release file descriptor on child
logs after receiving hup
:id: 3e28f453-fae8-4f52-82d0-757a5bdd0b06
:customerscenario: True
:bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1544457
"""
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
time.sleep(2)
ps_cmd = "mv /var/log/sssd/krb5_child.log " \
"/var/log/sssd/krb5_child.log.old"
cmd = multihost.client[0].run_command(ps_cmd)
ps_cmd = "pgrep sssd"
cmd = multihost.client[0].run_command(ps_cmd)
sssd_pid = cmd.stdout_text.split('\n')[0]
ps_cmd = f"/bin/kill -HUP {sssd_pid}"
cmd = multihost.client[0].run_command(ps_cmd)
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
time.sleep(2)
cmd = multihost.client[0].run_command(ps_cmd)
for file in ['krb5_child.log', 'krb5_child.log.old']:
ps_cmd = f"ls -l /var/log/sssd/{file}"
cmd = multihost.client[0].run_command(ps_cmd)
if f'/var/log/sssd/{file}' in cmd.stdout_text:
status = 'PASS'
else:
status = 'FAIL'
assert status == 'PASS'
def test_client_timeout(self, multihost, backupsssdconf):
"""
:title: kcm: Increase client idle
timeout to 5 minutes
:id: 6933cb85-1616-4b7f-a049-e81ab4c05347
:bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1884205
"""
client = sssdTools(multihost.client[0])
domain_params = {'debug_level': '9'}
client.sssd_conf('kcm', domain_params)
multihost.client[0].service_sssd('restart')
user = '******'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
sssdTools(multihost.client[0]).clear_sssd_cache()
multihost.client[0].run_command("systemctl restart sssd-kcm")
multihost.client[0].run_command("> /var/log/sssd/sssd_kcm.log")
start_time = time.time()
multihost.client[0].run_command("kinit foo1 <&- & ")
end_time = time.time()
client.logout()
assert end_time - start_time >= 300
grep_cmd = multihost.client[0].run_command("grep"
" 'Terminated"
" client'"
" /var/log/sssd/"
"sssd_kcm.log")
assert 'Terminated client' in grep_cmd.stdout_text
def test_sssd_not_check_gss_spengo(self, multihost, backupsssdconf):
"""
:Title: krb5/fips: sssd does not properly check GSS-SPNEGO
@bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1868054
"""
client = sssdTools(multihost.client[0])
domain_name = client.get_domain_section_name()
del_params = {'ldap_sasl_mech': 'GSSAPI'}
client.sssd_conf('domain/%s' % domain_name,
del_params,
action='delete')
domain_params = {'ldap_sasl_mech': 'GSS-SPNEGO'}
client.sssd_conf('domain/example1', domain_params)
client.clear_sssd_cache()
user = '******' % domain_name
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
ps_grep = "grep GSS /var/log/sssd/*.log"
cmd = multihost.client[0].run_command(ps_grep)
err_msg = "SPNEGO cannot find mechanisms to negotiate"
if err_msg in cmd.stdout_text:
status = "FAIL"
else:
status = "PASS"
assert status == "PASS"
def test_ldap_gssapi(self, multihost):
"""
@Title: krb5/fips: verify sssd is able to create gssapi connection
with fips approved etype.
"""
cmd = 'cat /etc/sssd/sssd.conf'
multihost.client[0].run_command(cmd)
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
ldap_host = multihost.master[0].sys_hostname
pcapfile = '/tmp/ldapgssapi.pcap'
tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
multihost.client[0].run_command(tcpdump_cmd, bg=True)
pkill = 'pkill tcpdump'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
multihost.client[0].run_command(pkill)
pytest.fail("%s failed to login" % user)
else:
ldapsearch = 'ldapsearch -Y GSSAPI -H ldap://%s' % ldap_host
(_, ret) = client.command(ldapsearch)
client.logout()
multihost.client[0].run_command(pkill)
tshark_cmd = "tshark -r %s -V -2 -R"\
" 'kerberos.msg_type == 13'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
rm_pcap_file = 'rm -f %s' % pcapfile
multihost.client[0].run_command(rm_pcap_file)
def test_0001_1724717(self, multihost):
"""
:title: proxy: sssd-proxy crashes resolving groups with no members
:id: 28b64673-8f1b-46c1-b0dd-6eaba9f80b2c
"""
# backup sssd.conf
backup = 'cp -f /etc/sssd/sssd.conf /etc/sssd/sssd.conf.backup'
restore = 'cp -f /etc/sssd/sssd.conf.backup /etc/sssd/sssd.conf'
multihost.client[0].run_command(backup)
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
multihost.client[0].service_sssd('stop')
tools.remove_sss_cache('/var/lib/sss/db')
user = '******' % domain_name
# user add
add_user = '******'
# delete user
del_user = '******'
multihost.client[0].run_command(add_user)
domain_params = {
'id_provider': 'proxy',
'proxy_lib_name': 'files',
'ignore_group_members': 'False',
'cache_credentials': 'True',
'krb5_validate': 'True'
}
tools.sssd_conf('domain/%s' % domain_name, domain_params)
del_domain_params = {
'ldap_uri': 'ldaps:%s' % (multihost.master[0].run_command),
'ldap_tls_cacert': '/etc/openldap/cacerts/cacert.pem',
'ldap_search_base': ds_suffix,
'use_fully_qualified_names': 'True'
}
tools.sssd_conf('domain/%s' % domain_name,
del_domain_params,
action='delete')
cat = 'cat /etc/sssd/sssd.conf'
multihost.client[0].run_command(cat)
multihost.client[0].service_sssd('start')
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
multihost.client[0].run_command(del_user)
multihost.client[0].run_command(restore)
pytest.fail("%s failed to login" % user)
else:
id_cmd = 'id %s' % user
(_, ret) = client.command(id_cmd)
assert ret == '0'
client.logout()
# On fedora after user logs out it takes time
# for systemd process running as user to get stopped, hence
# adding sleep
time.sleep(20)
multihost.client[0].run_command(del_user)
multihost.client[0].run_command(restore)
def test_0001_bz1362023(self, multihost, backupsssdconf):
"""
:title: IDM-SSSD-TC: rfc2307: user with spaces at beginning
:id: 6923436c-d4e4-4a0d-a8f3-1e94ecb1dee3
:description: user with a white space at the beginning in it's name
should be able to log in
:bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2015090
https://bugzilla.redhat.com/show_bug.cgi?id=1065534
:steps:
1. Create user with a white space at beginning in their name
2. Restart SSSD with cleared cache
3. Fetch user information using 'id'
4. Confirm user is able to log in via ssh
5. A normal user information is fetched
6. Confirm a user information is not fetched if a space is added
as it's first character
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
"""
usr = '******'
usr_info = {
'cn': usr,
'uid': usr,
'uidNumber': '34583100',
'gidNumber': '34564100'
}
usr_grp(multihost, usr_info, 'user')
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
tools.clear_sssd_cache()
user = f'\\ tuser@{domain_name}'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail(f'{user} failed to login')
else:
id_cmd = f'id {user}'
(_, ret) = client.command(id_cmd)
assert ret == '0'
client.logout()
user = f'tuser@{domain_name}'
cmd = multihost.client[0].run_command(f'id {user}', raiseonerr=False)
assert cmd.returncode != 0
user = f'foo1@{domain_name}'
cmd = multihost.client[0].run_command(f'id {user}', raiseonerr=False)
assert cmd.returncode == 0
user = f'\\ foo1@{domain_name}'
cmd = multihost.client[0].run_command(f'id {user}', raiseonerr=False)
assert cmd.returncode != 0
def test_0002_bz1928648(self, multihost, backupsssdconf):
"""
:title: clarify which config option applies to each timeout in the logs
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928648
:customerscenario: true
:id: b6c3a1e4-f0ee-11eb-9718-845cf3eff344
:steps:
1. Login into server running sssd service.
2. Configure SSSD with only 1 id_provider.
3. Block "id_provider" using "iptables" command.
4. Step 6 should fail and similar messages
should be observed in log file
(/var/log/sssd/sssd_<domainname>.log).
5. The log snip should contain following
timeout parameters.
- ldap_opt_timeout
- ldap_search_timeout
- ldap_network_timeout
- dns_resolver_timeout
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
"""
multihost.client[0].run_command("> /var/log/sssd/sssd_example1.log")
multihost.client[0].service_sssd('restart')
time.sleep(30)
it_cat = "cat /var/log/sssd/sssd_example1.log"
cat_read = multihost.client[0].run_command(it_cat)
for i in ['Setting 6 seconds timeout', "ldap_network_timeout"]:
assert i in cat_read.stdout_text
find_id = multihost.client[0].run_command("id foo1@example1")
assert find_id.returncode == 0
hostname = multihost.master[0].external_hostname
block_ip = multihost.client[0].run_command(f'iptables'
f' -I OUTPUT '
f'-d {hostname}'
f' -j DROP')
assert block_ip.returncode == 0
user = '******'
client_hostname = multihost.client[0].sys_hostname
client = pexpect_ssh(client_hostname, user, 'Secret123',
debug=False)
with pytest.raises(Exception):
client.login(login_timeout=5,
sync_multiplier=1,
auto_prompt_reset=False)
multihost.client[0].run_command(f"iptables "
f"-D OUTPUT -d "
f"{hostname} -j DROP")
it_cat = "cat /var/log/sssd/sssd_example1.log"
cat_read = multihost.client[0].run_command(it_cat)
for i in ['ldap_opt_timeout',
'ldap_search_timeout',
'ldap_network_timeout',
'dns_resolver_timeout']:
assert i in cat_read.stdout_text
def test_login_fips_weak_crypto(self, multihost):
"""
:title: krb5/fips: verify login fails when weak crypto is presented
:id: cdd2ef0d-4921-40b3-b61e-0b271b2d5e00
"""
ldap_uri = 'ldap://%s' % (multihost.master[0].sys_hostname)
ds_rootdn = 'cn=Directory Manager'
ds_rootpw = 'Secret123'
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
tools.clear_sssd_cache()
user = '******' % domain_name
ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
krb = krb5srv(multihost.master[0], 'EXAMPLE.TEST')
user_info = {
'cn': 'cracker',
'uid': 'cracker',
'uidNumber': '19583100',
'gidNumber': '14564100'
}
if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
krb.add_principal('cracker',
'user',
'Secret123',
etype='arcfour-hmac')
else:
pytest.fail("Failed to add user cracker")
user_dn = 'uid=cracker,ou=People,%s' % ds_suffix
group_dn = 'cn=ldapusers,ou=Groups,%s' % ds_suffix
add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn.encode('utf-8'))]
(ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
assert ret == 'Success'
tools.clear_sssd_cache()
ldap_host = multihost.master[0].sys_hostname
pcapfile = '/tmp/krb1.pcap'
tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
multihost.client[0].run_command(tcpdump_cmd, bg=True)
pkill = 'pkill tcpdump'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
multihost.client[0].run_command(pkill)
tshark_cmd = "tshark -r %s -V -2 -R"\
" 'kerberos.msg_type == 30'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
journalctl_cmd = 'journalctl --no-pager -n 150'
cmd = multihost.client[0].run_command(journalctl_cmd)
check = re.compile(r'KDC has no support for encryption type')
assert check.search(cmd.stdout_text)
else:
pytest.fail("%s Login successfull")
ldap_inst.del_dn(user_dn)
krb.delete_principal('cracker')
rm_pcap_file = 'rm -f %s' % pcapfile
multihost.client[0].run_command(rm_pcap_file)
def test_hbac_refresh_time(self, multihost):
"""
:title: hbac: Verify cached hbac rule is applied
for the refresh time period
:id: c839fd33-65da-4252-82cf-5ba88ad02f55
"""
ipa_server = ipaTools(multihost.master[0])
ipa_client = ipaTools(multihost.client[0])
sssd_client = sssdTools(multihost.client[0])
domain_name = '%s/%s' % ('domain',
sssd_client.get_domain_section_name())
client_host = multihost.client[0].sys_hostname
pexpect_ssh(client_host, 'foobar1', 'Secret123', debug=False)
ipa_server.add_hbac_rule('test1', 'foobar1', client_host, 'sshd')
multihost.client[0].service_sssd('stop')
sssd_client.remove_sss_cache('/var/lib/sss/db')
hbac_params = {'ipa_hbac_refresh': '60'}
sssd_client.sssd_conf(domain_name, hbac_params)
multihost.client[0].service_sssd('start')
login_status = ipa_client.ssh_login('foobar1',
'Secret123',
client_host,
command='id')
if login_status:
status = 'PASS'
# update the rule
update_rule = "ipa hbacrule-remove-user --users='foobar1' test1"
# sleep for 20 seconds
time.sleep(20)
multihost.master[0].run_command(update_rule)
login_status = ipa_client.ssh_login('foobar1',
'Secret123',
client_host,
command='id')
if login_status:
status = 'PASS'
time.sleep(45)
# now it should not allow login
login_status = ipa_client.ssh_login('foobar1', 'Secret123',
client_host)
if not login_status:
status = 'PASS'
sssd_client.sssd_conf(domain_name, hbac_params, action='delete')
multihost.client[0].service_sssd('restart')
ipa_server.del_hbac_rule('test1')
assert status == 'PASS'
def test_analyze_diff_log_location(self, multihost, backupsssdconf):
"""
:title: sssctl analyze able to parse sssd logs from non-default
location
:description: sssctl analyze should be able to parse the sssd logs
from different location or logs from other host
:id: d297b394-3502-4ade-a5a5-5fb4c4333645
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1294670
:steps:
1. Configure sssd to authenticate against directory server
2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
3. Restart SSSD with cleared cache
4. Fetch user as well as information using 'id' and 'groups' tools
5. Log in as user via ssh
6. Copy sssd logs to a different location
7. Confirm --logdir allows analyze to parse logs from that location
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
7. Should succeed
"""
tools = sssdTools(multihost.client[0])
dm_sec = ['nss', 'pam']
sssd_params = {'debug_level': '9'}
for sec_op in dm_sec:
tools.sssd_conf(sec_op, sssd_params, action='update')
tools.clear_sssd_cache()
user = f'foo1@{ds_instance_name}'
i_cmd = f'id {user}'
multihost.client[0].run_command(i_cmd, raiseonerr=False)
client_hostname = multihost.client[0].sys_hostname
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
pytest.fail(f'{user} failed to login')
else:
client.logout()
cp_cmd = 'cp -r /var/log/sssd/ /tmp/'
multihost.client[0].run_command(cp_cmd, raiseonerr=False)
ss_op = 'show 1 --pam'
log_dir = '--logdir /tmp/sssd/'
_, stdout = analyze(multihost, ss_op, log_dir)
pam_cmds = [
'SSS_PAM_AUTHENTICATE', 'SSS_PAM_AUTHENTICATE',
'SSS_PAM_ACCT_MGMT', 'SSS_PAM_SETCRED'
]
for pam_auth in pam_cmds:
assert pam_auth in stdout
for act_op in ['list', 'list -v']:
_, stdout = analyze(multihost, act_op, log_dir)
assert all(ptn in stdout for ptn in ['id', 'ssh'])
def test_auto_private_group(self, multihost):
"""
:title: hbac: Verify hbac rule associated with
User private Groups
:id: 99904ccd-bf2f-4c09-9636-92e036e19a0e
"""
ipa_server = ipaTools(multihost.master[0])
sssd_client = sssdTools(multihost.client[0])
domain_name = '%s/%s' % ('domain',
sssd_client.get_domain_section_name())
client_host = multihost.client[0].sys_hostname
pexpect_ssh(client_host, 'foobar1', 'Secret123', debug=False)
multihost.client[0].service_sssd('stop')
sssd_client.remove_sss_cache('/var/lib/sss/db')
enable_pvtgroups = {'auto_private_groups': 'True'}
sssd_client.sssd_conf(domain_name, enable_pvtgroups)
multihost.client[0].service_sssd('start')
cmd = 'ipa group-add std_group'
multihost.master[0].run_command(cmd)
# Add members
cmd1 = 'ipa group-add-member --users=foobar1 std_group'
multihost.master[0].run_command(cmd1, raiseonerr=False)
# add rule
ipa_server.add_hbac_rule('allow_ssh_access',
'std_group',
client_host,
'sshd',
group=True)
sssctl_cmd = 'sssctl user-checks -s sshd foobar1'
cmd1 = multihost.client[0].run_command(sssctl_cmd)
test_pam = re.compile(r'%s' % 'pam_acct_mgmt: Success')
result = test_pam.search(cmd1.stderr_text)
if not result:
STATUS = 'FAIL'
else:
STATUS = 'PASS'
ipa_server.del_hbac_rule('allow_ssh_access')
cmd = 'ipa group-del std_group'
multihost.master[0].run_command(cmd)
sssd_client.sssd_conf(domain_name, enable_pvtgroups, action='delete')
multihost.client[0].service_sssd('restart')
assert STATUS == 'PASS'
def no_fallback_dir(multihost):
tools = sssdTools(multihost.client[0])
section = f"domain/{ds_instance_name}"
domain_params = {'fallback_homedir': ''}
tools.sssd_conf(section, domain_params, action='delete')
tools.clear_sssd_cache()
user = f'foo1@{ds_instance_name}'
# Authenticate user
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
client.login(login_timeout=30, sync_multiplier=5, auto_prompt_reset=False)
def test_fips_as_rep(self, multihost):
"""
:title: krb5/fips: verify sssd accepts only elisted fips approved types
:id: f8452ecd-e13c-4485-83d3-83e25d7d544a
"""
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
ldap_host = multihost.master[0].sys_hostname
pcapfile = '/tmp/krb1.pcap'
tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
multihost.client[0].run_command(tcpdump_cmd, bg=True)
pkill = 'pkill tcpdump'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
multihost.client[0].run_command(pkill)
print("SSH Login failed")
tshark_cmd = "tshark -r %s -V -2 -R"\
" 'kerberos.msg_type == 11'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
pytest.fail("%s failed to login" % user)
else:
time.sleep(5)
client.logout()
multihost.client[0].run_command(pkill)
# check as_rep
tshark_cmd = "tshark -r %s -V -2 -R"\
" 'kerberos.msg_type == 11'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
valid_etypes = [
'AES256-CTS-HMAC-SHA1-96', 'AES128-CTS-HMAC-SHA1-96',
'AES256-CTS-HMAC-SHA384-192', 'AES128-CTS-HMAC-SHA256-128'
]
invalid_etypes = [
'DES3-CBC-SHA1', 'ARCFOUR-HMAC-MD5', 'CAMELLIA128-CTS-CMAC',
'CAMELLIA256-CTS-CMAC'
]
count = 0
for etype in valid_etypes:
check_str = 'eTYPE-%s' % etype
check = re.compile(r'%s' % etype)
if check.search(cmd.stdout_text):
count += 1
assert count == 1
rm_pcap_file = 'rm -f %s' % pcapfile
multihost.client[0].run_command(rm_pcap_file)
def test_0002_check_default_level_with_auth(self, multihost,
backupsssdconf):
"""
:title: default debug logs: Check successful login with default
log level doesn't generate any logs
:id: f40a7c66-6b5f-4f3c-8fcb-6aa12f415473
:steps:
1. Remove debug_level from sssd.conf file
2. Add fallback_homedir (generates extra logs on
user auth if not specified)
3. Stop sssd, clear cache and logs, start sssd
4. Check total log size before user auth
5. Execute valid user authentication
6. Check total log size after auth
7. Log sizes before and after auth are the same
:expectedresults:
1. sssd should use default debug level with no level defined
2. Succeeds
3. sssd services start successfully
4. Succeeds
5. Succeeds
6. Succeeds
7. Succeeds
"""
section = f"domain/{ds_instance_name}"
domain_params = {'debug_level': ''}
tools = sssdTools(multihost.client[0])
tools.sssd_conf(section, domain_params, action='delete')
domain_params = {'fallback_homedir': '/home/%u'}
tools.sssd_conf(section, domain_params)
# stop sssd, delete logs and cache, start sssd
tools.clear_sssd_cache()
conf = multihost.client[0].run_command('cat /etc/sssd/sssd.conf')
check_log_size = "du -c /var/log/sssd/ | awk '/total/ {print $1}'"
blog_size = multihost.client[0].run_command(check_log_size,
raiseonerr=False)
print("before auth:", blog_size.stdout_text)
user = f'foo1@{ds_instance_name}'
# Authenticate user
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
alog_size = multihost.client[0].run_command(check_log_size,
raiseonerr=False)
print("after auth:", alog_size.stdout_text)
assert alog_size.stdout_text == blog_size.stdout_text
def test_analyze_pam_logs(self, multihost, backupsssdconf):
"""
:title: sssctl analyze to parse pam requests from logs
:id: 7fcd03b6-7f6f-4f39-96f8-45e0cb2d8c20
:description: sssctl analyze request should able to parse and return
authentication logs
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1294670
:steps:
1. Configure sssd to authenticate against directory server
2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
3. Restart SSSD with cleared cache
4. Log in as a user using ssh
5. Confirm --pam option is showing login related logs
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
"""
tools = sssdTools(multihost.client[0])
multihost.client[0].service_sssd('stop')
tools.remove_sss_cache('/var/lib/sss/db/')
tools.remove_sss_cache('/var/log/sssd/')
dm_sec = ['nss', 'pam']
sssd_params = {'debug_level': '9'}
for sec_op in dm_sec:
tools.sssd_conf(sec_op, sssd_params, action='update')
multihost.client[0].service_sssd('start')
user = f'foo1@{ds_instance_name}'
client_hostname = multihost.client[0].sys_hostname
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
pytest.fail(f"{user} failed to login")
else:
client.logout()
_, stdout = analyze(multihost, 'show 1 --pam')
assert 'CID #1' in stdout
pam_cmds = [
'SSS_PAM_AUTHENTICATE', 'SSS_PAM_AUTHENTICATE',
'SSS_PAM_ACCT_MGMT', 'SSS_PAM_SETCRED'
]
for pam_auth in pam_cmds:
assert pam_auth in stdout
def test_fips_login(self, multihost):
"""
@Title: Verify kerberos user can login successfully in fips mode.
"""
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
def ssh_login(self, username, password, host, command=None):
""" SSH login to host """
pxssh = pexpect_ssh(host, username, password, debug=False)
try:
pxssh.login()
except SSHLoginException:
return False
except pexpect.exceptions.EOF:
return False
else:
if command:
(output, ret) = pxssh.command('id')
print(output)
print("Return status: ", ret)
pxssh.logout()
del pxssh
return True
def test_analyze_tevent_id(self, multihost, backupsssdconf):
"""
:title: sssctl analyze to parse tevent chain IDs from logs
:id: f748766c-0177-4306-9e7f-816586734e14
:description: sssctl analyze should able to parse tevent chain
IDs from responder logs
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2013259
:steps:
1. Configure sssd to authenticate against directory server
2. Enable debug_level to 9 in the 'nss', 'pam' and domain section
3. Restart SSSD with cleared cache
4. Log in as a user using ssh
5. Confirm tevent chain IDs(RID) is showing in logs
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
"""
tools = sssdTools(multihost.client[0])
dm_sec = ['nss', 'pam']
sssd_params = {'debug_level': '9'}
for sec_op in dm_sec:
tools.sssd_conf(sec_op, sssd_params, action='update')
tools.clear_sssd_cache()
i_cmd = f'id foo1@{ds_instance_name}'
multihost.client[0].run_command(i_cmd, raiseonerr=False)
user = f'foo1@{ds_instance_name}'
client_hostname = multihost.client[0].sys_hostname
client = pexpect_ssh(client_hostname, user, 'Secret123', debug=False)
try:
client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
pytest.fail(f"{user} failed to login")
else:
client.logout()
_, stdout = analyze(multihost, 'show 1 --pam')
assert all(ptn in stdout for ptn in ['RID#', user])
def test_fips_as_req(self, multihost):
"""
:title: krb5/fips: verify sssd accepts only elisted fips approved types
:id: c5ab16d5-8636-4f50-992b-aa0f05e1a9e5
"""
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
ldap_host = multihost.master[0].sys_hostname
pcapfile = '/tmp/krb1.pcap'
tcpdump_cmd = 'tcpdump -s0 host %s -w %s' % (ldap_host, pcapfile)
multihost.client[0].run_command(tcpdump_cmd, bg=True)
sudo_pcapfile = '/tmp/pcap1.pcap'
pkill = 'pkill tcpdump'
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
multihost.client[0].run_command(pkill)
tshark_cmd = "tshark -r %s -V -2 -R 'kerberos.ENCTYPE'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
pytest.fail("%s failed to login" % user)
else:
time.sleep(5)
client.logout()
multihost.client[0].run_command(pkill)
# check as_req
tshark_cmd = "tshark -r %s -V -2 -R 'kerberos.ENCTYPE'" % pcapfile
cmd = multihost.client[0].run_command(tshark_cmd, raiseonerr=False)
valid_etypes = [
'AES128-CTS-HMAC-SHA256-128', 'AES256-CTS-HMAC-SHA1-96',
'AES128-CTS-HMAC-SHA1-96', 'AES256-CTS-HMAC-SHA384-192'
]
for etype in valid_etypes:
check = re.compile(r'%s' % etype)
assert check.search(cmd.stdout_text)
rm_pcap_file = 'rm -f %s' % pcapfile
multihost.client[0].run_command(rm_pcap_file)
def test_0001_bz1137013(self, multihost, create_ssh_keys):
""" @Title: ssh_authorizedkeys: OpenSSH LPK support
by default bz1137013 """
tools = sssdTools(multihost.client[0])
domain_name = tools.get_domain_section_name()
user = '******' % domain_name
client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
client.login()
except SSHLoginException:
pytest.fail("%s failed to login" % user)
else:
client.logout()
domain_log = '/var/log/sssd/sssd_%s.log' % domain_name
log = multihost.client[0].get_file_contents(domain_log).decode('utf-8')
msg = 'Adding sshPublicKey'
find = re.compile(r'%s' % msg)
assert find.search(log)
def test_0008_1636002(multihost, backupsssdconf):
"""
:title: IDM-SSSD-TC: ldap_provider: socket-activated services start as
the sssd user and then are unable to read the confdb
:id: 7a33729a-ab74-4d9e-9d75-e952deaa7bd2
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1636002
:customerscenario: true
:steps:
1. Switch to socket activated services, restart sssd
2. Check 'getent passwd <user> output.
3. Run ssh for the user to trigger PAM.
4. Check log for error messages related to opening
/var/lib/sss/db/config.ldb
:expectedresults:
1. No issue switching and sssd has started.
2. It should succeed.
3. /var/log/sssd/sssd_pam.log is present
4. The error messages are not present.
:teardown:
1. Undo socket activation.
2. Restore sssd.conf
"""
# pylint: disable=unused-argument
client = sssdTools(multihost.client[0])
client.clear_sssd_cache()
domain_name = client.get_domain_section_name()
user = f'foo1@{domain_name}'
# Configure socket activation
sssd_params = {'services': ''}
client.sssd_conf('sssd', sssd_params)
client.clear_sssd_cache()
enable_cmd = "systemctl enable sssd-nss.socket sssd-pam.socket" \
" sssd-pam-priv.socket"
multihost.client[0].run_command(enable_cmd)
multihost.client[0].service_sssd('restart')
# Show the sssd config
multihost.client[0].run_command('cat /etc/sssd/sssd.conf',
raiseonerr=False)
# Run getent passwd
usr_cmd = multihost.client[0].run_command(f'getent passwd {user}',
raiseonerr=False)
# Try ssh after socket activation is configured
# Result does not matter we just need to trigger the PAM stack
ssh_client = pexpect_ssh(multihost.client[0].sys_hostname,
user,
'Secret123',
debug=False)
try:
ssh_client.login(login_timeout=30,
sync_multiplier=5,
auto_prompt_reset=False)
except SSHLoginException:
pass
else:
ssh_client.logout()
# Print pam log for debug purposes
multihost.client[0].run_command('cat /var/log/sssd/sssd_pam.log',
raiseonerr=False)
# Download sssd pam log
log_str = multihost.client[0].get_file_contents(
"/var/log/sssd/sssd_pam.log"). \
decode('utf-8')
# Disable socket activation
multihost.client[0].run_command(
"systemctl disable sssd-nss.socket sssd-pam.socket"
" sssd-pam-priv.socket",
raiseonerr=False)
# Evaluate test results
assert usr_cmd.returncode == 0, f"User {user} was not found."
assert "CONFDB: /var/lib/sss/db/config.ldb" in log_str
assert "Unable to open tdb '/var/lib/sss/db/config.ldb': " \
"Permission denied" not in log_str
assert "Failed to connect to '/var/lib/sss/db/config.ldb'" \
not in log_str
assert "The confdb initialization failed" not in log_str
