def test_invalid_range_types(self): invalid_range_types = [ 'ipa-local', 'ipa-ad-winsync', 'ipa-ipa-trust', 'random-invalid', 're@ll%ybad12!' ] tasks.configure_dns_for_trust(self.master, self.ad) try: for range_type in invalid_range_types: tasks.kinit_admin(self.master) result = self.master.run_command( [ 'ipa', 'trust-add', '--type', 'ad', self.ad_domain, '--admin', 'Administrator', '--range-type', range_type, '--password' ], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) # The trust-add command is supposed to fail assert result.returncode == 1 assert "ERROR: invalid 'range_type'" in result.stderr_text finally: tasks.unconfigure_dns_for_trust(self.master, self.ad)
def install(cls, mh): if cls.domain_level is not None: domain_level = cls.domain_level else: domain_level = cls.master.config.domain_level tasks.install_topo(cls.topology, cls.master, cls.replicas, cls.clients, domain_level, clients_extra_args=('--mkhomedir',)) cls.ad = cls.ads[0] cls.smbserver = cls.clients[0] cls.smbclient = cls.clients[1] cls.ad_user = '******'.format(cls.ad_user_login, cls.ad.domain.name) tasks.config_host_resolvconf_with_master_data(cls.master, cls.smbclient) tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.configure_windows_dns_for_trust(cls.ad, cls.master) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name, extra_args=['--two-way=true']) tasks.create_active_user(cls.master, cls.ipa_user1, password=cls.ipa_user1_password) tasks.create_active_user(cls.master, cls.ipa_user2, password=cls.ipa_user2_password) # Trigger creation of home directories on the SMB server for user in [cls.ipa_user1, cls.ipa_user2, cls.ad_user]: tasks.run_command_as_user(cls.smbserver, user, ['stat', '.'])
def test_establish_external_trust_with_shared_secret(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.configure_windows_dns_for_trust(self.ad, self.master) # create windows side of trust using netdom.exe utility self.ad.run_command( ['netdom.exe', 'trust', self.master.domain.name, '/d:' + self.ad.domain.name, '/passwordt:' + self.shared_secret, '/add', '/oneside:TRUSTED']) # create ipa side of trust tasks.establish_trust_with_ad( self.master, self.ad_domain, shared_secret=self.shared_secret, extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
def install(cls, mh): super(TestSSSDAuthCache, cls).install(mh) cls.ad = cls.ads[0] # pylint: disable=no-member tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def install(cls, mh): super(TestSSSDWithAdTrust, cls).install(mh) cls.ad = cls.ads[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) cls.users['ad']['group'] = cls.users['ad']['group_tmpl'].format( domain=cls.ad.domain.name) tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def test_establish_nonexternal_treedomain_trust(self): tasks.configure_dns_for_trust(self.master, self.ad, self.tree_ad) try: tasks.kinit_admin(self.master) result = self.master.run_command([ 'ipa', 'trust-add', '--type', 'ad', self.ad_treedomain, '--admin', 'Administrator@' + self.ad_treedomain, '--password', '--range-type', 'ipa-ad-trust' ], stdin_text=self.master.config.ad_admin_password, raiseonerr=False) assert result != 0 assert ("Domain '{0}' is not a root domain".format( self.ad_treedomain) in result.stderr_text) finally: tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)
def install(cls, mh): super(TestSSSDWithAdTrust, cls).install(mh) cls.ad = cls.ads[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name) cls.users['ad']['name'] = cls.users['ad']['name_tmpl'].format( domain=cls.ad.domain.name) # Regression tests for cached_auth_timeout option # https://bugzilla.redhat.com/show_bug.cgi?id=1685581 tasks.user_add(cls.master, cls.intermed_user) tasks.create_active_user(cls.master, cls.ipa_user, cls.ipa_user_password)
def install(cls, mh): super(TestWinsyncMigrate, cls).install(mh) cls.ad = cls.ads[0] # pylint: disable=no-member cls.trust_test_user = '******' % (cls.ad_user, cls.ad.domain.name) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.install_adtrust(cls.master) cls.create_test_objects() establish_winsync_agreement(cls.master, cls.ad) tasks.kinit_admin(cls.master) cls.setup_user_memberships(cls.ad_user) # store user uid and gid result = cls.master.run_command(['getent', 'passwd', cls.ad_user]) testuser_regex = (r"^{0}:\*:(\d+):(\d+):{0}:/home/{0}:/bin/sh$".format( cls.ad_user)) m = re.match(testuser_regex, result.stdout_text) cls.test_user_uid, cls.test_user_gid = m.groups()
def test_subordinate_suffix(self): """Test subordinate UPN Suffixes""" tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) # Clear all UPN Suffixes ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null" self.ad.run_command(["powershell", "-c", ps_cmd]) result = self.master.run_command(["ipa", "trust-show", self.ad_domain]) assert ( "ipantadditionalsuffixes: {}".format(self.upn_suffix) not in result.stdout_text ) # Run Get-ADForest ps_cmd1 = "Get-ADForest" self.ad.run_command(["powershell", "-c", ps_cmd1]) # Add new UPN for AD ps_cmd2 = ( 'Get-ADForest | Set-ADForest -UPNSuffixes ' '@{add="new.ad.test", "upn.dom"}' ) self.ad.run_command(["powershell", "-c", ps_cmd2]) self.ad.run_command(["powershell", "-c", ps_cmd1]) self.master.run_command( ["ipa", "trust-fetch-domains", self.ad_domain], raiseonerr=False) self.master.run_command(["ipa", "trust-show", self.ad_domain]) # Set UPN for the aduser ps_cmd3 = ( 'set-aduser -UserPrincipalName ' '[email protected] -Identity Administrator' ) self.ad.run_command(["powershell", "-c", ps_cmd3]) # kinit to IPA using AD user [email protected] result = self.master.run_command( ["getent", "passwd", "*****@*****.**"] ) assert result.returncode == 0 self.master.run_command( ["kinit", "-E", "*****@*****.**"], stdin_text="Secret123", ) tasks.kdestroy_all(self.master)
def test_establish_forest_trust_with_shared_secret(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.configure_windows_dns_for_trust(self.ad, self.master) # this is a workaround for # https://bugzilla.redhat.com/show_bug.cgi?id=1711958 self.master.run_command([ 'ipa', 'dnsrecord-add', self.master.domain.name, self.srv_gc_record_name, '--srv-rec', self.srv_gc_record_value ]) # create windows side of trust using powershell bindings # to .Net functions ps_cmd = ('[System.DirectoryServices.ActiveDirectory.Forest]' '::getCurrentForest()' '.CreateLocalSideOfTrustRelationship("{}", 1, "{}")'.format( self.master.domain.name, self.shared_secret)) self.ad.run_command(['powershell', '-c', ps_cmd]) # create ipa side of trust tasks.establish_trust_with_ad(self.master, self.ad_domain, shared_secret=self.shared_secret)
def configure_dns_and_time(cls): tasks.configure_dns_for_trust(cls.master, cls.ad_domain) tasks.sync_time(cls.master, cls.ad)
def install(cls, mh): tasks.install_master(cls.master, setup_dns=True) cls.ad = cls.ads[0] tasks.install_adtrust(cls.master) tasks.configure_dns_for_trust(cls.master, cls.ad) tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
def install(cls, mh): super(TestCertsInIDOverrides, cls).install(mh) cls.ad = config.ad_domains[0].ads[0] cls.ad_domain = cls.ad.domain.name cls.aduser = "******" % cls.ad_domain master = cls.master # A setup for test_dbus_user_lookup master.run_command(['dnf', 'install', '-y', 'sssd-dbus'], raiseonerr=False) master.run_command("sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False) with tasks.remote_sssd_config(master) as sssd_config: try: sssd_config.new_service('ifp') except ServiceAlreadyExists: pass sssd_config.activate_service('ifp') master.run_command(['systemctl', 'restart', 'sssd.service']) # End of setup for test_dbus_user_lookup # AD-related stuff tasks.install_adtrust(master) tasks.sync_time(master, cls.ad) tasks.configure_dns_for_trust(master, cls.ad) tasks.establish_trust_with_ad( cls.master, cls.ad_domain, extra_args=['--range-type', 'ipa-ad-trust']) cls.reqdir = os.path.join(master.config.test_dir, "certs") cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr") cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr") cls.pwname = os.path.join(cls.reqdir, "pwd") # Create a NSS database folder master.run_command(['mkdir', cls.reqdir], raiseonerr=False) # Create an empty password file master.run_command(["touch", cls.pwname], raiseonerr=False) # Initialize NSS database tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir) # Now generate self-signed certs for a windows user stdin_text = string.digits + string.ascii_letters[2:] + '\n' tasks.run_certutil(master, [ '-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert1, '-n', cls.adcert1, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234' ], cls.reqdir, stdin=stdin_text) tasks.run_certutil(master, [ '-S', '-s', "cn=%s,dc=ad,dc=test" % cls.adcert2, '-n', cls.adcert2, '-x', '-t', 'CT,C,C', '-v', '120', '-m', '1234' ], cls.reqdir, stdin=stdin_text) # Export the previously generated cert res = tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a'], cls.reqdir) master.put_file_contents( os.path.join(master.config.test_dir, cls.adcert1_file), res.stdout_text) res = tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a'], cls.reqdir) master.put_file_contents( os.path.join(master.config.test_dir, cls.adcert2_file), res.stdout_text) cls.cert1_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert1_file).stdout_text cls.cert2_base64 = cls.master.run_command( "openssl x509 -outform der -in %s | base64 -w 0" % cls.adcert2_file).stdout_text cls.cert1_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert1_file).stdout_text cls.cert2_pem = cls.master.run_command( "openssl x509 -in %s -outform pem" % cls.adcert2_file).stdout_text
def test_establish_nonposix_trust(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust'])
def test_establish_external_rootdomain_trust(self): tasks.configure_dns_for_trust(self.master, self.ad) tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
def configure_dns_and_time(self, ad_host): tasks.configure_dns_for_trust(self.master, ad_host) tasks.sync_time(self.master, ad_host)
def configure_dns_and_time(self, ad_host): tasks.configure_dns_for_trust(self.master, ad_host) tasks.sync_time(self.master, ad_host)
def test_server_option_with_unreachable_ad(self): """ Check trust can be established with partially unreachable AD topology The SRV records for AD services can point to hosts unreachable for ipa master. In this case we must be able to establish trust and fetch domains list by using "--server" option. This is the regression test for https://pagure.io/freeipa/issue/7895. """ # To simulate Windows Server advertising unreachable hosts in SRV # records we create specially crafted zone file for BIND DNS server tasks.backup_file(self.master, paths.NAMED_CONF) ad_zone = textwrap.dedent(''' $ORIGIN {ad_dom}. $TTL 86400 @ IN A {ad_ip} IN NS {ad_host}. IN SOA {ad_host}. hostmaster.{ad_dom}. 39 900 600 86400 3600 _msdcs IN NS {ad_host}. _gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 unreachable.{ad_dom}. _ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 unreachable.{ad_dom}. _gc._tcp IN SRV 0 100 3268 unreachable.{ad_dom}. _kerberos._tcp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._tcp IN SRV 0 100 464 unreachable.{ad_dom}. _ldap._tcp IN SRV 0 100 389 unreachable.{ad_dom}. _kerberos._udp IN SRV 0 100 88 unreachable.{ad_dom}. _kpasswd._udp IN SRV 0 100 464 unreachable.{ad_dom}. {ad_short} IN A {ad_ip} unreachable IN A {unreachable} DomainDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.DomainDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. ForestDnsZones IN A {ad_ip} _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. _ldap._tcp.ForestDnsZones IN SRV 0 100 389 unreachable.{ad_dom}. '''.format( # noqa: E501 ad_ip=self.ad.ip, unreachable='192.168.254.254', ad_host=self.ad.hostname, ad_dom=self.ad.domain.name, ad_short=self.ad.shortname)) ad_zone_file = tasks.create_temp_file(self.master, directory='/etc') self.master.put_file_contents(ad_zone_file, ad_zone) self.master.run_command( ['chmod', '--reference', paths.NAMED_CONF, ad_zone_file]) self.master.run_command( ['chown', '--reference', paths.NAMED_CONF, ad_zone_file]) named_conf = self.master.get_file_contents(paths.NAMED_CONF, encoding='utf-8') named_conf += textwrap.dedent(f''' zone "{self.ad.domain.name}" {{ type master; file "{ad_zone_file}"; }}; ''') self.master.put_file_contents(paths.NAMED_CONF, named_conf) tasks.restart_named(self.master) try: # Check that trust can not be established without --server option # This checks that our setup is correct result = self.master.run_command( ['ipa', 'trust-add', self.ad_domain, '--admin', 'Administrator@' + self.ad_domain, '--password'], raiseonerr=False, stdin_text=self.master.config.ad_admin_password) assert result.returncode == 1 assert 'CIFS server communication error: code "3221225653", ' \ 'message "{Device Timeout}' in result.stderr_text # Check that trust is successfully established with --server option tasks.establish_trust_with_ad( self.master, self.ad_domain, extra_args=['--server', self.ad.hostname]) # Check domains can not be fetched without --server option # This checks that our setup is correct result = self.master.run_command( ['ipa', 'trust-fetch-domains', self.ad.domain.name], raiseonerr=False) assert result.returncode == 1 assert ('Fetching domains from trusted forest failed' in result.stderr_text) # Check that domains can be fetched with --server option result = self.master.run_command( ['ipa', 'trust-fetch-domains', self.ad.domain.name, '--server', self.ad.hostname], raiseonerr=False) assert result.returncode == 1 assert ('List of trust domains successfully refreshed' in result.stdout_text) finally: tasks.restore_files(self.master) tasks.restart_named(self.master) tasks.clear_sssd_cache(self.master) self.master.run_command(['rm', '-f', ad_zone_file]) tasks.configure_dns_for_trust(self.master, self.ad) self.remove_trust(self.ad)