ipatests: support subordinate upn suffixes

This test adds new UPN Suffix on the AD side within the ad.test subtree i.e new.ad.test and this UPN is then assigned to aduser and then try to kinit using aduser along with the UPN set, to ensure that the kinit succeeds Signed-off-by: Sudhir Menon <sumenon@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-11-11 14:55:32 +05:30 · 2020-11-11 14:55:32 +05:30 · 442038c41a
commit 442038c41a
parent 9e0084ba98
1 changed files with 45 additions and 0 deletions
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@ -245,6 +245,51 @@ class TestTrust(BaseTestTrust):
        self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
                                stdin_text=self.upn_password)

+    def test_subordinate_suffix(self):
+        """Test subordinate UPN Suffixes"""
+        tasks.configure_dns_for_trust(self.master, self.ad)
+        tasks.establish_trust_with_ad(
+            self.master, self.ad_domain,
+            extra_args=['--range-type', 'ipa-ad-trust'])
+        # Clear all UPN Suffixes
+        ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+        self.ad.run_command(["powershell", "-c", ps_cmd])
+        result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+        assert (
+            "ipantadditionalsuffixes: {}".format(self.upn_suffix)
+            not in result.stdout_text
+        )
+        # Run Get-ADForest
+        ps_cmd1 = "Get-ADForest"
+        self.ad.run_command(["powershell", "-c", ps_cmd1])
+        # Add new UPN for AD
+        ps_cmd2 = (
+            'Get-ADForest | Set-ADForest -UPNSuffixes '
+            '@{add="new.ad.test", "upn.dom"}'
+        )
+        self.ad.run_command(["powershell", "-c", ps_cmd2])
+        self.ad.run_command(["powershell", "-c", ps_cmd1])
+        self.master.run_command(
+            ["ipa", "trust-fetch-domains", self.ad_domain],
+            raiseonerr=False)
+        self.master.run_command(["ipa", "trust-show", self.ad_domain])
+        # Set UPN for the aduser
+        ps_cmd3 = (
+            'set-aduser -UserPrincipalName '
+            'Administrator@new.ad.test -Identity Administrator'
+        )
+        self.ad.run_command(["powershell", "-c", ps_cmd3])
+        # kinit to IPA using AD user Administrator@new.ad.test
+        result = self.master.run_command(
+            ["getent", "passwd", "Administrator@new.ad.test"]
+        )
+        assert result.returncode == 0
+        self.master.run_command(
+            ["kinit", "-E", "Administrator@new.ad.test"],
+            stdin_text="Secret123",
+        )
+        tasks.kdestroy_all(self.master)
+
    def test_remove_nonposix_trust(self):
        self.remove_trust(self.ad)
        tasks.unconfigure_dns_for_trust(self.master, self.ad)