test_smb: test S4U2Self operation by IPA service

Kerberos service might request a ticket to itself on behalf of a user to perform protocol transition, so-called S4U2Self extension defined in [MS-SFU] specification. Processing of this request by KDC differs for in-realm and cross-realm configurations. Use SMB service to test S4U2Self performed against AD and IPA users. Fixes: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Isaac Boukris <iboukris@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-01-25 15:46:30 -06:00 · 2020-05-01 13:01:29 +03:00 · 2020-05-01 13:01:29 +03:00 · 52da0d6a28
commit 52da0d6a28
parent b5876f30d4
1 changed files with 54 additions and 16 deletions
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@ -11,8 +11,10 @@ from __future__ import absolute_import
 from functools import partial
 import textwrap
 import re
 import os
 import pytest
 from contextlib import contextmanager
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@ -77,14 +79,16 @@ class TestSMB(IntegrationTest):
    @pytest.fixture
    def enable_smb_client_dns_lookup_kdc(self):
-        smbclient = self.smbclient
+        @contextmanager
-        with tasks.FileBackup(smbclient, paths.KRB5_CONF):
+        def _enable_for(smbclient):
-            krb5_conf = smbclient.get_file_contents(
+            with tasks.FileBackup(smbclient, paths.KRB5_CONF):
-                paths.KRB5_CONF, encoding='utf-8')
+                krb5_conf = smbclient.get_file_contents(
-            krb5_conf = krb5_conf.replace(
+                    paths.KRB5_CONF, encoding='utf-8')
-                'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
+                krb5_conf = krb5_conf.replace(
-            smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
+                    'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
-            yield
+                smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
                yield
        return _enable_for
    @pytest.fixture
    def samba_share_public(self):
@ -313,14 +317,15 @@ class TestSMB(IntegrationTest):
    def test_smb_access_for_ad_user_at_ipa_client(
            self, enable_smb_client_dns_lookup_kdc):
-        samba_share = {
+        with enable_smb_client_dns_lookup_kdc(self.smbclient):
-            'name': 'homes',
+            samba_share = {
-            'server_path': '/home/{}/{}'.format(self.ad.domain.name,
+                'name': 'homes',
-                                                self.ad_user_login),
+                'server_path': '/home/{}/{}'.format(self.ad.domain.name,
-            'unc': '//{}/homes'.format(self.smbserver.hostname)
+                                                    self.ad_user_login),
-        }
+                'unc': '//{}/homes'.format(self.smbserver.hostname)
-        self.check_smb_access_at_ipa_client(
+            }
-            self.ad_user, self.ad_user_password, samba_share)
+            self.check_smb_access_at_ipa_client(
                self.ad_user, self.ad_user_password, samba_share)
    def test_smb_mount_and_access_by_different_users(self, samba_share_public):
        user1 = self.ipa_user1
@ -340,6 +345,39 @@ class TestSMB(IntegrationTest):
        finally:
            self.cleanup_mount(mount_point)
    def test_smb_service_s4u2self(
            self, enable_smb_client_dns_lookup_kdc):
        """Test S4U2Self operation by IPA service
           against both AD and IPA users
        """
        script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr
        kdestroy -A
        kinit -kt /etc/samba/samba.keytab {principal}
        klist -f
        {print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ}
        klist -f
        """)
        with enable_smb_client_dns_lookup_kdc(self.smbserver):
            principal = 'cifs/{hostname}'.format(
                hostname=self.smbserver.hostname)
            # Copy ipa-print-pac to SMB server
            # We can do so because Samba and GSSAPI libraries
            # are present there
            print_pac = self.master.get_file_contents(
                os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"))
            result = self.smbserver.run_command(['mktemp'])
            tmpname = result.stdout_text.strip()
            self.smbserver.put_file_contents(tmpname, print_pac)
            self.smbserver.run_command(['chmod', 'a+x', tmpname])
            for user in (self.ad_user, self.ipa_user1,):
                shell_script = script.format(principal=principal,
                                             user_princ=user,
                                             print_pac=tmpname)
                self.smbserver.run_command(['/bin/bash', '-s', '-e'],
                                           stdin_text=shell_script)
            self.smbserver.run_command(['rm', '-f', tmpname])
        tasks.kdestroy_all(self.smbserver)
    def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public):
        mountpoint = '/mnt/smb'
        try: