test_smb: test S4U2Self operation by IPA service
A Kerberos service might request a ticket to itself on behalf of a user to perform protocol transition, the so-called S4U2Self extension defined in the [MS-SFU] specification. Processing of this request by the KDC differs for in-realm and cross-realm configurations. Use the SMB service to test S4U2Self performed against AD and IPA users. Fixes: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Isaac Boukris <iboukris@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
b5876f30d4
commit
52da0d6a28
@ -11,8 +11,10 @@ from __future__ import absolute_import
|
||||
from functools import partial
|
||||
import textwrap
|
||||
import re
|
||||
import os
|
||||
|
||||
import pytest
|
||||
from contextlib import contextmanager
|
||||
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
@ -77,14 +79,16 @@ class TestSMB(IntegrationTest):
|
||||
|
||||
@pytest.fixture
|
||||
def enable_smb_client_dns_lookup_kdc(self):
|
||||
smbclient = self.smbclient
|
||||
with tasks.FileBackup(smbclient, paths.KRB5_CONF):
|
||||
krb5_conf = smbclient.get_file_contents(
|
||||
paths.KRB5_CONF, encoding='utf-8')
|
||||
krb5_conf = krb5_conf.replace(
|
||||
'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
|
||||
smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
|
||||
yield
|
||||
@contextmanager
|
||||
def _enable_for(smbclient):
|
||||
with tasks.FileBackup(smbclient, paths.KRB5_CONF):
|
||||
krb5_conf = smbclient.get_file_contents(
|
||||
paths.KRB5_CONF, encoding='utf-8')
|
||||
krb5_conf = krb5_conf.replace(
|
||||
'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
|
||||
smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
|
||||
yield
|
||||
return _enable_for
|
||||
|
||||
@pytest.fixture
|
||||
def samba_share_public(self):
|
||||
@ -313,14 +317,15 @@ class TestSMB(IntegrationTest):
|
||||
|
||||
def test_smb_access_for_ad_user_at_ipa_client(
|
||||
self, enable_smb_client_dns_lookup_kdc):
|
||||
samba_share = {
|
||||
'name': 'homes',
|
||||
'server_path': '/home/{}/{}'.format(self.ad.domain.name,
|
||||
self.ad_user_login),
|
||||
'unc': '//{}/homes'.format(self.smbserver.hostname)
|
||||
}
|
||||
self.check_smb_access_at_ipa_client(
|
||||
self.ad_user, self.ad_user_password, samba_share)
|
||||
with enable_smb_client_dns_lookup_kdc(self.smbclient):
|
||||
samba_share = {
|
||||
'name': 'homes',
|
||||
'server_path': '/home/{}/{}'.format(self.ad.domain.name,
|
||||
self.ad_user_login),
|
||||
'unc': '//{}/homes'.format(self.smbserver.hostname)
|
||||
}
|
||||
self.check_smb_access_at_ipa_client(
|
||||
self.ad_user, self.ad_user_password, samba_share)
|
||||
|
||||
def test_smb_mount_and_access_by_different_users(self, samba_share_public):
|
||||
user1 = self.ipa_user1
|
||||
@ -340,6 +345,39 @@ class TestSMB(IntegrationTest):
|
||||
finally:
|
||||
self.cleanup_mount(mount_point)
|
||||
|
||||
def test_smb_service_s4u2self(
|
||||
self, enable_smb_client_dns_lookup_kdc):
|
||||
"""Test S4U2Self operation by IPA service
|
||||
against both AD and IPA users
|
||||
"""
|
||||
script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr
|
||||
kdestroy -A
|
||||
kinit -kt /etc/samba/samba.keytab {principal}
|
||||
klist -f
|
||||
{print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ}
|
||||
klist -f
|
||||
""")
|
||||
with enable_smb_client_dns_lookup_kdc(self.smbserver):
|
||||
principal = 'cifs/{hostname}'.format(
|
||||
hostname=self.smbserver.hostname)
|
||||
# Copy ipa-print-pac to SMB server
|
||||
# We can do so because Samba and GSSAPI libraries
|
||||
# are present there
|
||||
print_pac = self.master.get_file_contents(
|
||||
os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"))
|
||||
result = self.smbserver.run_command(['mktemp'])
|
||||
tmpname = result.stdout_text.strip()
|
||||
self.smbserver.put_file_contents(tmpname, print_pac)
|
||||
self.smbserver.run_command(['chmod', 'a+x', tmpname])
|
||||
for user in (self.ad_user, self.ipa_user1,):
|
||||
shell_script = script.format(principal=principal,
|
||||
user_princ=user,
|
||||
print_pac=tmpname)
|
||||
self.smbserver.run_command(['/bin/bash', '-s', '-e'],
|
||||
stdin_text=shell_script)
|
||||
self.smbserver.run_command(['rm', '-f', tmpname])
|
||||
tasks.kdestroy_all(self.smbserver)
|
||||
|
||||
def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public):
|
||||
mountpoint = '/mnt/smb'
|
||||
try:
|
||||
|
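Review bot: The temporary copy of ipa-print-pac and the cifs/ service credentials on the SMB server are cleaned up only on the success path of `test_smb_service_s4u2self`: if `run_command(['/bin/bash', '-s', '-e'], ...)` raises on a failing script (it presumably does on a non-zero exit, as elsewhere in ipatests), the trailing `rm -f` and `tasks.kdestroy_all(self.smbserver)` lines are never reached, leaving an executable in the server's temp directory and a live service ticket cache for later tests. The preceding test in this file already uses `try:` / `finally: self.cleanup_mount(mount_point)` for the same reason, so wrap the `for user in (self.ad_user, self.ipa_user1,):` loop in `try:` and move the two cleanup calls under `finally:`, keeping that block inside the `with enable_smb_client_dns_lookup_kdc(self.smbserver):` so krb5.conf is restored afterwards. The refactored fixture's inner `_enable_for` would also benefit from a one-line docstring such as `"""Temporarily set dns_lookup_kdc = true in krb5.conf on *smbclient*; the original file is restored on exit."""`, since the fixture now returns a factory rather than performing the change itself.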