ipatests: add test ensuring SIDs are generated for new installs

The standard installer now configures all the items needed for SID generation. Add a new test with the following scenario: - install IPA server - create an active user - ensure the user's entry has an attribute ipantsecurityidentifier - ensure that the kerberos ticket for the user contains PAC data by using the utility ipa-print-pac Related: https://pagure.io/freeipa/issue/8995 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-10-08 17:43:15 +02:00 · 2021-10-08 17:43:15 +02:00 · 8dc064c2e3
commit 8dc064c2e3
parent ed001c97ee
1 changed files with 40 additions and 0 deletions
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@ -1602,6 +1602,46 @@ class TestIPACommandWithoutReplica(IntegrationTest):
        tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
        tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')

+    def test_sid_generation(self):
+        """
+        Test SID generation
+
+        Check that new users are created with a SID and PAC data is
+        added in their Kerberos tickets.
+        """
+        user = "pacuser"
+        passwd = "Secret123"
+
+        try:
+            # Create a nonadmin user
+            tasks.create_active_user(
+                self.master, user, passwd, first=user, last=user,
+                krb5_trace=True)
+
+            # Check SID is present in the new entry
+            base_dn = str(self.master.domain.basedn)
+            result = tasks.ldapsearch_dm(
+                self.master,
+                'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+                    user=user, base_dn=base_dn),
+                ['ipantsecurityidentifier'],
+                scope='base'
+            )
+            assert 'ipantsecurityidentifier' in result.stdout_text
+
+            # Defaults: host/... principal for service
+            # keytab in /etc/krb5.keytab
+            self.master.run_command(["kinit", '-k'])
+            result = self.master.run_command(
+                [os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"),
+                 "ticket", user],
+                stdin_text=(passwd + '\n')
+            )
+            assert "PAC_DATA" in result.stdout_text
+        finally:
+            tasks.kinit_admin(self.master)
+            self.master.run_command(['ipa', 'user-del', user])
+

 class TestIPAautomount(IntegrationTest):
    @classmethod