ipatests: when talking to AD DCs, use FQDN credentials

Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means the user name used for authentication must be
mapped to a target realm.

We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.

For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Alexander Bokovoy 2021-01-24 16:02:10 +02:00 committed by Rob Crittenden
parent 642b81e99f
commit c91a1a078a
4 changed files with 17 additions and 12 deletions


@ -422,7 +422,7 @@ class TaskRunner(object):
self.require_ad_domain(args)
host = self.get_host(args.host, default=args.domain.master)
ad = self.get_host(args.ad, default=args.ad_domain.ads[0])
tasks.remove_trust_with_ad(host, ad)
tasks.remove_trust_with_ad(host, ad.domain.name, ad.name)
def configure_auth_to_local_rule(self, args):
self.require_ad_domain(args)
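Review bot: The new call on the `tasks.remove_trust_with_ad(host, ad.domain.name, ad.name)` line passes `ad.name`, while every other call site in this commit passes `ad.hostname`. The helper now hands that value to `rpcclient -k`, which authenticates with a Kerberos service ticket for the DC, and that ticket is obtained for the FQDN the commit title calls for; if `name` is the short host name here the Kerberos path will fail where the old password-based path worked. Unless `name` is known to already be the FQDN for this host object, change it to `tasks.remove_trust_with_ad(host, ad.domain.name, ad.hostname)` so all four call sites agree. The method containing this call starts outside the hunk.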


@ -702,11 +702,13 @@ def establish_trust_with_ad(master, ad_domain, ad_admin=None, extra_args=(),
time.sleep(60)
def remove_trust_with_ad(master, ad_domain):
def remove_trust_with_ad(master, ad_domain, ad_hostname):
"""
Removes trust with Active Directory. Also removes the associated ID range.
"""
remove_trust_info_from_ad(master, ad_domain, ad_hostname)
kinit_admin(master)
# Remove the trust
@ -716,14 +718,13 @@ def remove_trust_with_ad(master, ad_domain):
range_name = ad_domain.upper() + '_id_range'
master.run_command(['ipa', 'idrange-del', range_name])
remove_trust_info_from_ad(master, ad_domain)
def remove_trust_info_from_ad(master, ad_domain):
def remove_trust_info_from_ad(master, ad_domain, ad_hostname):
# Remove record about trust from AD
master.run_command(['rpcclient', ad_domain,
'-U\\Administrator%{}'.format(
master.config.ad_admin_password),
kinit_as_user(master,
'Administrator@{}'.format(ad_domain.upper()),
master.config.ad_admin_password)
master.run_command(['rpcclient', '-k', ad_hostname,
'-c', 'deletetrustdom {}'.format(master.domain.name)],
raiseonerr=False)
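Review bot: The `rpcclient -k` call that deletes the trust on the AD side still runs with `raiseonerr=False` and its result is discarded, so a failed `deletetrustdom` (expired ticket, wrong principal, DC unreachable) goes unnoticed even though the commit description says AD-side removal must succeed before the local trust and KDC locator data are torn down. Since the call now depends on the preceding `kinit_as_user`, I would at least keep the result and log it, e.g. `result = master.run_command([...], raiseonerr=False)` followed by `if result.returncode != 0: logger.warning('deletetrustdom failed: %s', result.stderr_text)`, and consider raising in `remove_trust_with_ad` where a stale AD-side trust breaks the next step. The new `ad_hostname` parameter should also be documented in the `remove_trust_with_ad` docstring in the first hunk as the DC's FQDN (required for the Kerberos service principal), together with a one-line note on why `remove_trust_info_from_ad` is now called before `kinit_admin`; that docstring currently describes only the old behaviour.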


@ -468,7 +468,8 @@ class BaseTestLegacyClient:
# Remove information about trust from AD, if domain was defined
if hasattr(cls, 'ad_domain'):
tasks.remove_trust_info_from_ad(cls.master, cls.ad_domain)
tasks.remove_trust_info_from_ad(cls.master, cls.ad_domain,
cls.ad_domain.hostname)
# Also unapply fixes on the legacy client, if defined
if hasattr(cls, 'legacy_client'):
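Review bot: After the updated `tasks.remove_trust_info_from_ad(cls.master, cls.ad_domain, cls.ad_domain.hostname)` call the master's credential cache is left holding the AD Administrator ticket that the helper acquires via `kinit_as_user`; the old code never changed the cache here. Nothing in this hunk re-acquires IPA admin credentials, so if the rest of this teardown (outside the hunk) runs `ipa` commands, they would now execute with AD credentials and fail or behave differently. `remove_trust_with_ad` handles this by calling `kinit_admin` right after the AD-side removal; the same `tasks.kinit_admin(cls.master)` after this call would keep the teardown self-contained. The enclosing class method starts and ends outside the hunk.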


@ -93,7 +93,8 @@ class BaseTestTrust(IntegrationTest):
assert expected_text in result.stdout_text
def remove_trust(self, ad):
tasks.remove_trust_with_ad(self.master, ad.domain.name)
tasks.remove_trust_with_ad(self.master,
ad.domain.name, ad.hostname)
tasks.clear_sssd_cache(self.master)
@ -955,7 +956,9 @@ class TestTrust(BaseTestTrust):
assert ('List of trust domains successfully refreshed'
in result.stdout_text)
finally:
self.remove_trust(self.ad)
tasks.restore_files(self.master)
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.restart_named(self.master)
tasks.clear_sssd_cache(self.master)
self.master.run_command(['rm', '-f', ad_zone_file])
tasks.configure_dns_for_trust(self.master, self.ad)
self.remove_trust(self.ad)
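Review bot: Moving `self.remove_trust(self.ad)` to the end of the `finally:` block makes trust removal conditional on every earlier cleanup step succeeding: if `tasks.restore_files`, `tasks.restart_named` or the new `tasks.configure_dns_for_trust(self.master, self.ad)` raises, the trust and its ID range are never removed and the following tests in this class start from a dirty state. The reordering itself is justified by the commit description (DNS must point at reachable DCs before `kinit` against AD), so keep the order but wrap the five preceding cleanup calls in an inner `try:` whose `finally:` holds `self.remove_trust(self.ad)`, so that the trust is still removed after a partial DNS restore. `tasks.clear_sssd_cache(self.master)` is also called twice on this path (once here and once inside `remove_trust` in the first hunk); that is harmless but worth a short comment saying the first call is meant to drop the cached KDC locator data before the DNS reconfiguration. The test method enclosing this `finally` starts outside the hunk.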