From c91a1a078aea9996d30854ede1ce266f74a6176f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sun, 24 Jan 2021 16:02:10 +0200
Subject: [PATCH] ipatests: when talking to AD DCs, use FQDN credentials

Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos authentication. This means user name used for authentication must be mapped to a target realm. We have to remove trust on AD side first before removing it locally or otherwise MIT Kerberos might not be able to locate DCs from AD as removal of the trust information would cause SSSD to clear the details for a KDC locator plugin as well. For the test that modifies AD DNS zone on IPA side to inject unreachable DCs addresses, the configuration has to be reverted first, to allow plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 ipatests/ipa-test-task | 2 +-
 ipatests/pytest_ipa/integration/tasks.py | 15 ++++++++-------
 ipatests/test_integration/test_legacy_clients.py | 3 ++-
 ipatests/test_integration/test_trust.py | 9 ++++++---
 4 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/ipatests/ipa-test-task b/ipatests/ipa-test-task
index 1f0d3ea7e..6d1658837 100755
--- a/ipatests/ipa-test-task
+++ b/ipatests/ipa-test-task
@@ -422,7 +422,7 @@ class TaskRunner(object):
         self.require_ad_domain(args)
         host = self.get_host(args.host, default=args.domain.master)
         ad = self.get_host(args.ad, default=args.ad_domain.ads[0])
-        tasks.remove_trust_with_ad(host, ad)
+        tasks.remove_trust_with_ad(host, ad.domain.name, ad.name)
 
     def configure_auth_to_local_rule(self, args):
         self.require_ad_domain(args)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 92a4f7dcd..70ec1a3ec 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
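Review bot: The CLI path passes `ad.name` as the new `ad_hostname` argument, while the `test_trust.py` hunk in this same commit passes `ad.hostname`; since the callee now hands this value to `rpcclient -k`, which needs a name Kerberos can map to a service principal on the DC, the two call sites should agree on the attribute. If `hostname` is the fully qualified name on the host object (the subject line "use FQDN credentials" suggests that is the intent), the line should read `tasks.remove_trust_with_ad(host, ad.domain.name, ad.hostname)`; if `name` is a distinct attribute that also holds the FQDN, a short comment saying so would stop the next reader from asking the same question. The enclosing method begins outside the hunk.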
@@ -702,11 +702,13 @@ def establish_trust_with_ad(master, ad_domain, ad_admin=None, extra_args=(),
         time.sleep(60)
 
 
-def remove_trust_with_ad(master, ad_domain):
+def remove_trust_with_ad(master, ad_domain, ad_hostname):
     """
     Removes trust with Active Directory. Also removes the associated ID range.
     """
 
+    remove_trust_info_from_ad(master, ad_domain, ad_hostname)
+
     kinit_admin(master)
 
     # Remove the trust
@@ -716,14 +718,13 @@ def remove_trust_with_ad(master, ad_domain):
     range_name = ad_domain.upper() + '_id_range'
     master.run_command(['ipa', 'idrange-del', range_name])
 
-    remove_trust_info_from_ad(master, ad_domain)
-
 
-def remove_trust_info_from_ad(master, ad_domain):
+def remove_trust_info_from_ad(master, ad_domain, ad_hostname):
     # Remove record about trust from AD
-    master.run_command(['rpcclient', ad_domain,
-                        '-U\\Administrator%{}'.format(
-                            master.config.ad_admin_password),
+    kinit_as_user(master,
+                  'Administrator@{}'.format(ad_domain.upper()),
+                  master.config.ad_admin_password)
+    master.run_command(['rpcclient', '-k', ad_hostname,
                         '-c', 'deletetrustdom {}'.format(master.domain.name)],
                        raiseonerr=False)
 
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index cc0068243..553256a16 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -468,7 +468,8 @@ class BaseTestLegacyClient:
 
         # Remove information about trust from AD, if domain was defined
         if hasattr(cls, 'ad_domain'):
-            tasks.remove_trust_info_from_ad(cls.master, cls.ad_domain)
+            tasks.remove_trust_info_from_ad(cls.master, cls.ad_domain,
+                                            cls.ad_domain.hostname)
 
         # Also unapply fixes on the legacy client, if defined
         if hasattr(cls, 'legacy_client'):
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 992639132..9935c4a65 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
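Review bot: The docstring of `remove_trust_with_ad` is not updated for the new `ad_hostname` parameter nor for the reordering that now contacts AD before the local `ipa trust-del`; the commit message carries the reason (once the local trust is gone, SSSD stops providing KDC locator data for the AD realm), and that rationale belongs next to the code rather than only in git history. Suggest adding to the docstring `ad_hostname: AD DC host name handed to rpcclient -k; Kerberos must be able to resolve it` and a sentence such as `The AD-side trust record is removed first, while SSSD can still locate the AD KDCs; removing the local trust first would leave rpcclient unable to reach AD.` With this order, if `kinit_as_user` raises when authentication to AD fails, the function returns before `trust-del` and `idrange-del` run and the local trust stays in place; that appears intended, but stating it in the docstring would save a maintainer from "fixing" it later. The function body continues past the hunk.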
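Review bot: Taking the AD Administrator password out of rpcclient's argument vector (where it was visible to any local process listing) and into a Kerberos ticket is an improvement, but the new `kinit_as_user` call leaves a TGT for `Administrator@<AD REALM>` in the master's default credential cache, and `remove_trust_info_from_ad` is now also called on its own from `test_legacy_clients.py` with no `kinit_admin` afterwards to replace it; whatever runs next on that host with the default cache acts as the AD administrator rather than the IPA admin. Destroying that ticket at the end of the function, e.g. `master.run_command(['kdestroy', '-A'], raiseonerr=False)`, or obtaining it into a dedicated cache, would bound the credential's lifetime to the one command that needs it. Separately, `raiseonerr=False` still swallows a failed `deletetrustdom`, and with `-k` that now also covers Kerberos and name-resolution failures against `ad_hostname`; capturing the result and logging its return code and stderr when non-zero would make a stale trust object on the AD side visible instead of silent.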
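Review bot: `cls.ad_domain` is used here both as the `ad_domain` argument, which the tasks.py side of this commit treats as a string (`ad_domain.upper()`), and as an object with a `.hostname` attribute; a `str` has no `hostname` and a host object has no `upper()`, so unless `cls.ad_domain` is a wrapper exposing both, this call raises `AttributeError` during class teardown, and because it runs before the legacy-client cleanup below, that cleanup is skipped too. The other call sites in this commit pass the pieces separately (`ad.domain.name, ad.hostname`); the fix here depends on how the class stores the AD host, which is not visible in this hunk, so pass that host's `.hostname` as the third argument and keep the domain string as the second, verifying against the class setup. The enclosing method starts outside the hunk.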
@@ -93,7 +93,8 @@ class BaseTestTrust(IntegrationTest):
         assert expected_text in result.stdout_text
 
     def remove_trust(self, ad):
-        tasks.remove_trust_with_ad(self.master, ad.domain.name)
+        tasks.remove_trust_with_ad(self.master,
+                                   ad.domain.name, ad.hostname)
         tasks.clear_sssd_cache(self.master)
 
 
@@ -955,7 +956,9 @@ class TestTrust(BaseTestTrust):
             assert ('List of trust domains successfully refreshed'
                     in result.stdout_text)
         finally:
-            self.remove_trust(self.ad)
             tasks.restore_files(self.master)
-            self.master.run_command(['rm', '-f', ad_zone_file])
             tasks.restart_named(self.master)
+            tasks.clear_sssd_cache(self.master)
+            self.master.run_command(['rm', '-f', ad_zone_file])
+            tasks.configure_dns_for_trust(self.master, self.ad)
+            self.remove_trust(self.ad)
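Review bot: The five cleanup steps in this `finally` block run sequentially with no isolation, and `self.remove_trust(self.ad)` is now the last of them; if `tasks.restart_named` or `tasks.configure_dns_for_trust` raises, the trust is never removed on either side and every later test in the class inherits a half-torn-down trust, which is the state the reordering is meant to avoid. The order itself is right given the commit message (DNS has to point back at the real AD DCs before the AD side can be reached), so keep it but nest the DNS restoration in its own `try`/`finally` whose `finally` performs the trust removal, so removal is always attempted and a DNS-restore failure still surfaces afterwards. The enclosing test method and its outer `try` start outside the hunk.
```python
        finally:
            try:
                tasks.restore_files(self.master)
                tasks.restart_named(self.master)
                tasks.clear_sssd_cache(self.master)
                self.master.run_command(['rm', '-f', ad_zone_file])
                tasks.configure_dns_for_trust(self.master, self.ad)
            finally:
                # attempted even if restoring DNS failed, so no stale trust
                # survives into the next test
                self.remove_trust(self.ad)
```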