On Mon, 14 Oct 2013, Tomas Babej wrote:
+def estabilish_trust_with_ad(master, ad, extra_args=[]):
+    """
+    Estabilishes trust with Active Directory. Trust type is detected depending
+    on the presence of SfU (Services for Unix) support on the AD.
+    Use extra arguments to pass extra arguments to the trust-add command, such
+    as --range-type="ipa-ad-trust" to enfroce a particular range type.
+    """
+    # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
+    master.run_command(['kinit', '-kt', '/etc/httpd/conf/ipa.keytab',
+                        'HTTP/%s' % master.hostname])
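
Review bot: The function name on the def line is misspelled (estabilish_trust_with_ad), and once other tests call it the typo becomes part of the helper API; rename it to establish_trust_with_ad and fix "Estabilishes" and "enfroce" in the docstring in the same pass. The extra_args=[] default is a shared mutable list; it is only read in the visible code, but extra_args=None with a fallback to an empty list avoids surprises if the body ever appends to it.
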
It would be good to actually run 'kdestroy -A' before 'kinit' so that we
don't have any leftovers.

+    master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
+    kinit_admin(master)
Same here.

+    master.run_command(['klist'])
+    master.run_command(['smbcontrol', 'all', 'debug', '100'])
+    assert util.run_repeatedly(master,
+                               ['ipa', 'trust-add',
+                               '--type', 'ad', ad.domain.name,
+                               '--admin', 'Administrator',
+                               '--password'] + extra_args,
+                               stdin_text=master.config.ad_admin_password)
+    master.run_command(['smbcontrol', 'all', 'debug', '1'])
+    clear_sssd_cache(master)
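
Review bot: If the assert on util.run_repeatedly fails, the smbcontrol debug level stays at 100, because the reset on the following line is never reached and clear_sssd_cache(master) is skipped as well. Wrapping the trust-add call in try/finally, with the reset of the debug level in the finally block, keeps a failed run from leaving the master at verbose logging for later tests. Resetting to '1' also assumes that was the level before the call; a comment stating that assumption would help.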

The rest looks fine, although it could be nice to have a generic
description of what is expected from the AD setup -- there is an assumption of
POSIX attributes being enabled in one of the tests, which is definitely not a
default configuration. I'm here after reproducible configurations using
a different test lab (like running an Azure or EC2 cloud).

I'm still not able to reproduce the issue with missing MS-PAC in admin's
ticket when running 'ipa trust-add' in the test, though...

/ Alexander Bokovoy
