[SSSD] [sssd PR#5815][opened] Tests: pam_sss_gss.so doesn't work with large kerberos tickets

shridhargadekar Wed, 06 Oct 2021 06:15:38 -0700

   URL: https://github.com/SSSD/sssd/pull/5815
Author: shridhargadekar
 Title: #5815: Tests: pam_sss_gss.so doesn't work with large kerberos tickets
Action: opened


PR body:
"""
Verifies: #5568
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5815/head:pr5815
git checkout pr5815

From 51cd0a66a207603d70e5d754d4c1e80a62894bb3 Mon Sep 17 00:00:00 2001
From: Shridhar Gadekar <sgade...@sgadekar.pnq.csb>
Date: Wed, 6 Oct 2021 18:42:03 +0530
Subject: [PATCH] Tests: pam_sss_gss.so doesn't work with large kerberos
 tickets

Verifies: #5568
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
---
 src/tests/multihost/ipa/test_adtrust.py | 78 +++++++++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/src/tests/multihost/ipa/test_adtrust.py b/src/tests/multihost/ipa/test_adtrust.py
index 061199b466..2ca5e0fae4 100644
--- a/src/tests/multihost/ipa/test_adtrust.py
+++ b/src/tests/multihost/ipa/test_adtrust.py
@@ -104,3 +104,81 @@ def test_honour_idoverride(self, multihost, create_aduser_group):
         multihost.master[0].run_command(delete_id_view)
         ipa_client.clear_sssd_cache()
         assert count == 0
+
+
+    def test_sudo_kerberos_ticket(self, multihost, create_aduser_group):
+        """
+        :title: Verify pam_sss_gss.so can handle large kerberos ticket
+                for sudo
+        :id: 456ea53b-6702-4b8e-beb1-eee841b85fed
+        :bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
+        :steps:
+         1. Add sudo rule in IPA-server for AD-users
+         2. Modify /etc/krb5.conf.d/kcm_default_ccache to specify location
+            of storing a TGT
+         3. Enable pam_sss_gss.so for auth in /etc/pam.d/{sudo,sudo-i} files
+         4. Add a sudo rule for AD-user
+         5. Log in on ipa-client as AD-user
+         6. Run kinit and fetch tgt
+         7. Run sudo command
+         8. Remove sudo cache
+         9. Run sudo command again
+         :expectedresults:
+         1. Should succeed
+         2. Should succeed
+         3. Should succeed
+         4. Should succeed
+         5. Should succeed
+         6. Should succeed
+         7. Should not ask password, and should succeed
+         8. Should succeed
+         9. Should not ask password, and should succeed
+
+        """
+        (aduser, adgroup) = create_aduser_group
+        client = sssdTools(multihost.client[0], multihost.ad[0])
+        ipaserver = sssdTools(multihost.master[0])
+        cmd = 'dnf install -y sssd sssd-kcm'
+        multihost.client[0].run_command(cmd, raiseonerr=False)
+        domain_name = ipaserver.get_domain_section_name()
+        domain_section = 'domain/{}'.format(domain_name)
+        params = {'pam_gssapi_services': 'sudo, sudo-i'}
+        client.sssd_conf(domain_section, params)
+        krbkcm = '/etc/krb5.conf.d/kcm_default_ccache'
+        bk_krbkcm = '/tmp/kcm_default_ccache'
+        src = 'KCM:'
+        dest = 'FILE:/tmp/krb5cc_%{uid}'
+        multihost.client[0].run_command(f'cp {krbkcm} {bk_krbkcm}')
+        cmd = "echo -e  '[libdefaults]\n' \
+              '    default_ccache_name  = FILE:/tmp/krb5cc_%{uid}:'"
+        multihost.client[0].run_command(cmd, raiseonerr=False)
+        multihost.client[0].service_sssd('restart')
+        pam_sss_gss = "auth       sufficient   pam_sss_gss.so debug"
+        for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
+            cmd = f'sed -i "1 i\{pam_sss_gss}" {pam_file}'
+            multihost.client[0].run_command(cmd, raiseonerr=False)
+        cmd = f'echo "{aduser} ALL=(ALL) ALL" >> /etc/sudoers'
+        multihost.client[0].run_command(cmd, raiseonerr=False)
+        try:
+            ssh = SSHClient(multihost.client[0].sys_hostname,
+                            username=aduser, password='Secret123')
+
+        except paramiko.ssh_exception.AuthenticationException:
+            pytest.fail(f'{aduser} failed to login')
+        else:
+            (_, _, exit_status) = ssh.execute_cmd(f'kinit {aduser}',
+                                                  stdin='Secret123')
+            assert exit_status == 0
+            (stdout, _, exit_status) = ssh.execute_cmd('sudo id')
+            assert 'uid=0(root)' in stdout.readlines()
+            (stdout, _, exit_status) = ssh.execute_cmd('sudo -k')
+            (stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
+            assert '(ALL) ALL' in stdout.readlines()
+        client.sssd_conf(domain_section, params, action='delete')
+        for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
+            cmd = f'sed -i "1d" {pam_file}'
+            multihost.client[0].run_command(cmd, raiseonerr=False)
+        cmd = f'sed -i "$ d" /etc/sudoers'
+        multihost.client[0].run_command(cmd, raiseonerr=False)
+        cmd = f'mv {bk_krbkcm} {krbkcm}'
+        multihost.client[0].run_command(cmd, raiseonerr=False)

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[SSSD] [sssd PR#5815][opened] Tests: pam_sss_gss.so doesn't work with large kerberos tickets

Reply via email to