URL: https://github.com/SSSD/sssd/pull/5951 Author: sidecontrol Title: #5951: Adding pytes multiforest tests Action: opened
PR body: """ - admultidomain requires a minimum of four servers but will be extended to five. - test_multiforest will test authentication from two different forests Signed-off-by: Dan Lavu <dl...@redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5951/head:pr5951 git checkout pr5951
From fe4b08dbc8ba9f662f15c83c53ab48c16518666c Mon Sep 17 00:00:00 2001 From: Dan Lavu <dl...@redhat.com> Date: Sat, 15 Jan 2022 03:39:21 -0500 Subject: [PATCH] Adding pytes multiforest tests - admultidomain requires a minimum of four servers but will be extended to five. - test_multiforest will test authentication from two different forests Signed-off-by: Dan Lavu <dl...@redhat.com> --- src/tests/multihost/admultidomain/conftest.py | 7 +- src/tests/multihost/admultidomain/pytest.ini | 1 + src/tests/multihost/admultidomain/readme.rst | 2 +- .../admultidomain/test_multidomain.py | 77 +++++---- .../admultidomain/test_multiforest.py | 152 ++++++++++++++++++ 5 files changed, 193 insertions(+), 46 deletions(-) create mode 100644 src/tests/multihost/admultidomain/test_multiforest.py diff --git a/src/tests/multihost/admultidomain/conftest.py b/src/tests/multihost/admultidomain/conftest.py index 1078997f06..c969760508 100644 --- a/src/tests/multihost/admultidomain/conftest.py +++ b/src/tests/multihost/admultidomain/conftest.py @@ -1,14 +1,8 @@ """ Common AD Fixtures """ from __future__ import print_function -import random import subprocess -import time import pytest -import ldap -import os -import posixpath -import pathlib # pylint: disable=unused-import from sssd.testlib.common.paths import SSSD_DEFAULT_CONF, NSSWITCH_DEFAULT_CONF from sssd.testlib.common.qe_class import session_multihost @@ -17,6 +11,7 @@ from sssd.testlib.common.utils import ADOperations from sssd.testlib.common.exceptions import LdapException from sssd.testlib.common.samba import sambaTools +from sssd.testlib.common.paths import SSSD_DEFAULT_CONF from sssd.testlib.common.utils import sssdTools diff --git a/src/tests/multihost/admultidomain/pytest.ini b/src/tests/multihost/admultidomain/pytest.ini index 704a0b1400..6eb7571a85 100644 --- a/src/tests/multihost/admultidomain/pytest.ini +++ b/src/tests/multihost/admultidomain/pytest.ini 
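Review bot: The second conftest.py hunk adds `from sssd.testlib.common.paths import SSSD_DEFAULT_CONF`, but the unchanged import three lines above it already brings in `SSSD_DEFAULT_CONF, NSSWITCH_DEFAULT_CONF` from the same module, so the new line is a duplicate and can be dropped. The first hunk removes `random`, `time`, `ldap`, `os`, `posixpath` and `pathlib`. The rest of conftest.py is outside the hunk, so a linter run should confirm that no fixture further down still uses one of them.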
@@ -1,6 +1,7 @@ [pytest] markers = admultidomain: Multidomain tests with multiple domains + admultiforest: Multiforest tests with two forests tier1: All tier1 test cases tier2: All tier2 test cases tier3: All tier3 test cases diff --git a/src/tests/multihost/admultidomain/readme.rst b/src/tests/multihost/admultidomain/readme.rst index 819f52b13c..96f4099514 100644 --- a/src/tests/multihost/admultidomain/readme.rst +++ b/src/tests/multihost/admultidomain/readme.rst @@ -2,7 +2,7 @@ AD Multidomain Provider Test Suite ====================== This directory contains automation for SSSD AD Provider -Multi-domain tests. +Multi-domain and multi-forest tests. Fixtures ======== diff --git a/src/tests/multihost/admultidomain/test_multidomain.py b/src/tests/multihost/admultidomain/test_multidomain.py index 5abe576dc6..b267b05ca7 100644 --- a/src/tests/multihost/admultidomain/test_multidomain.py +++ b/src/tests/multihost/admultidomain/test_multidomain.py @@ -1,12 +1,5 @@ -""" AD-Provider AD Parameters tests ported from bash - -:requirement: ad_parameters -:casecomponent: sssd -:subsystemteam: sst_idm_sssd -:upstream: yes -""" -import tempfile import pytest +import random from sssd.testlib.common.utils import sssdTools from sssd.testlib.common.utils import SSSDException @@ -18,10 +11,11 @@ def change_client_hostname(session_multihost, request): """ Change client hostname to a truncated version in the AD domain""" cmd = session_multihost.client[0].run_command( 'hostname', raiseonerr=False) - old_hostname = cmd.stdout_text.rstrip() ad_domain = session_multihost.ad[0].domainname + old_hostname = cmd.stdout_text.rstrip() + hostname = f'client{random.randint(1,99)}.{ad_domain}' session_multihost.client[0].run_command( - f'hostname client.{ad_domain}', raiseonerr=False) + f'hostname {hostname}', raiseonerr=False) def restore(): """ Restore hostname """ 
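Review bot: The module docstring of test_multidomain.py is removed outright, taking the `:requirement:`, `:casecomponent:`, `:subsystemteam:` and `:upstream:` fields with it, and nothing replaces it. The old summary described AD parameter tests and so looked copied from another suite, but a corrected docstring would serve better than none: a one-line summary such as `""" AD multidomain tests """`, followed by the same fields with the requirement value that applies to this suite. The new test_multiforest.py is also added without a module docstring.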
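Review bot: `hostname = f'client{random.randint(1,99)}.{ad_domain}'` gives the client a different name on every run, but the chosen name is never logged, and the `hostname` call keeps `raiseonerr=False`, so a failed rename goes unnoticed. With only 99 possible values, a later run can also pick a name whose computer account an earlier run left in AD, which would presumably make the join behave differently from a clean run. I would log the generated name and check the command result, for example `assert cmd.returncode == 0` on the rename. The fixture body continues past the end of this hunk.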
@@ -54,16 +48,17 @@ def test_0001_bz2013297(multihost, adchildjoin): 3. Change ad_enabled_domains parameter 4. Lookup user from child domain 5. Lookup user from parent domain - :expectedresults: + :expected results: 1. Parent user is found 2. Child user is found 3. Parent user is not found 4. Child user is found - :customerscenario: True + :customer scenario: True """ adchildjoin(membersw='adcli') ad_domain = multihost.ad[0].domainname - ad_child_domain = multihost.ad[1].domainname + child_domain = multihost.ad[1].domainname + ad_server = multihost.ad[1].hostname # Configure sssd multihost.client[0].service_sssd('stop') @@ -71,22 +66,23 @@ def test_0001_bz2013297(multihost, adchildjoin): client.backup_sssd_conf() dom_section = f'domain/{client.get_domain_section_name()}' sssd_params = { - 'ad_domain': ad_child_domain, + 'ad_domain': child_domain, 'debug_level': '9', 'use_fully_qualified_names': 'True', + 'ad_server': ad_server, 'cache_credentials': 'True', } client.sssd_conf(dom_section, sssd_params) client.clear_sssd_cache() # Search for the user in root domain - parent_cmd = multihost.client[0].run_command( + getent_root_user1 = multihost.client[0].run_command( f'getent passwd user1@{ad_domain}', raiseonerr=False ) # Search for the user in child domain - child_cmd = multihost.client[0].run_command( - f'getent passwd child_user1@{ad_child_domain}', + getent_child_user1 = multihost.client[0].run_command( + f'getent passwd child_user1@{child_domain}', raiseonerr=False ) 
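Review bot: The docstring fields renamed in `test_0001_bz2013297`, `:expectedresults:` to `:expected results:` and `:customerscenario:` to `:customer scenario:`, no longer match the single-token style of the neighbouring fields (`:title:`, `:id:`, `:setup:`, `:steps:`). If these docstrings are read by a test-case metadata importer, which the field layout suggests, a name containing a space will probably not be recognised, and the expected results would then silently drop out of the imported case. I would keep `:expectedresults:` and `:customerscenario: True`. The same rename appears in `test_0002_bz2018432` and in the docstring of the new `test_0001_multiforest`.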
@@ -94,28 +90,29 @@ def test_0001_bz2013297(multihost, adchildjoin): client.clear_sssd_cache() # Evaluate test results - assert parent_cmd.returncode == 0 - assert child_cmd.returncode == 0 + assert getent_root_user1.returncode == 0 + assert getent_child_user1.returncode == 0 dom_section = f'domain/{client.get_domain_section_name()}' sssd_params = { - 'ad_domain': ad_child_domain, + 'ad_domain': child_domain, 'debug_level': '9', 'use_fully_qualified_names': 'True', 'cache_credentials': 'True', - 'ad_enabled_domains': ad_child_domain + 'ad_server': ad_server, + 'ad_enabled_domains': child_domain } client.sssd_conf(dom_section, sssd_params) client.clear_sssd_cache() # Search for the user in root domain - parent_cmd = multihost.client[0].run_command( + getent_root_user2 = multihost.client[0].run_command( f'getent passwd user1@{ad_domain}', raiseonerr=False ) # Search for the user in child domain - child_cmd = multihost.client[0].run_command( - f'getent passwd child_user1@{ad_child_domain}', + getent_child_user2 = multihost.client[0].run_command( + f'getent passwd child_user1@{child_domain}', raiseonerr=False ) 
@@ -123,29 +120,27 @@ def test_0001_bz2013297(multihost, adchildjoin): client.clear_sssd_cache() # Evaluate test results - assert parent_cmd.returncode == 2 - assert child_cmd.returncode == 0 + assert getent_root_user2.returncode == 2 + assert getent_child_user2.returncode == 0 @staticmethod def test_0002_bz2018432(multihost, adjoin): """ :title: IDM-SSSD-TC: ad_provider: forests: based SSSD adds more AD - domains than it should based on the configuration file + domains than it should be based on the configuration file :id: :setup: 1. Configure several domains, this suite contains 4 trusted domains 2. Join client to parent domain :steps: 1. Perform sssctl domain-list - :expectedresults: + :expected results: 1. Only trusted domains listed - :customerscenario: True + :customer scenario: True """ adjoin(membersw='adcli') ad_domain = multihost.ad[0].domainname - ad_child_domain = multihost.ad[1].domainname - ad_child1_domain = multihost.ad[2].domainname - ad_tree_domain = multihost.ad[3].domainname + ad_server = multihost.ad[0].hostname # Configure sssd multihost.client[0].service_sssd('stop') 
@@ -156,19 +151,23 @@ def test_0002_bz2018432(multihost, adjoin): 'ad_domain': ad_domain, 'debug_level': '9', 'use_fully_qualified_names': 'True', + 'ad_server': ad_server, 'cache_credentials': 'True' } client.sssd_conf(dom_section, sssd_params) client.clear_sssd_cache() # List domains + # The lists have to be manipulated, the DC in the other forest + # needs to be removed as well as implicit_files from the output domain_list_cmd = multihost.client[0].run_command( 'sssctl domain-list', raiseonerr=False) - ad_count = len(multihost.ad) + domain_list = domain_list_cmd.stdout_text.split('\n') + domain_list.remove("implicit_files") + domain_list = domain_list[:-1] + multihost_list = multihost.ad + multihost_list = multihost_list[:-1] - assert str(ad_domain) \ - and str(ad_child_domain) \ - and str(ad_child1_domain) \ - and str(ad_tree_domain) \ - in domain_list_cmd.stdout_text + for x in multihost_list: + assert x.domainname in domain_list - assert (len(domain_list_cmd.stdout_text.split('\n'))-1) == ad_count + assert len(domain_list) == len(multihost_list) diff --git a/src/tests/multihost/admultidomain/test_multiforest.py b/src/tests/multihost/admultidomain/test_multiforest.py new file mode 100644 index 0000000000..9a5de8cd60 --- /dev/null +++ b/src/tests/multihost/admultidomain/test_multiforest.py 
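Review bot: `domain_list.remove("implicit_files")` raises `ValueError` whenever `sssctl domain-list` does not print that entry, and `domain_list[:-1]` drops whatever is last in the list, so the check depends on the exact output layout. The slice presumably removes the empty string left by the trailing newline, not a forest DC as the comment says. The command runs with `raiseonerr=False` and its return code is never asserted, so a failed `sssctl` surfaces as a confusing list error. I would assert `domain_list_cmd.returncode == 0` and filter by value, `domain_list = [d for d in domain_list_cmd.stdout_text.split() if d != 'implicit_files']`. Comparing `set(domain_list)` with the expected domain names would then report by name the extra domain this regression test is meant to catch.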
@@ -0,0 +1,152 @@
+import subprocess
+import time
+
+import pytest
+import random
+
+from sssd.testlib.common.utils import sssdTools
+from sssd.testlib.common.utils import SSSDException
+from sssd.testlib.common.utils import ADOperations
+
+
+@pytest.fixture(scope="class")
+def change_client_hostname(session_multihost, request):
+ """ Change client hostname to a truncated version in the AD domain"""
+ cmd = session_multihost.client[0].run_command(
+ 'hostname', raiseonerr=False)
+ old_hostname = cmd.stdout_text.rstrip()
+ ad_domain = session_multihost.ad[0].domainname
+ hostname = f'client{random.randint(1, 99)}.{ad_domain}'
+ session_multihost.client[0].run_command(
+ f'hostname {hostname}', raiseonerr=False)
+
+ def restore():
+ """ Restore hostname """
+ session_multihost.client[0].run_command(
+ f'hostname {old_hostname}', raiseonerr=False
+ )
+
+ request.addfinalizer(restore)
+
+
+@pytest.mark.tier1
+@pytest.mark.admultiforest
+@pytest.mark.usefixtures("change_client_hostname")
+class TestADMultiForest(object):
+
+ @staticmethod
+ def test_0001_multiforest(multihost, adjoin):
+ """
+ :title: IDM-SSSD-TC: ad_provider: admultiforest
+ :id:
+ :setup:
+ 1. Configure two domain controllers in different forests
+ 2. Join client to the first domain
+ 3. Update sssd.conf for second domain
+ 4. Update krb5.conf for second domain
+ 5. Create krb principal and update sssd.conf
+ :steps:
+ 1. Lookup user in the first domain
+ 2. Lookup user in the second domain
+ :expected results:
+ 1. User is found in the first domain
+ 2.
User is found in the second domain
+ :customer scenario: True
+ """
+ adjoin(membersw='adcli')
+ ad_domain = multihost.ad[0].domainname
+ ad_server = multihost.ad[0].hostname
+ # This must be the last AD server in the metadata file
+ ad1_domain = multihost.ad[len(multihost.ad) - 1].domainname
+ ad1_domain_upper = str.upper(ad1_domain)
+ ad1_server = multihost.ad[len(multihost.ad) - 1].hostname
+ ad1_password = multihost.ad[len(multihost.ad) - 1].ssh_password
+
+ get_keytab = f'adcli join --host-keytab=/etc/krb5.keytab-domain1 {ad1_domain}'
+ change_context = 'chcon -t krb5_keytab_t /etc/krb5.keytab-domain1'
+ backup_krb5 = 'cp -rf /etc/krb5.conf /etc/krb5.conf.bak'
+ restore_krb5 = 'mv /etc/krb5.conf.bak /etc/krb5.conf ; restorecon -Rv /etc/krb5.conf'
+ cleanup_krb5 = 'rm -rf /etc/krb5.keytab-domain1'
+ edit_krb5_conf = f'sed -i "/domain_realm/a .{ad1_domain} = {ad1_domain_upper}" /etc/krb5.conf'
+ edit1_krb5_conf = f'sed -i "/domain_realm/a {ad1_domain} = {ad1_domain_upper}" /etc/krb5.conf'
+
+ try:
+ multihost.client[0].run_command(get_keytab, stdin_text=ad1_password)
+ except subprocess.CalledProcessError:
+ pytest.fail("adcli join failed")
+ multihost.client[0].run_command(backup_krb5, raiseonerr=False)
+ multihost.client[0].run_command(edit_krb5_conf, raiseonerr=False)
+ multihost.client[0].run_command(edit1_krb5_conf, raiseonerr=False)
+ multihost.client[0].run_command(change_context, raiseonerr=False)
+
+ # Configure sssd
+ multihost.client[0].service_sssd('stop')
+ client = sssdTools(multihost.client[0], multihost.ad[0])
+ client.backup_sssd_conf()
+ client.sssd_conf("sssd", {
+ 'domains': f'{ad_domain}, {ad1_domain}'}, action='update')
+ domain_params = {
+ 'ad_domain': f'{ad_domain}',
+ 'dns_discovery_domain': f'{ad_domain}',
+ 'ad_server': f'{ad_server}',
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'True',
+ 'cache_credentials': 'True',
+ 'dyndns_update': 'True'}
+ client.sssd_conf(
+ f'domain/{ad_domain}', domain_params, action='update')
+
domain1_params = {
+ 'ad_domain': f'{ad1_domain}',
+ 'ad_server': f'{ad1_server}',
+ 'krb5_realm': f'{ad1_domain_upper}',
+ 'debug_level': '9',
+ 'use_fully_qualified_names': 'False',
+ 'cache_credentials': 'True',
+ 'realmd_tags': 'manages-system joined-with-samba',
+ 'dyndns_update': 'False',
+ 'krb5_keytab': '/etc/krb5.keytab-domain1',
+ 'ldap_krb5_keytab': '/etc/krb5.keytab-domain1',
+ 'id_provider': 'ad',
+ 'access_provider': 'ad',
+ 'timeout': '3600',
+ 'krb5_store_password_if_offline': 'True',
+ 'default_shell': '/bin/bash',
+ 'ldap_id_mapping': 'True'}
+ client.sssd_conf(
+ f'domain/{ad1_domain}', domain1_params, action='update')
+ client.clear_sssd_cache()
+ multihost.client[0].service_sssd('start')
+ time.sleep(10)
+ # Search for the user in same forest and domain
+ getent_domain_user1 = multihost.client[0].run_command(
+ f'getent passwd user1@{ad_domain}', raiseonerr=False)
+ getent_domain_user2 = multihost.client[0].run_command(
+ f'getent passwd user2@{ad_domain}', raiseonerr=False)
+ id_domain_user1 = multihost.client[0].run_command(
+ f'id user1@{ad_domain}', raiseonerr=False)
+ id_domain_user2 = multihost.client[0].run_command(
+ f'id user2@{ad_domain}', raiseonerr=False)
+ # Search for the user in a different forest and domain
+ getent_domain1_user1 = multihost.client[0].run_command(
+ f'getent passwd user1@{ad1_domain}', raiseonerr=False)
+ getent_domain1_user2 = multihost.client[0].run_command(
+ f'getent passwd user2@{ad1_domain}', raiseonerr=False)
+ id_domain1_user1 = multihost.client[0].run_command(
+ f'id user1@{ad1_domain}', raiseonerr=False)
+ id_domain1_user2 = multihost.client[0].run_command(
+ f'id user2@{ad1_domain}', raiseonerr=False)
+
+ multihost.client[0].run_command(restore_krb5, raiseonerr=False)
+ multihost.client[0].run_command(cleanup_krb5, raiseonerr=False)
+ client.restore_sssd_conf()
+ client.clear_sssd_cache()
+
+ # Evaluate test results
+ assert getent_domain_user1.returncode == 0
+ assert getent_domain_user2.returncode
== 0
+ assert id_domain_user1.returncode == 0
+ assert id_domain_user2.returncode == 0
+ assert getent_domain1_user1.returncode == 0
+ assert getent_domain1_user2.returncode == 0
+ assert id_domain1_user1.returncode == 0
+ assert id_domain1_user2.returncode == 0
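Review bot: The teardown in `test_0001_multiforest` (`restore_krb5`, `cleanup_krb5`, `client.restore_sssd_conf()`, `client.clear_sssd_cache()`) runs inline after the lookups, so it is skipped if anything raises between the second `adcli join` and that point, for instance `service_sssd('start')` failing. In that case the edited `/etc/krb5.conf` and the second-forest host keytab `/etc/krb5.keytab-domain1` stay on the client for every later test. Putting the four calls in a `finally:` block, or registering them as a finalizer the way `change_client_hostname` does with `request.addfinalizer(restore)`, makes the cleanup unconditional. Nothing in this file removes the computer account that `adcli join` creates in the second forest; unless a fixture outside the hunk does so, those accounts accumulate across runs. `change_client_hostname` is also a copy of the fixture in test_multidomain.py and could be defined once in conftest.py.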