#48343 lib389 krb5 realm management
Closed: Fixed. Opened 4 years ago by firstyear.

We need to be able to test gssapi and other functions for 389. Historically we used external krb5 services, but that led to potential issues with keytab state and reliability.

This will allow us to create and destroy basic krb5 realms for testing purposes.


Thank you for the new feature implementation. I think krb5 realm management seems like a very useful thing.

About some issues with the patch:
'''1.''' I have a clean clone of the lib389 repo, and when I try to apply your patch, it fails with errors.
For example, the patch tries to insert lines here:
{{{
54 from lib389._entry import Entry
55 from lib389._replication import CSN, RUV
56 from lib389._ldifconn import LDIFConn
57 from lib389.tools import DirSrvTools

58 from lib389.mit_krb5 import MitKrb5
}}}
But the actual file is:
{{{
46 from lib389._entry import Entry
47 from lib389._ldifconn import LDIFConn
48 from lib389.tools import DirSrvTools
}}}
And it's a common thing that the line numbers don't match.

'''2.''' I installed all the required packages on my machine for the first time ever, and because of that I got this error:

{{{
def create_realm(self, ignore=False):
...
# Write to /etc/krb5.conf.d/example.com

  with open(self.krb5conf, 'w') as cfile:
        cfile.write("""

E IOError: [Errno 2] No such file or directory: '/etc/krb5.conf.d/example.com'

lib389/mit_krb5.py:73: IOError
}}}

We can fix it by adding these two lines:
{{{
def create_realm(self, ignore=False):
    ...

    if not os.path.exists(os.path.dirname(self.krb5conf)):
        os.makedirs(os.path.dirname(self.krb5conf))

    # Write to /etc/krb5.conf.d/example.com
    with open(self.krb5conf, 'w') as cfile:
        cfile.write("""

}}}

'''3.''' I run the test on a virtual machine, so I don't have much natural entropy.
When /usr/sbin/kdb5_util creates a new realm, it prints "Loading random data" and waits until enough entropy has been gathered on the machine. I think the best way is not to wait (I waited for 20 minutes or more before it went to the next step), but to generate some entropy in the daemon or in any other way you want.

lib389/mit_krb5.py:

{{{
p = Popen([self.kdb5_util, 'create', '-r', self.realm, '-s', '-P', self.krb_master_password], env=self.krb_env)
}}}

'''4.''' One more error happens, and I didn't find the source of the problem; maybe you will be luckier:

{{{
def test_gssapi(topology, add_user):
"""Check that our bind completese with ldapwhoami correctly mapped from
the principal to our test user object.
"""
# Init our local ccache

  kclient = KrbClient("test@%s" % REALM, "/tmp/test.keytab")

tests/krb5_create_test.py:85:


lib389/mit_krb5.py:186: in __init__
self.reinit()


self = <lib389.mit_krb5.KrbClient object at 0x1dd9e90>

def reinit(self):
    assert self._keytab
    assert self._principal
    self.ccache.init(self._principal)
  self.ccache.init_creds_keytab(keytab=self._keytab, principal=self._principal)

E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')

lib389/mit_krb5.py:192: Krb5Error
}}}

Replying to [comment:2 spichugi]:

> Thank you for the new feature implementation. I think krb5 realm management seems like a very useful thing.
>
> About some issues with the patch:
> '''1.''' I have a clean clone of the lib389 repo, and when I try to apply your patch, it fails with errors.
>
> And it's a common thing that the line numbers don't match.

I don't know how to fix that, I'm sorry. :(

> '''2.''' I installed all the required packages on my machine for the first time ever, and because of that I got this error:
>
> We can fix it by adding these two lines:
> {{{
> if not os.path.exists(os.path.dirname(self.krb5conf)):
>     os.makedirs(os.path.dirname(self.krb5conf))
> }}}

I have added these now, but if this directory doesn't exist then it may indicate that the version of krb5 you have installed doesn't support conf.d. Which krb5-workstation do you have installed?

> '''3.''' I run the test on a virtual machine, so I don't have much natural entropy.
> When /usr/sbin/kdb5_util creates a new realm, it prints "Loading random data" and waits until enough entropy has been gathered on the machine. I think the best way is not to wait (I waited for 20 minutes or more before it went to the next step), but to generate some entropy in the daemon or in any other way you want.
>
> lib389/mit_krb5.py:
>
> {{{
> p = Popen([self.kdb5_util, 'create', '-r', self.realm, '-s', '-P', self.krb_master_password], env=self.krb_env)
> }}}

Again, not much I can do here but suggest that you run processes, type on the keyboard, wiggle the mouse, etc. Anything that will help the kernel collect entropy. It's not a great idea to try and artificially create entropy, but for this, which is a test case, it may not be a bad thing either. The flip side is that this is for test cases, so waiting isn't a problem either. I'm open to more suggestions here.

> '''4.''' One more error happens, and I didn't find the source of the problem; maybe you will be luckier:
>
> {{{
> E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')
> }}}

Can you show me the contents of your hosts file?
Are you running this as the test (py.test tests/krb5_create_test.py)?

Rebased to latest master, and applied the directory creation change.

Replying to [comment:3 firstyear]:

> > '''2.''' I installed all the required packages on my machine for the first time ever, and because of that I got this error:
> >
> > We can fix it by adding these two lines:
> > {{{
> > if not os.path.exists(os.path.dirname(self.krb5conf)):
> >     os.makedirs(os.path.dirname(self.krb5conf))
> > }}}
>
> I have added these now, but if this directory doesn't exist then it may indicate that the version of krb5 you have installed doesn't support conf.d. Which krb5-workstation do you have installed?
'''krb5-workstation-1.13.2-10.el7.x86_64
krb5-server-1.13.2-10.el7.x86_64'''

> Again, not much I can do here but suggest that you run processes, type on the keyboard, wiggle the mouse, etc. Anything that will help the kernel collect entropy. It's not a great idea to try and artificially create entropy, but for this, which is a test case, it may not be a bad thing either. The flip side is that this is for test cases, so waiting isn't a problem either. I'm open to more suggestions here.

Sure, I think we will generate more entropy, if necessary, in the preparation phase (while setting up all the requirements on the machine).

> > '''4.''' One more error happens, and I didn't find the source of the problem; maybe you will be luckier:
> >
> > {{{
> > E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')
> > }}}
>
> Can you show me the contents of your hosts file?
> Are you running this as the test (py.test tests/krb5_create_test.py)?

Yes, I run the test through the py.test tool.

{{{
12.32.5.88 lib389-devel.test.redhat.com
127.0.0.1 localhost.localdomain localhost4 localhost4.localdomain4 localhost
::1 localhost.localdomain localhost6 localhost6.localdomain6 localhost
}}}

Oh, and one more thing. When I tested, I had an issue with an existing realm and a non-existent instance. Can you please divide this:

tests/krb5_create_test.py:
{{{
if instance.exists():
    # It's likely our realm exists too
    instance.delete()
    try:
        krb.destroy_realm()
    except:
        pass
}}}

into two different parts, like this:
{{{
if instance.exists():
    instance.delete()

if krb.check_realm():
    krb.destroy_realm()
}}}

Replying to [comment:5 spichugi]:

> Replying to [comment:3 firstyear]:
>
> > > '''2.''' I installed all the required packages on my machine for the first time ever, and because of that I got this error:
> > >
> > > We can fix it by adding these two lines:
> > > {{{
> > > if not os.path.exists(os.path.dirname(self.krb5conf)):
> > >     os.makedirs(os.path.dirname(self.krb5conf))
> > > }}}
> >
> > I have added these now, but if this directory doesn't exist then it may indicate that the version of krb5 you have installed doesn't support conf.d. Which krb5-workstation do you have installed?
>
> '''krb5-workstation-1.13.2-10.el7.x86_64
> krb5-server-1.13.2-10.el7.x86_64'''

I have a feeling that these don't support the krb5.conf.d directory ... which leads to ...

> > Again, not much I can do here but suggest that you run processes, type on the keyboard, wiggle the mouse, etc. Anything that will help the kernel collect entropy. It's not a great idea to try and artificially create entropy, but for this, which is a test case, it may not be a bad thing either. The flip side is that this is for test cases, so waiting isn't a problem either. I'm open to more suggestions here.
>
> Sure, I think we will generate more entropy, if necessary, in the preparation phase (while setting up all the requirements on the machine).

> > > '''4.''' One more error happens, and I didn't find the source of the problem; maybe you will be luckier:
> > >
> > > {{{
> > > E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')
> > > }}}
> >
> > Can you show me the contents of your hosts file?
> > Are you running this as the test (py.test tests/krb5_create_test.py)?
>
> Yes, I run the test through the py.test tool.
>
> {{{
> 12.32.5.88 lib389-devel.test.redhat.com
> 127.0.0.1 localhost.localdomain localhost4 localhost4.localdomain4 localhost
> ::1 localhost.localdomain localhost6 localhost6.localdomain6 localhost
> }}}

Why this is failing: because krb5.conf.d/<realm.com> specifies where the KDC is located. Because it can't look it up, it's having a bad day.

Either I need to append to krb5.conf, which could get messy, or we wait for krb5 to be updated in el7. I'm testing on f22 / f23 atm. Open to suggestions on best way forwards here.

Replying to [comment:6 spichugi]:

> Oh, and one more thing. When I tested, I had an issue with an existing realm and a non-existent instance. Can you please divide this:
>
> tests/krb5_create_test.py:
> {{{
> if instance.exists():
>     # It's likely our realm exists too
>     instance.delete()
>     try:
>         krb.destroy_realm()
>     except:
>         pass
> }}}
>
> into two different parts, like this:
> {{{
> if instance.exists():
>     instance.delete()
>
> if krb.check_realm():
>     krb.destroy_realm()
> }}}

I much prefer your code. I will add this to the patch.
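The "Cannot find KDC for requested realm" failure above comes down to where libkrb5 actually reads the realm's KDC setting from. The following is an added example written for this thread, not lib389 code: it writes a test realm's [realms] stanza either into the directory named by an `includedir` line in krb5.conf, under a file name MIT krb5 will accept, or appends it to krb5.conf when no such line exists (the fallback firstyear mentions), and then resolves the KDC the way libkrb5 would, so the before and after of the fix can be compared. The krb5.conf paths are created in a temporary directory and the realm and KDC host are sample values.

```python
import os
import re
import tempfile

# Added example, not lib389 code. libkrb5 reads /etc/krb5.conf.d/ only if
# krb5.conf has "includedir <dir>", and ignores included files whose names
# contain anything outside [A-Za-z0-9_-] (".conf" suffix allowed from 1.15).
INCLUDEDIR_RE = re.compile(r'^\s*includedir\s+(\S+)\s*$', re.M)
NAME_OK_RE = re.compile(r'^[A-Za-z0-9_-]+$')

def realm_stanza(realm, kdc_host):
    # [realms] block pointing REALM at the test KDC (sample values in demo()).
    return "[realms]\n %s = {\n  kdc = %s\n }\n" % (realm, kdc_host)

def install_realm_config(krb5conf, realm, kdc_host):
    # Write under an accepted name in the includedir dir, else append to krb5conf.
    with open(krb5conf) as f:
        m = INCLUDEDIR_RE.search(f.read())
    path = krb5conf
    if m:
        os.makedirs(m.group(1), exist_ok=True)
        path = os.path.join(m.group(1), re.sub(r'[^A-Za-z0-9_-]', '_', realm.lower()))
    with open(path, 'a') as f:
        f.write("\n" + realm_stanza(realm, kdc_host))
    return path

def kdc_for_realm(krb5conf, realm):
    # KDC libkrb5 would find for REALM; None = 'Cannot find KDC for requested realm'.
    with open(krb5conf) as f:
        texts = [f.read()]
    for d in filter(os.path.isdir, INCLUDEDIR_RE.findall(texts[0])):
        for name in filter(NAME_OK_RE.match, sorted(os.listdir(d))):
            with open(os.path.join(d, name)) as f:
                texts.append(f.read())
    block = re.search(r'%s\s*=\s*\{([^}]*)\}' % re.escape(realm), "\n".join(texts))
    kdc = re.search(r'^\s*kdc\s*=\s*(\S+)', block.group(1), re.M) if block else None
    return kdc.group(1) if kdc else None

def demo():
    # Constructed: krb5.conf with includedir, conf.d snippet misnamed 'example.com'.
    confd = os.path.join(tempfile.mkdtemp(), 'krb5.conf.d')
    os.makedirs(confd)
    conf = os.path.join(os.path.dirname(confd), 'krb5.conf')
    with open(conf, 'w') as f:
        f.write('includedir %s\n[libdefaults]\n default_realm = EXAMPLE.COM\n' % confd)
    with open(os.path.join(confd, 'example.com'), 'w') as f:
        f.write(realm_stanza('EXAMPLE.COM', 'localhost'))
    before = kdc_for_realm(conf, 'EXAMPLE.COM')
    written = install_realm_config(conf, 'EXAMPLE.COM', 'localhost')
    return before, os.path.basename(written), kdc_for_realm(conf, 'EXAMPLE.COM')
```

demo() returns None for the misnamed snippet, then the accepted file name and the resolved KDC once the stanza is written where libkrb5 looks.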

Replying to [comment:7 firstyear]:

> Replying to [comment:5 spichugi]:
>
> > Replying to [comment:3 firstyear]:
> >
> > > > '''2.''' I installed all the required packages on my machine for the first time ever, and because of that I got this error:
> > > >
> > > > We can fix it by adding these two lines:
> > > > {{{
> > > > if not os.path.exists(os.path.dirname(self.krb5conf)):
> > > >     os.makedirs(os.path.dirname(self.krb5conf))
> > > > }}}
> > >
> > > I have added these now, but if this directory doesn't exist then it may indicate that the version of krb5 you have installed doesn't support conf.d. Which krb5-workstation do you have installed?
> >
> > '''krb5-workstation-1.13.2-10.el7.x86_64
> > krb5-server-1.13.2-10.el7.x86_64'''
>
> I have a feeling that these don't support the krb5.conf.d directory ... which leads to ...
>
> > > Again, not much I can do here but suggest that you run processes, type on the keyboard, wiggle the mouse, etc. Anything that will help the kernel collect entropy. It's not a great idea to try and artificially create entropy, but for this, which is a test case, it may not be a bad thing either. The flip side is that this is for test cases, so waiting isn't a problem either. I'm open to more suggestions here.
> >
> > Sure, I think we will generate more entropy, if necessary, in the preparation phase (while setting up all the requirements on the machine).
>
> > > > '''4.''' One more error happens, and I didn't find the source of the problem; maybe you will be luckier:
> > > >
> > > > {{{
> > > > E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')
> > > > }}}
> > >
> > > Can you show me the contents of your hosts file?
> > > Are you running this as the test (py.test tests/krb5_create_test.py)?
> >
> > Yes, I run the test through the py.test tool.
> >
> > {{{
> > 12.32.5.88 lib389-devel.test.redhat.com
> > 127.0.0.1 localhost.localdomain localhost4 localhost4.localdomain4 localhost
> > ::1 localhost.localdomain localhost6 localhost6.localdomain6 localhost
> > }}}
>
> Why this is failing: because krb5.conf.d/<realm.com> specifies where the KDC is located. Because it can't look it up, it's having a bad day.
>
> Either I need to append to krb5.conf, which could get messy, or we wait for krb5 to be updated in el7. I'm testing on f22 / f23 atm. Open to suggestions on best way forwards here.

Use augeas to hack krb5.conf?

Replying to [comment:7 firstyear]:

> Replying to [comment:5 spichugi]:
>
> > Replying to [comment:3 firstyear]:
> >
> > > > {{{
> > > > E Krb5Error: (-1765328230, 'Cannot find KDC for requested realm')
> > > > }}}
> > >
> > > Can you show me the contents of your hosts file?
> > > Are you running this as the test (py.test tests/krb5_create_test.py)?
> >
> > Yes, I run the test through the py.test tool.
> >
> > {{{
> > 12.32.5.88 lib389-devel.test.redhat.com
> > 127.0.0.1 localhost.localdomain localhost4 localhost4.localdomain4 localhost
> > ::1 localhost.localdomain localhost6 localhost6.localdomain6 localhost
> > }}}
>
> Why this is failing: because krb5.conf.d/<realm.com> specifies where the KDC is located. Because it can't look it up, it's having a bad day.
>
> Either I need to append to krb5.conf, which could get messy, or we wait for krb5 to be updated in el7. I'm testing on f22 / f23 atm. Open to suggestions on best way forwards here.

I tried on f23 with:
'''krb5-workstation-1.13.2-13.fc23.x86_64
krb5-server-1.13.2-13.fc23.x86_64'''

And it fails with the same error. Here is the log from py.test:

{{{
INFO:tests.krb5_create_test:Create a user entry: uid=test,dc=example,dc=com
Authenticating as principal test/admin@EXAMPLE.COM with password.
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Principal "test@EXAMPLE.COM" created.
Authenticating as principal test/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/spichugi.usersys.redhat.com@EXAMPLE.COM
kiprop/spichugi.usersys.redhat.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldap/localhost.localdomain@EXAMPLE.COM
test@EXAMPLE.COM
Authenticating as principal test/admin@EXAMPLE.COM with password.
Entry for principal test@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal test@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/test.keytab.
FAILED
}}}

Did you try to execute the tests on a fully clean machine? Maybe something in your environment interferes? Or maybe I am missing some setup steps.

I think the error is in the krb5.conf. I believe I have fixed this for el7 and f23 now. Please try it again.

Everything works! Thank you, William, for such a good patch. :)

To ssh://git.fedorahosted.org/git/389/lib389.git
37af5e5..d343b74 master -> master
commit d343b747afb04cf9e4c645a2ca9793222b2ec2eb

Milestone lib389 1.0 deleted

Metadata Update from @firstyear:
- Issue assigned to firstyear

3 years ago
