c91a1a0 ipatests: when talking to AD DCs, use FQDN credentials

4 files Authored by abbra 3 years ago, Committed by rcritten 3 years ago,
    ipatests: when talking to AD DCs, use FQDN credentials
    
    Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
    authentication. This means user name used for authentication must be
    mapped to a target realm.
    
    We have to remove trust on AD side first before removing it locally or
    otherwise MIT Kerberos might not be able to locate DCs from AD as
    removal of the trust information would cause SSSD to clear the details
    for a KDC locator plugin as well.
    
    For the test that modifies AD DNS zone on IPA side to inject unreachable
    DCs addresses, the configuration has to be reverted first, to allow
    plain 'kinit' during removal of trust to reach AD DCs directly.
    
    Fixes: https://pagure.io/freeipa/issue/8678
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    
        
file modified
+1 -1