From ca99bf2abc793d77e889c91d2a436c3de96eb36e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: May 27 2020 19:19:49 +0000 Subject: ipa-tests: add a test to make sure MS-PAC is produced by KDC When ipa-adtrust-install is used, IPA KDC will be configured to issue tickets with MS-PAC record in them for users and services that have ipaNTSecurityIdentifier (SID) attribute in the LDAP record. Test that a newly added user can kinit and obtain a ticket that has a PAC structure. Test that a service can impersonate a user and the resulting S4U2Self requested service ticket also has PAC structure. Related: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy Reviewed-By: Isaac Boukris Reviewed-By: Florence Blanc-Renaud --- diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py index 5c207a4..d2eeed2 100644 --- a/ipatests/test_integration/test_adtrust_install.py +++ b/ipatests/test_integration/test_adtrust_install.py @@ -5,6 +5,7 @@ """This module provides tests for ipa-adtrust-install utility""" import re +import os import textwrap from ipaplatform.paths import paths @@ -214,3 +215,50 @@ class TestIpaAdTrustInstall(IntegrationTest): value = (r'ipaexternalmember=%deref_r(' '"member","ipaexternalmember")') assert value in entry_list + + def test_ipa_user_pac(self): + """Test that a user can request a service ticket with PAC""" + user = 'testpacuser' + user_princ = '@'.join([user, self.master.domain.realm]) + passwd = 'Secret123' + # Create a user with a password + tasks.create_active_user(self.master, user, passwd, extra_args=[ + '--homedir', '/home/{}'.format(user)]) + try: + # Defaults: host/... principal for service + # keytab in /etc/krb5.keytab + self.master.run_command(["kinit", '-k']) + # Don't use enterprise principal here because it doesn't work + # bug in krb5: src/lib/gssapi/krb5/acquire_cred.c:scan_cache() + # where enterprise principals aren't taken into account + result = self.master.run_command( + [os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), + "ticket", user_princ], + stdin_text=(passwd + '\n'), raiseonerr=False + ) + assert "PAC_DATA" in result.stdout_text + finally: + tasks.kinit_admin(self.master) + self.master.run_command(['ipa', 'user-del', user]) + + def test_ipa_user_s4u2self_pac(self): + """Test that a service can request S4U2Self ticket with PAC""" + user = 'tests4u2selfuser' + user_princ = '@'.join([user, self.master.domain.realm]) + passwd = 'Secret123' + # Create a user with a password + tasks.create_active_user(self.master, user, passwd, extra_args=[ + '--homedir', '/home/{}'.format(user)]) + try: + # Defaults: host/... principal for service + # keytab in /etc/krb5.keytab + self.master.run_command(["kinit", '-k']) + result = self.master.run_command( + [os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"), + "-E", "impersonate", user_princ], + raiseonerr=False + ) + assert "PAC_DATA" in result.stdout_text + finally: + tasks.kinit_admin(self.master) + self.master.run_command(['ipa', 'user-del', user])