From eeb70047c9849fcc59686bdd3edd2923ee1be134 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: May 27 2020 19:19:49 +0000
Subject: test_smb: test S4U2Self operation by IPA service

Kerberos service might request a ticket to itself on behalf of a user to perform protocol transition, so-called S4U2Self extension defined in [MS-SFU] specification. Processing of this request by KDC differs for in-realm and cross-realm configurations. Use SMB service to test S4U2Self performed against AD and IPA users.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy
Reviewed-By: Isaac Boukris
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index d736780..b86b383 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -11,8 +11,10 @@ from __future__ import absolute_import
 from functools import partial
 import textwrap
 import re
+import os
 
 import pytest
+from contextlib import contextmanager
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@@ -77,14 +79,16 @@ class TestSMB(IntegrationTest):
 
     @pytest.fixture
     def enable_smb_client_dns_lookup_kdc(self):
-        smbclient = self.smbclient
-        with tasks.FileBackup(smbclient, paths.KRB5_CONF):
-            krb5_conf = smbclient.get_file_contents(
-                paths.KRB5_CONF, encoding='utf-8')
-            krb5_conf = krb5_conf.replace(
-                'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
-            smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
-            yield
+        @contextmanager
+        def _enable_for(smbclient):
+            with tasks.FileBackup(smbclient, paths.KRB5_CONF):
+                krb5_conf = smbclient.get_file_contents(
+                    paths.KRB5_CONF, encoding='utf-8')
+                krb5_conf = krb5_conf.replace(
+                    'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
+                smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
+                yield
+        return _enable_for
 
     @pytest.fixture
     def samba_share_public(self):
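Review bot: `from contextlib import contextmanager` is placed after `import pytest`, in the third-party group, while the companion `import os` correctly joins the standard-library imports above it. Move it up beside `import os` (or `from functools import partial`) so the file keeps its stdlib / third-party grouping, as the rest of this import block does.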
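Review bot: `_enable_for` cannot tell whether `dns_lookup_kdc` was actually switched on: `str.replace` is a silent no-op when the target krb5.conf has no `dns_lookup_kdc = false` line (or spells it with different spacing), and the caller then runs with the original configuration while believing DNS KDC lookup is enabled. Keep the result separately and fail loudly before writing it back, e.g. `new_conf = krb5_conf.replace('dns_lookup_kdc = false', 'dns_lookup_kdc = true')` followed by `assert new_conf != krb5_conf, 'dns_lookup_kdc = false not found in krb5.conf'` and `smbclient.put_file_contents(paths.KRB5_CONF, new_conf)`. The fixture also deserves a short docstring now that it no longer modifies anything itself but returns a context-manager factory that takes the host to reconfigure, e.g. `"""Return a context manager that enables dns_lookup_kdc in krb5.conf on the given host for the duration of the block."""`.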
@@ -313,14 +317,15 @@ class TestSMB(IntegrationTest):
 
     def test_smb_access_for_ad_user_at_ipa_client(
             self, enable_smb_client_dns_lookup_kdc):
-        samba_share = {
-            'name': 'homes',
-            'server_path': '/home/{}/{}'.format(self.ad.domain.name,
-                                                 self.ad_user_login),
-            'unc': '//{}/homes'.format(self.smbserver.hostname)
-        }
-        self.check_smb_access_at_ipa_client(
-            self.ad_user, self.ad_user_password, samba_share)
+        with enable_smb_client_dns_lookup_kdc(self.smbclient):
+            samba_share = {
+                'name': 'homes',
+                'server_path': '/home/{}/{}'.format(self.ad.domain.name,
+                                                     self.ad_user_login),
+                'unc': '//{}/homes'.format(self.smbserver.hostname)
+            }
+            self.check_smb_access_at_ipa_client(
+                self.ad_user, self.ad_user_password, samba_share)
 
     def test_smb_mount_and_access_by_different_users(self, samba_share_public):
         user1 = self.ipa_user1
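Review bot: Only the `self.check_smb_access_at_ipa_client(...)` call depends on the reconfigured krb5.conf, yet the whole `samba_share` dictionary is built inside the `with enable_smb_client_dns_lookup_kdc(self.smbclient):` block. Building the dictionary before the `with` keeps the block to the single statement that needs DNS KDC lookup enabled and makes the reason for the context manager obvious to the reader. The enclosing class `TestSMB` continues outside the hunk.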
@@ -340,6 +345,39 @@ class TestSMB(IntegrationTest):
         finally:
             self.cleanup_mount(mount_point)
 
+    def test_smb_service_s4u2self(
+            self, enable_smb_client_dns_lookup_kdc):
+        """Test S4U2Self operation by IPA service
+        against both AD and IPA users
+        """
+        script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr
+        kdestroy -A
+        kinit -kt /etc/samba/samba.keytab {principal}
+        klist -f
+        {print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ}
+        klist -f
+        """)
+        with enable_smb_client_dns_lookup_kdc(self.smbserver):
+            principal = 'cifs/{hostname}'.format(
+                hostname=self.smbserver.hostname)
+            # Copy ipa-print-pac to SMB server
+            # We can do so because Samba and GSSAPI libraries
+            # are present there
+            print_pac = self.master.get_file_contents(
+                os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"))
+            result = self.smbserver.run_command(['mktemp'])
+            tmpname = result.stdout_text.strip()
+            self.smbserver.put_file_contents(tmpname, print_pac)
+            self.smbserver.run_command(['chmod', 'a+x', tmpname])
+            for user in (self.ad_user, self.ipa_user1,):
+                shell_script = script.format(principal=principal,
+                                             user_princ=user,
+                                             print_pac=tmpname)
+                self.smbserver.run_command(['/bin/bash', '-s', '-e'],
+                                           stdin_text=shell_script)
+            self.smbserver.run_command(['rm', '-f', tmpname])
+            tasks.kdestroy_all(self.smbserver)
+
     def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public):
         mountpoint = '/mnt/smb'
         try:
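Review bot: The cleanup at the end of the `with` block — `rm -f` of the copied `ipa-print-pac` and `tasks.kdestroy_all(self.smbserver)` — runs only if every preceding `run_command` succeeds; a failing `kinit` or impersonation step (the script runs under `bash -e`, and `run_command` appears to raise on a non-zero exit) leaves the executable copy in the temp file and the `cifs/` service credentials in the default ccache on the SMB server for the tests that follow. Move the user loop into a `try:` and the two cleanup calls into its `finally:` so the host is restored on both paths. Separately, the test asserts nothing about the S4U2Self result: it passes whenever the script exits zero, so consider keeping the `run_command` return value and checking `stdout_text` for the impersonated principal (the output format of `ipa-print-pac` is not visible here). The enclosing class `TestSMB` continues outside the hunk.
```python
        with enable_smb_client_dns_lookup_kdc(self.smbserver):
            # … unchanged: principal, copy of ipa-print-pac to tmpname, chmod a+x …
            try:
                for user in (self.ad_user, self.ipa_user1,):
                    # … unchanged: format `script` and run it via /bin/bash -s -e …
            finally:
                # Always drop the copied binary and the service credentials,
                # even when a kinit/impersonation step fails.
                self.smbserver.run_command(['rm', '-f', tmpname])
                tasks.kdestroy_all(self.smbserver)
```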