Multiple issues found in trust tests, will update
Issues with tests:
1) trust can be established only in the environment with external DNS server with DNSSEC support, which contains A records for Windows servers and SRV records for AD services.
It is rather complicated to create such a setup (and it is not documented). This happens due to not creating a DNS forwarder for the AD domain.
2) (Not broken, but strange) Tests expect that in the config file all three AD instances are located in one domain.hosts object. Because of that, to find domain name of AD machines we split and join hostname (lines 51 and 59 at test_trust.py) instead of using host.domain.name property provided by pytest_multihost plugin. I think every AD machine must be in its own domain in test config (as domain names are different indeed).
3) Tests fail randomly when trying to synchronize time before establishing trust (at least in vagrant). I've read that the Windows time server can have a very big jitter value and chronyd must be invoked with the maxlag and maxdistance options (need to investigate).
4) TestExternalTrustWithRootDomain is mistakenly inherited from ADTrustSubdomainBase instead of ADTrustBase. So external trust with subdomain is checked twice.
5) ADTrustBase.test_all_trustdomains_found expects that after establishing trust with the forest root domain, ipa trustdomain-find will show all three domains. I think this is wrong; it should only retrieve the root domain and its subdomain, but not the other tree domain. I suspect the test could pass with an invalid test configuration, when the domain.hosts.*.name field contained a value without a dot at the end. In this case the multihost plugin constructs the hostname from the first part of name and the value of domain.name. And as all AD machines are in the same domain object (see 2), we actually check three times that the root domain is visible in the output.
6) The test module contains 10 test classes. Each class requires ipa server setup/teardown. This results in tests running for about 1.5 hours. But there is nothing in those tests that requires reinstalling the ipa server when changing trust type and target. If we add a simple cleanup (ipa trust-del, remove sssd keytab), we could place all tests in one class and run them in under 20 minutes. The better option would be to create a module-level fixture for topology installation/uninstallation (similar to IntegrationTest.install/uninstall methods) but I think it is too much for the scope of this task.
7) Time on the ipa master is synchronized with AD after ipa-server installation. This can (and sometimes does in my setup) lead to the ipa certificate being not yet valid.
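A constructed config lint that models items 2 and 5 above (an added example, not FreeIPA's test code or the pytest_multihost plugin itself): the dict layout, the `role` values starting with `ad`, and the hostname rule are assumptions taken from the issue's description of how the plugin builds hostnames from `domain.hosts.*.name` and `domain.name`.

```python
# Constructed lint for a pytest_multihost-style configuration. The dict layout and
# the hostname rule below are assumptions modelled on the issue text, not the plugin.
from typing import Dict, List


def effective_hostname(name: str, domain_name: str) -> str:
    """Hostname as the issue says the plugin builds it: a name that does not end
    with a dot is cut at its first label and joined to domain.name; a name with
    a trailing dot is taken as the FQDN."""
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name.split('.')[0]}.{domain_name}"


def domain_from_split_join(hostname: str) -> str:
    """The split-and-join shortcut test_trust.py uses instead of host.domain.name."""
    return ".".join(hostname.split(".")[1:])


def lint_ad_domains(config: Dict) -> List[str]:
    """One finding per problem: several AD hosts in one domain object, a dotted
    name whose domain labels the plugin would discard, or a derived domain that
    disagrees with the domain object the host sits in."""
    findings = []
    for domain in config["domains"]:
        ad_hosts = [h for h in domain["hosts"] if h.get("role", "").startswith("ad")]
        if len(ad_hosts) > 1:
            findings.append(f"domain {domain['name']}: {len(ad_hosts)} AD hosts share one domain object")
        for host in ad_hosts:
            fqdn = effective_hostname(host["name"], domain["name"])
            if not host["name"].endswith(".") and "." in host["name"]:
                findings.append(f"host {host['name']}: no trailing dot, plugin will use {fqdn}")
            derived = domain_from_split_join(fqdn)
            if derived != domain["name"]:
                findings.append(f"host {fqdn}: split/join gives {derived!r}, domain object is {domain['name']!r}")
    return findings


# Constructed sample mirroring the layout the issue complains about: three AD
# machines from three different domains inside a single domain object.
SAMPLE_CONFIG = {
    "domains": [
        {"name": "ad.test", "type": "AD", "hosts": [
            {"name": "root-dc.ad.test", "role": "ad"},
            {"name": "child-dc.child.ad.test", "role": "ad_subdomain"},
            {"name": "tree-dc.tree.test", "role": "ad_treedomain"},
        ]},
    ]
}

if __name__ == "__main__":
    for finding in lint_ad_domains(SAMPLE_CONFIG):
        print(finding)
```

With the sample config every AD host collapses to a hostname under ad.test, which is exactly why the root domain ends up checked three times.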
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.3
- Issue tagged with: tests
Need to update test documentation:
1. Each AD machine must reside in its own domain object of multihost configuration
2. Add a proper description of the test objects that must be created on AD machines, possibly provide a PowerShell snippet
Metadata Update from @sorlov:
- Custom field affects_doc adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)