
tests: adding client ipa trust authentication tests #7779

Open
wants to merge 1 commit into
base: master

Conversation

danlavu

@danlavu danlavu commented Dec 20, 2024

No description provided.

Contributor

@jakub-vavra-cz jakub-vavra-cz left a comment


The error messages should be different to make it easy to see which exact assert failed. I wonder if it would make sense to create tests also with authentication using su. I would not parametrize these as they would be unsightly, but test_ipa_trusts__authentication_with_default_settings_su seems worth adding.

```python
ipa_user = ipa.user("user1").add(password="Secret123").name
ipa_user_fqn = f"{ipa_user}@{ipa.domain}"
ad_user = trusted.user("user2").add(password="Secret123").name
ad_user_fqn = f"{ad_user}@{trusted.domain}"
```
Contributor


For ad, you can use ad_user_fqn = trusted.fqn("user2")

I added this fqn method to the IPA role here https://github.com/SSSD/sssd-test-framework/pull/119/files but it won't work until merged obviously

```python
ad_user = trusted.user("user2").add(password="Secret123").name
ad_user_fqn = f"{ad_user}@{trusted.domain}"

client.sssd.enable_responder("ssh")
```
Contributor


Is this really needed?

Author


Let me double-check: the other IPA trust tests are using the IPA host to do the lookups; IIRC, this wasn't enabled on the client.

Author


Yes, but we should update the IPA config in the framework. It's because

```
services = nss, pam
```

Contributor


IPA was not doing that on RHEL 10 beta so we had this as a workaround. New IPA on 10.0 should include it but better to be safe.

@danlavu force-pushed the tests-ipa-trust-lookup-fqn branch from bede40a to dc1414a (January 16, 2025 05:42)
@danlavu force-pushed the tests-ipa-trust-lookup-fqn branch from dc1414a to bfdfc67 (January 16, 2025 19:12)
@justin-stephenson
Contributor

Please fix the ipa-trust-samba errors in PRCI.

@danlavu
Author

danlavu commented Jan 22, 2025

> Please fix the ipa-trust-samba errors in PRCI.

Digging into it, ssh isn't working for Samba. Below you can see the trusted user is found and the password is correct via kinit, but ssh and su auth fail; logs are attached. Mind taking a look, @justin-stephenson?

```
[root@client sssd]# id [email protected]
uid=1321601105([email protected]) gid=1321601105([email protected]) groups=1321601105([email protected]),1321600513(domain [email protected])

[root@client sssd]# kinit [email protected]
Password for [email protected]:
[root@client sssd]# klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting     Expires            Service principal
01/22/25 00:26:08  01/22/25 10:26:08  krbtgt/[email protected]
	renew until 01/23/25 00:26:05

[root@client sssd]# ssh [email protected]@localhost
([email protected]@localhost) Password:
([email protected]@localhost) Password:
([email protected]@localhost) Password:

[root@client sssd]# su - [email protected]
Last login: Wed Jan 22 00:29:52 UTC 2025 on pts/0
-sh-5.2$ su - [email protected]
Password:
su: Authentication failure
-sh-5.2$

[root@client sssd]# hostname
client.test
```

sssd.tar.gz

@justin-stephenson
Contributor


[sssd.tar.gz](https://github.com/user-attachments/files/18497956/sssd.tar.gz)

```
[be[test]] [krb5_auth_done] (0x3f7c0): [RID#12] The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information

...

(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543848: Sending request (1995 bytes) to IPA.TEST
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543849: Initiating TCP connection to stream 172.16.100.10:88
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543850: Sending TCP request to stream 172.16.100.10:88
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543851: Received answer (433 bytes) from stream 172.16.100.10:88
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543852: Terminating TCP connection to stream 172.16.100.10:88
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543853: Response was from primary KDC
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543854: Decoding FAST response
(2025-01-22  0:20:24): [krb5_child[27103]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [27103] 1737505224.543855: TGS request result: -1765328377/Server krbtgt/[email protected] not found in Kerberos database
(2025-01-22  0:20:24): [krb5_child[27103]] [get_and_save_tgt] (0x0020): [RID#12] 2363: [-1765328377][Error constructing AP-REQ armor: Server krbtgt/[email protected] not found in Kerberos database]
(2025-01-22  0:20:24): [krb5_child[27103]] [map_krb5_error] (0x0040): [RID#12] 2492: [-1765328377][Error constructing AP-REQ armor: Server krbtgt/[email protected] not found in Kerberos database]
(2025-01-22  0:20:24): [krb5_child[27103]] [k5c_send_data] (0x0200): [RID#12] Received error code 1432158209
(2025-01-22  0:20:24): [krb5_child[27103]] [pack_response_packet] (0x2000): [RID#12] response packet size: [4]
```

Failure is due to the above errors, but I'm not sure what the cause is. I'll have to do more digging.
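Added example, not code from this PR or from SSSD: a small triage parser for krb5_child.log records of the kind shown above. It rejoins records that were wrapped onto continuation lines, decodes the libkrb5 error code into its RFC 4120 KDC error name (-1765328377 is KRB5KDC_ERR_NONE + 7, the "server principal unknown" error behind "not found in Kerberos database"), and pulls out the principal the FAST armor request failed on. The sample records, pid and realm names are constructed placeholders.

```python
import re
from dataclasses import dataclass

# libkrb5 error = KRB5KDC_ERR_NONE + RFC 4120 error number; 7 is "server principal unknown".
KRB5KDC_ERR_NONE = -1765328384
KDC_ERROR_NAMES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}
LINE_RE = re.compile(r"^\([^)]*\): \[krb5_child\[\d+\]\] \[(?P<func>\w+)\] "
                     r"\(0x[0-9a-f]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
KRB5_ERR_RE = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>[^\]]*)\]")
ARMOR_RE = re.compile(r"AP-REQ armor: Server (?P<princ>\S+) not found")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")
# Constructed sample in krb5_child.log format (realms/pid are placeholders); record 1 is wrapped.
SAMPLE_LOG = [
    "(2025-01-22  0:20:24): [krb5_child[27103]] [get_and_save_tgt] (0x0020): [RID#12] 2363: "
    "[-1765328377][Error constructing AP-REQ armor: Server krbtgt/TRUSTED.EXAMPLE@IPA.EXAMPLE not found in Kerberos ",
    "database]",
    "(2025-01-22  0:20:24): [krb5_child[27103]] [k5c_send_data] (0x0200): [RID#12] Received error code 1432158209",
]

@dataclass
class Finding:
    rid: str
    krb5_code: int
    kdc_error: str
    armor_server: "str | None" = None  # set only when FAST armor acquisition failed
    sssd_code: "int | None" = None     # code krb5_child handed back to the backend

def unwrap(lines):
    # Rejoin records wrapped onto following lines: continuations lack a leading "(".
    records = []
    for line in lines:
        if line.startswith("(") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def triage(lines):
    # One Finding per request id that reported a krb5 error; the first error wins.
    by_rid = {}
    for m in filter(None, map(LINE_RE.match, unwrap(lines))):
        rid, msg = m.group("rid"), m.group("msg")
        if (err := KRB5_ERR_RE.search(msg)) and rid not in by_rid:
            code = int(err.group("code"))
            name = KDC_ERROR_NAMES.get(code - KRB5KDC_ERR_NONE, f"krb5 error {code}")
            armor = ARMOR_RE.search(err.group("text"))
            by_rid[rid] = Finding(rid, code, name, armor.group("princ") if armor else None)
        if (sssd := SSSD_ERR_RE.search(msg)) and rid in by_rid:
            by_rid[rid].sssd_code = int(sssd.group("code"))
    return list(by_rid.values())
```

Run `triage(SAMPLE_LOG)` to get the single finding for RID#12; on a real krb5_child.log, pass `open(path).read().splitlines()`.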

@justin-stephenson

Hi @sumit-bose, Dan is adding some new tests in this PR but authentication fails for the IPA trust Samba AD user on the client system, see the above errors (client logs). Do you have any ideas why this fails? I suppose that authentication for a Samba AD user through an IPA trust has never been tried until now. The trust to samba.test gets added in https://github.com/SSSD/sssd-ci-containers/blob/master/src/ansible/roles/ipa/tasks/main.yml
