--- a/ipatests/test_integration/test_commands.py 2025-09-17 10:36:00.180673487 -0300
+++ b/ipatests/test_integration/test_commands.py 2025-09-17 10:37:31.294681273 -0300
@@ -1554,80 +1554,6 @@
 assert result.returncode == 1
 assert 'cannot be deleted or disabled' in result.stderr_text
- def test_unique_krbcanonicalname(self):
- """Verify that the uniqueness for krbcanonicalname is working"""
- master = self.master
-
- base_dn = str(master.domain.basedn)
- hostname = master.hostname
- realm = master.domain.realm
- principal = f'test/{hostname}@{realm}'
- entry_ldif_template = textwrap.dedent("""
- dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
- changetype: add
- ipakrbprincipalalias: test/{hostname}@{realm}
- krbprincipalname: {principal}
- objectclass: ipakrbprincipal
- objectclass: ipaobject
- objectclass: ipaservice
- objectclass: krbprincipal
- objectclass: krbprincipalaux
- objectclass: top
- krbcanonicalname: {user}@{realm}
- managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
- """)
- entry_ldif = entry_ldif_template.format(
- base_dn=base_dn,
- hostname=hostname,
- principal=principal,
- realm=realm,
- user='admin')
- tasks.kdestroy_all(master)
- master.run_command(
- ['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
- args = [
- 'ldapmodify',
- '-Y',
- 'GSSAPI'
- ]
- result = master.run_command(args, stdin_text=entry_ldif,
- raiseonerr=False)
- assert "entry with the same attribute value" in result.stderr_text
-
- # Now try with root@realm instead of admin@realm
- entry_ldif = entry_ldif_template.format(
- base_dn=base_dn,
- hostname=hostname,
- principal=principal,
- realm=realm,
- user='root')
- args = [
- 'ldapmodify',
- '-Y',
- 'GSSAPI'
- ]
- result = master.run_command(args, stdin_text=entry_ldif,
- raiseonerr=False)
- assert "entry with the same attribute value" in result.stderr_text
- tasks.kdestroy_all(master)
-
- def test_no_request_pac(self):
- # Try to use a TGT obtained without PAC
- # Should fail as the presence of the PAC when processing TGTs
- # provided by TGS-REQ is now enforced.
- hostname = self.master.hostname
- realm = self.master.domain.realm
- self.master.run_command([
- 'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
- '--no-request-pac'
- ])
- result = self.master.run_command(
- ['kvno', f'ldap/{hostname}@{realm}'],
- raiseonerr=False
- )
- assert result.returncode == 1
- assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
-
 class TestIPACommandWithoutReplica(IntegrationTest):
 """
@@ -1749,7 +1675,7 @@
 api.bootstrap_with_global_options(context='server')
 api.finalize()
 api.Backend.ldap2.connect()
-
+
 api.Command["group_add"]("testgroup1", external=True)
 api.Command["group_add"]("testgroup2", external=False)
 result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
@@ -1794,6 +1720,80 @@
 '/tmp/reproducer2_code.py'])
 assert "missing attribute" not in result.stdout_text
+ def test_unique_krbcanonicalname(self):
+ """Verify that the uniqueness for krbcanonicalname is working"""
+ master = self.master
+
+ base_dn = str(master.domain.basedn)
+ hostname = master.hostname
+ realm = master.domain.realm
+ principal = f'test/{hostname}@{realm}'
+ entry_ldif_template = textwrap.dedent("""
+ dn: krbprincipalname={principal},cn=services,cn=accounts,{base_dn}
+ changetype: add
+ ipakrbprincipalalias: test/{hostname}@{realm}
+ krbprincipalname: {principal}
+ objectclass: ipakrbprincipal
+ objectclass: ipaobject
+ objectclass: ipaservice
+ objectclass: krbprincipal
+ objectclass: krbprincipalaux
+ objectclass: top
+ krbcanonicalname: {user}@{realm}
+ managedby: fqdn={hostname},cn=computers,cn=accounts,{base_dn}
+ """)
+ entry_ldif = entry_ldif_template.format(
+ base_dn=base_dn,
+ hostname=hostname,
+ principal=principal,
+ realm=realm,
+ user='admin')
+ tasks.kdestroy_all(master)
+ master.run_command(
+ ['kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}'])
+ args = [
+ 'ldapmodify',
+ '-Y',
+ 'GSSAPI'
+ ]
+ result = master.run_command(args, stdin_text=entry_ldif,
+ raiseonerr=False)
+ assert "entry with the same attribute value" in result.stderr_text
+
+ # Now try with root@realm instead of admin@realm
+ entry_ldif = entry_ldif_template.format(
+ base_dn=base_dn,
+ hostname=hostname,
+ principal=principal,
+ realm=realm,
+ user='root')
+ args = [
+ 'ldapmodify',
+ '-Y',
+ 'GSSAPI'
+ ]
+ result = master.run_command(args, stdin_text=entry_ldif,
+ raiseonerr=False)
+ assert "entry with the same attribute value" in result.stderr_text
+ tasks.kdestroy_all(master)
+
+ def test_no_request_pac(self):
+ # Try to use a TGT obtained without PAC
+ # Should fail as the presence of the PAC when processing TGTs
+ # provided by TGS-REQ is now enforced.
+ hostname = self.master.hostname
+ realm = self.master.domain.realm
+ self.master.run_command([
+ 'kinit', '-kt', '/etc/krb5.keytab', f'host/{hostname}@{realm}',
+ '--no-request-pac'
+ ])
+ result = self.master.run_command(
+ ['kvno', f'ldap/{hostname}@{realm}'],
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ assert "PAC_ENFORCEMENT_TGT_WITHOUT_PAC" in result.stderr_text
+
 class TestIPAautomount(IntegrationTest):
 @classmethod
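Review bot: `test_no_request_pac` leaves the PAC-less host TGT it obtains with `kinit ... --no-request-pac` in the master's default credential cache, because unlike `test_unique_krbcanonicalname` it never calls `tasks.kdestroy_all(self.master)` afterwards; a later test in this class that reaches the KDC or LDAP through that cache could then fail on the same PAC enforcement check rather than on its own merits. Add `tasks.kdestroy_all(self.master)` after the final assertion, and in both moved methods consider placing the statements after `kinit` under `try`/`finally` so the kdestroy also runs when an assertion fails midway. The two `ldapmodify` checks in `test_unique_krbcanonicalname` assert only on stderr text; an accompanying `assert result.returncode != 0` would pin that the duplicate `krbcanonicalname` was actually rejected and not merely warned about. As a style point, the leading `#` comment block of `test_no_request_pac` should be a docstring like the sibling test's, e.g. `"""Verify that a TGT obtained without a PAC is rejected by the TGS."""`. These methods are moved here from a class earlier in the file rather than newly written, so the same remarks apply to the removed copy.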