From 39e92c4033d0ecd702281f3ecbeac3b5f654e973 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Jun 2025 17:17:44 +0200
Subject: [PATCH] ipatests: fix test_adtrust_install_with_non_ipa_user

Fix the test scenario:
create a user with a second krbprincipalname but no
krbcanonical name.
kinit -E with the other name
try ipa-adtrust-install with the other name
It should fail with the error message 'user not found'

Fixes: https://pagure.io/freeipa/issue/9812
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
 .../test_integration/test_adtrust_install.py  | 48 ++++++++++++++-----
 1 file changed, 36 insertions(+), 12 deletions(-)

diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index 99d3029443ea39bb5f0e333a5087d30291191968..09e227ec8125e90b37d1d92f0512f9819f5b48c3 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -360,27 +360,51 @@ class TestIpaAdTrustInstall(IntegrationTest):
         assert msg in result.stdout_text
         assert result.returncode == 0
 
-    def test_adtrust_install_with_non_ipa_user(self):
+    @pytest.fixture
+    def create_user(self):
+        # create a user with 'othername' as 2nd krbprincipalname but
+        # no krbcanonicalname
+        basedn = self.master.domain.basedn
+        self.test_user = 'idmuser'
+        self.test_alias = 'othername'
+        tasks.create_active_user(
+            self.master, self.test_user, self.master.config.admin_password,
+            first=self.test_user, last=self.test_user)
+        user_update_ldif = textwrap.dedent("""
+            dn: uid={user},cn=users,cn=accounts,{base_dn}
+            changetype: modify
+            add: krbprincipalname
+            krbprincipalname: {alias}@{realm}
+            -
+            delete: krbcanonicalname
+            """.format(base_dn=basedn, user=self.test_user,
+                       alias=self.test_alias, realm=self.master.domain.realm))
+        tasks.ldapmodify_dm(self.master, user_update_ldif)
+        yield
+        tasks.kinit_admin(self.master)
+        self.master.run_command(["ipa", "user-del", self.test_user])
+
+    def test_adtrust_install_with_user_missing_krbcanonical(self, create_user):
         """
         Test that ipa-adtrust-install command returns
-        an error when kinit is done as alias
-        i.e root which is not an ipa user.
+        an error when kinit is done as an alias
+        for which there is no krbcanonicalname.
         """
-        msg = (
-            'Unrecognized error during check of admin rights: '
-            'root: user not found'
-        )
-        user = 'root'
+        self.master.run_command(["kdestroy", "-A"])
         self.master.run_command(
-            ["kinit", "-E", user],
-            stdin_text=self.master.config.admin_password
-        )
+            ["kinit", "-E", self.test_alias],
+            stdin_text=self.master.config.admin_password)
+
         result = self.master.run_command(
-            ["ipa-adtrust-install", "-A", user,
+            ["ipa-adtrust-install", "-A", self.test_alias,
              "-a", self.master.config.admin_password,
              "-U"], raiseonerr=False
         )
         assert result.returncode != 0
+        msg = (
+            'Unrecognized error during check of admin rights: '
+            '{alias}: user not found'
+        ).format(alias=self.test_alias)
         assert msg in result.stderr_text
 
     def test_adtrust_install_as_regular_ipa_user(self):
-- 
2.50.0