mirror of
https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git
synced 2025-01-22 00:23:12 +00:00
Add Samba AD tests
This adds a Samba AD server test, and client enrolment tests via sssd, Cockpit and kickstart. Requires the matching createhdds commit to add the kickstart to the disk_ks image. Signed-off-by: Adam Williamson <awilliam@redhat.com>
parent
f528904344
commit
74b468b949
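--- a/needles/cockpit/join_complete-ad-20230722.json
+++ b/needles/cockpit/join_complete-ad-20230722.json
@@ -0,0 +1,22 @@
+{
+"area": [
+{
+"ypos": 528,
+"xpos": 690,
+"type": "match",
+"width": 217,
+"height": 14
+},
+{
+"type": "match",
+"height": 13,
+"width": 48,
+"xpos": 587,
+"ypos": 527
+}
+],
+"properties": [],
+"tags": [
+"cockpit_join_complete"
+]
+}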
BIN
needles/cockpit/join_complete-ad-20230722.png
Normal file
BIN
needles/cockpit/join_complete-ad-20230722.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 158 KiB |
@ -474,6 +474,13 @@
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"realmd_join_cockpit_ad": {
|
||||
"profiles": {
|
||||
"fedora-updates-server-aarch64-*-aarch64": 5,
|
||||
"fedora-updates-server-ppc64le-*-ppc64le": 5,
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"realmd_join_sssd": {
|
||||
"profiles": {
|
||||
"fedora-updates-server-aarch64-*-aarch64": 5,
|
||||
@ -481,6 +488,13 @@
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"realmd_join_sssd_ad": {
|
||||
"profiles": {
|
||||
"fedora-updates-server-aarch64-*-aarch64": 5,
|
||||
"fedora-updates-server-ppc64le-*-ppc64le": 5,
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"rpmostree_overlay": {
|
||||
"profiles": {
|
||||
"fedora-updates-silverblue-dvd_ostree-iso-x86_64-*-64bit": 5
|
||||
@ -569,6 +583,13 @@
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"server_samba_domain_controller": {
|
||||
"profiles": {
|
||||
"fedora-updates-server-aarch64-*-aarch64": 5,
|
||||
"fedora-updates-server-ppc64le-*-ppc64le": 5,
|
||||
"fedora-updates-server-x86_64-*-64bit": 5
|
||||
}
|
||||
},
|
||||
"support_server": {
|
||||
"profiles": {
|
||||
"fedora-updates-everything-boot-iso-x86_64-*-64bit": 5
|
||||
|
@ -1713,7 +1713,7 @@
|
||||
},
|
||||
"settings": {
|
||||
"GRUB": "inst.ks=hd:vdb1:/root-user-crypted-net.ks",
|
||||
"HDD_2": "disk_ks_6.img",
|
||||
"HDD_2": "disk_ks_7.img",
|
||||
"KICKSTART": "1",
|
||||
"NUMDISKS": "2",
|
||||
"ROOT_PASSWORD": "111111",
|
||||
@ -2360,13 +2360,37 @@
|
||||
"BOOTFROM": "c",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "server_role_deploy_domain_controller",
|
||||
"POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change freeipa_client",
|
||||
"POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change domain_client",
|
||||
"POST_STATIC": "172.16.2.102 client002.test.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"realmd_join_cockpit_ad": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 30,
|
||||
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 30,
|
||||
"fedora-Server-dvd-iso-x86_64-*-64bit": 30
|
||||
},
|
||||
"settings": {
|
||||
"+HDD_1": "disk_%MACHINE%_cockpit.qcow2",
|
||||
"+START_AFTER_TEST": "server_cockpit_default",
|
||||
"BOOTFROM": "c",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "server_samba_domain_controller",
|
||||
"POSTINSTALL": "realmd_join_cockpit domain_client",
|
||||
"POST_STATIC": "172.16.2.132 adclient002.samdom.openqa.fedoraproject.org",
|
||||
"REALMD_ADMIN_USER": "administrator",
|
||||
"REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^",
|
||||
"REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_IP": "172.16.2.130",
|
||||
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"realmd_join_sssd": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
|
||||
@ -2378,7 +2402,7 @@
|
||||
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "server_role_deploy_domain_controller",
|
||||
"POSTINSTALL": "realmd_join_sssd freeipa_client",
|
||||
"POSTINSTALL": "realmd_join_sssd domain_client",
|
||||
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
|
||||
@ -2386,6 +2410,30 @@
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"realmd_join_sssd_ad": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
|
||||
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
|
||||
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
|
||||
},
|
||||
"settings": {
|
||||
"BOOTFROM": "c",
|
||||
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "server_samba_domain_controller",
|
||||
"POSTINSTALL": "realmd_join_sssd domain_client",
|
||||
"POST_STATIC": "172.16.2.131 adclient001.samdom.openqa.fedoraproject.org",
|
||||
"REALMD_ADMIN_USER": "administrator",
|
||||
"REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^",
|
||||
"REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_IP": "172.16.2.130",
|
||||
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"release_identification": {
|
||||
"profiles": {
|
||||
"fedora-CoreOS-colive-iso-x86_64-*-64bit": 50,
|
||||
@ -2547,12 +2595,14 @@
|
||||
},
|
||||
"settings": {
|
||||
"BOOTFROM": "c",
|
||||
"FREEIPA_REPLICA_CLIENT": "1",
|
||||
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "server_freeipa_replication_replica",
|
||||
"POSTINSTALL": "realmd_join_sssd freeipa_client",
|
||||
"POSTINSTALL": "realmd_join_sssd domain_client",
|
||||
"POST_STATIC": "172.16.2.108 client005.test.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_HOST": "ipa003.test.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_IP": "172.16.2.107",
|
||||
"REALMD_SERVER_MUTEX": "domain_replica_ready",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
|
||||
"USER_LOGIN": "false",
|
||||
@ -2594,6 +2644,8 @@
|
||||
"PARALLEL_WITH": "server_freeipa_replication_master",
|
||||
"POSTINSTALL": "realmd_join_sssd",
|
||||
"POST_STATIC": "172.16.2.107 ipa003.test.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_HOST": "ipa002.test.openqa.fedoraproject.org",
|
||||
"REALMD_DNS_SERVER_IP": "172.16.2.106",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
|
||||
"USER_LOGIN": "false",
|
||||
@ -2608,13 +2660,35 @@
|
||||
},
|
||||
"settings": {
|
||||
"GRUB": "inst.ks=hd:vdb1:/freeipaclient.ks",
|
||||
"HDD_2": "disk_ks_6.img",
|
||||
"INSTALL_UNLOCK": "freeipa_ready",
|
||||
"HDD_2": "disk_ks_7.img",
|
||||
"INSTALL_UNLOCK": "domain_server_ready",
|
||||
"KICKSTART": "1",
|
||||
"NICTYPE": "tap",
|
||||
"NUMDISKS": "2",
|
||||
"PARALLEL_WITH": "server_role_deploy_domain_controller",
|
||||
"POSTINSTALL": "freeipa_client",
|
||||
"POSTINSTALL": "domain_client",
|
||||
"ROOT_PASSWORD": "anaconda",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"server_realmd_join_kickstart_ad": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
|
||||
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
|
||||
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
|
||||
},
|
||||
"settings": {
|
||||
"GRUB": "inst.ks=hd:vdb1:/adclient.ks",
|
||||
"HDD_2": "disk_ks_7.img",
|
||||
"INSTALL_UNLOCK": "domain_server_ready",
|
||||
"KICKSTART": "1",
|
||||
"NICTYPE": "tap",
|
||||
"NUMDISKS": "2",
|
||||
"PARALLEL_WITH": "server_samba_domain_controller",
|
||||
"POSTINSTALL": "domain_client",
|
||||
"REALMD_ADMIN_USER": "administrator",
|
||||
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "anaconda",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
@ -2696,6 +2770,25 @@
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"server_samba_domain_controller": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
|
||||
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
|
||||
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
|
||||
},
|
||||
"settings": {
|
||||
"BOOTFROM": "c",
|
||||
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_CANCEL_WHOLE_CLUSTER": "0",
|
||||
"POSTINSTALL": "samba_domain_controller samba_domain_controller_check",
|
||||
"POST_STATIC": "172.16.2.130 ad001.samdom.openqa.fedoraproject.org",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
|
||||
"USER_LOGIN": "false",
|
||||
"WORKER_CLASS": "tap"
|
||||
}
|
||||
},
|
||||
"support_server": {
|
||||
"profiles": {
|
||||
"fedora-Server-dvd-iso-aarch64-*-aarch64": 10,
|
||||
@ -2839,7 +2932,7 @@
|
||||
"BOOTFROM": "c",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "upgrade_2_server_domain_controller",
|
||||
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client",
|
||||
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client",
|
||||
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
|
||||
"PREUPGRADE": "realmd_join_sssd",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
@ -2975,7 +3068,7 @@
|
||||
"MAX_JOB_TIME": "10800",
|
||||
"NICTYPE": "tap",
|
||||
"PARALLEL_WITH": "upgrade_server_domain_controller",
|
||||
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client",
|
||||
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client",
|
||||
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
|
||||
"PREUPGRADE": "realmd_join_sssd",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
|
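Review bot: The Samba AD administrator password is written out as a literal `REALMD_ADMIN_PASSWORD` value in both `realmd_join_cockpit_ad` and `realmd_join_sssd_ad`, and the same string is repeated three more times in tests/samba_domain_controller.pm in this commit, so changing it in one place silently breaks every client join. JSON has nowhere to put a comment, so the fix belongs in the settings themselves: give `server_samba_domain_controller` the same `"REALMD_ADMIN_PASSWORD"` setting and have the server module read it with `get_var`, so each job states the value once and the Perl code carries no copy. `server_realmd_join_kickstart_ad` has no password setting at all, presumably because enrolment there uses the one-time password preset on the server and consumed by `adclient.ks`; that coupling to the disk_ks image is stated only in the commit message and deserves a line in the test-suite documentation.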
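--- a/tests/domain_client.pm
+++ b/tests/domain_client.pm
@@ -0,0 +1,63 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+my $self = shift;
+my $admin = get_var("REALMD_ADMIN_USER", "admin");
+my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org");
+my $udomain = uc($domain);
+my $qdomain = quotemeta($domain);
+my $qudomain = uc($qdomain);
+# switch to tty1 (we're usually there already, but just in case
+# we're carrying on from a failed freeipa_webui that didn't fail
+# at tty1)
+send_key "ctrl-alt-f1";
+wait_still_screen 1;
+# check domain is listed in 'realm list'
+validate_script_output 'realm list', sub { $_ =~ m/domain-name: $qdomain.*configured: kerberos-member/s };
+# check we can resolve domain accounts
+assert_script_run "getent passwd $admin\@$udomain";
+# check keytab entries
+# on AD clients, this isn't automatically installed
+assert_script_run "dnf -y install krb5-workstation", 180;
+my $hostname = script_output 'hostname';
+my $qhost = quotemeta($hostname);
+validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@$qudomain/ };
+# check we can kinit with the host principal
+if ($domain =~ m/samdom/) {
+my $shorthost = uc((split(/\./, $hostname))[0]);
+assert_script_run "kinit -k $shorthost\\\$\@$udomain";
+}
+else {
+assert_script_run "kinit -k host/$hostname\@$udomain";
+}
+# Set a longer timeout for login(1) to workaround RHBZ #1661273
+assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
+# switch to tty2 for login tests
+send_key "ctrl-alt-f2";
+# try and login as test1, should work
+console_login(user => "test1\@$domain", password => 'batterystaple');
+type_string "exit\n";
+unless ($domain =~ m/samdom/) {
+# try and login as test2, should fail. we cannot use console_login
+# as it takes 10 seconds to complete when login fails, and
+# "permission denied" message doesn't last that long
+sleep 2;
+assert_screen "text_console_login";
+type_string "test2\@$udomain\n";
+assert_screen "console_password_required";
+type_string "batterystaple\n";
+assert_screen "login_permission_denied";
+}
+}
+
+
+sub test_flags {
+return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et: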
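Review bot: The AD/FreeIPA split in `run` is keyed on `$domain =~ m/samdom/`, an unanchored substring match on a job setting, so any realm whose name merely contains "samdom" takes the AD branches; anchoring both tests as `if ($domain =~ m/^samdom\./) {` and `unless ($domain =~ m/^samdom\./) {`, or switching on a dedicated job variable, makes the intent explicit. The `unless` block also means the AD jobs never exercise a refused login: only the positive `test1` login is checked, so an access-control regression on the AD path would pass unnoticed, and a `# TODO` comment at that block should say why the negative test is skipped. `my $qudomain = uc($qdomain);` works only because `quotemeta` output survives upper-casing; `quotemeta($udomain)` states the same thing directly.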
@ -1,48 +0,0 @@
|
||||
use base "installedtest";
|
||||
use strict;
|
||||
use testapi;
|
||||
use utils;
|
||||
|
||||
sub run {
|
||||
my $self = shift;
|
||||
# switch to tty1 (we're usually there already, but just in case
|
||||
# we're carrying on from a failed freeipa_webui that didn't fail
|
||||
# at tty1)
|
||||
send_key "ctrl-alt-f1";
|
||||
wait_still_screen 1;
|
||||
# check domain is listed in 'realm list'
|
||||
validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.fedoraproject\.org.*configured: kerberos-member/s };
|
||||
# check we can see the admin user in getent
|
||||
assert_script_run 'getent passwd admin@TEST.OPENQA.FEDORAPROJECT.ORG';
|
||||
# check keytab entries
|
||||
my $hostname = script_output 'hostname';
|
||||
my $qhost = quotemeta($hostname);
|
||||
validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.FEDORAPROJECT\.ORG/ };
|
||||
# check we can kinit with the host principal
|
||||
assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.FEDORAPROJECT.ORG";
|
||||
# Set a longer timeout for login(1) to workaround RHBZ #1661273
|
||||
assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
|
||||
# switch to tty2 for login tests
|
||||
send_key "ctrl-alt-f2";
|
||||
# try and login as test1, should work
|
||||
console_login(user => 'test1@TEST.OPENQA.FEDORAPROJECT.ORG', password => 'batterystaple');
|
||||
type_string "exit\n";
|
||||
# try and login as test2, should fail. we cannot use console_login
|
||||
# as it takes 10 seconds to complete when login fails, and
|
||||
# "permission denied" message doesn't last that long
|
||||
sleep 2;
|
||||
assert_screen "text_console_login";
|
||||
type_string "test2\@TEST.OPENQA.FEDORAPROJECT.ORG\n";
|
||||
assert_screen "console_password_required";
|
||||
type_string "batterystaple\n";
|
||||
assert_screen "login_permission_denied";
|
||||
}
|
||||
|
||||
|
||||
sub test_flags {
|
||||
return {fatal => 1};
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
# vim: set sw=4 et:
|
@ -40,14 +40,14 @@ sub run {
|
||||
# check we can kinit with changed password
|
||||
assert_script_run 'printf "loremipsum" | kinit test3';
|
||||
# change password via CLI (back to batterystaple, as that's what
|
||||
# freeipa_client test expects)
|
||||
# domain_client test expects)
|
||||
assert_script_run 'dnf -y install freeipa-admintools';
|
||||
assert_script_run 'printf "batterystaple\nbatterystaple" | ipa user-mod test3 --password';
|
||||
# check we can kinit again
|
||||
assert_script_run 'printf "batterystaple" | kinit test3';
|
||||
# clear kerberos ticket for freeipa_client test
|
||||
# clear kerberos ticket for domain_client test
|
||||
assert_script_run 'kdestroy -A';
|
||||
# we just stay here - freeipa_client will pick right up
|
||||
# we just stay here - domain_client will pick right up
|
||||
}
|
||||
|
||||
sub test_flags {
|
||||
|
@ -8,18 +8,27 @@ use cockpit;
|
||||
|
||||
sub run {
|
||||
my $self = shift;
|
||||
# use FreeIPA server as DNS server
|
||||
assert_script_run "printf 'search test.openqa.fedoraproject.org\nnameserver 172.16.2.100' > /etc/resolv.conf";
|
||||
# use appropriate server IP, hostname, mutex and admin password
|
||||
# Several tests use the 'regular' FreeIPA server, so the values
|
||||
# for that are the defaults; other tests use a replica server, or
|
||||
# the AD server, so they specify this in their vars.
|
||||
my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org');
|
||||
my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100');
|
||||
my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready');
|
||||
my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123');
|
||||
my $admin_user = get_var("REALMD_ADMIN_USER", 'admin');
|
||||
my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org");
|
||||
assert_script_run "printf '$domain\nnameserver $server_ip' > /etc/resolv.conf";
|
||||
# this gets us the name of the first connection in the list,
|
||||
# which should be what we want
|
||||
my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1";
|
||||
assert_script_run "nmcli con mod '$connection' ipv4.dns '172.16.2.100'";
|
||||
assert_script_run "nmcli con mod '$connection' ipv4.dns '$server_ip'";
|
||||
assert_script_run "nmcli con down '$connection'";
|
||||
assert_script_run "nmcli con up '$connection'";
|
||||
# wait for the server to be ready (do it now just to make sure name
|
||||
# resolution is working before we proceed)
|
||||
mutex_lock "freeipa_ready";
|
||||
mutex_unlock "freeipa_ready";
|
||||
mutex_lock "domain_server_ready";
|
||||
mutex_unlock "domain_server_ready";
|
||||
# do repo setup
|
||||
repo_setup();
|
||||
# set sssd debugging level higher (useful for debugging failures)
|
||||
@ -52,12 +61,12 @@ sub run {
|
||||
# ...but two tabs in both places on earlier versions
|
||||
$tabs = "\t\t" if ($cockpitver < 255);
|
||||
type_string($tabs, 4);
|
||||
type_string("ipa001.test.openqa.fedoraproject.org", 4);
|
||||
type_string($server, 4);
|
||||
type_string($tabs, 4);
|
||||
type_string("admin", 4);
|
||||
type_string($admin_user, 4);
|
||||
send_key "tab";
|
||||
sleep 3;
|
||||
type_string("monkeys123", 4);
|
||||
type_string($admin_pw, 4);
|
||||
sleep 3;
|
||||
assert_and_click "cockpit_join_button";
|
||||
# join involves package installs, so it may take some time
|
||||
|
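Review bot: The rewritten resolv.conf line drops the `search` keyword: `printf '$domain\nnameserver $server_ip'` writes the bare domain name as the first line, where the line it replaces wrote `search test.openqa.fedoraproject.org`. It should read `assert_script_run "printf 'search $domain\nnameserver $server_ip' > /etc/resolv.conf";`. In the same hunk `$server_mutex` is assigned from `REALMD_SERVER_MUTEX`, but the `mutex_lock` and `mutex_unlock` calls below still name `"domain_server_ready"` literally; unless the variable is used further down in `run`, which continues outside the visible hunks, either pass `$server_mutex` to those two calls or drop the assignment.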
@ -8,19 +8,15 @@ use utils;
|
||||
|
||||
sub run {
|
||||
my $self = shift;
|
||||
# use FreeIPA server or replica as DNS server
|
||||
my $server = 'ipa001.test.openqa.fedoraproject.org';
|
||||
my $server_ip = '172.16.2.100';
|
||||
my $server_mutex = 'freeipa_ready';
|
||||
if (get_var("FREEIPA_REPLICA")) {
|
||||
$server = 'ipa002.test.openqa.fedoraproject.org';
|
||||
$server_ip = '172.16.2.106';
|
||||
}
|
||||
if (get_var("FREEIPA_REPLICA_CLIENT")) {
|
||||
$server = 'ipa003.test.openqa.fedoraproject.org';
|
||||
$server_ip = '172.16.2.107';
|
||||
$server_mutex = 'replica_ready';
|
||||
}
|
||||
# use appropriate server IP, hostname, mutex and admin password
|
||||
# Several tests use the 'regular' FreeIPA server, so the values
|
||||
# for that are the defaults; other tests use a replica server, or
|
||||
# the AD server, so they specify this in their vars.
|
||||
my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org');
|
||||
my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100');
|
||||
my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready');
|
||||
my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123');
|
||||
my $admin_user = get_var("REALMD_ADMIN_USER", 'admin');
|
||||
# this gets us the name of the first connection in the list,
|
||||
# which should be what we want
|
||||
my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1";
|
||||
@ -63,13 +59,13 @@ sub run {
|
||||
assert_script_run "systemctl start ipa.service", 300;
|
||||
|
||||
# report that we're ready to go
|
||||
mutex_create('replica_ready');
|
||||
mutex_create('domain_replica_ready');
|
||||
|
||||
# wait for the client test
|
||||
wait_for_children;
|
||||
}
|
||||
else {
|
||||
assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300;
|
||||
assert_script_run "echo '${admin_pw}' | realm join --user=${admin_user} ${server}", 300;
|
||||
}
|
||||
# set sssd debugging level higher (useful for debugging failures)
|
||||
# optional as it's not really part of the test
|
||||
|
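Review bot: In the second hunk the join command pastes `REALMD_ADMIN_PASSWORD` into a single-quoted shell word, `echo '${admin_pw}' | realm join …`, so a value containing `'` ends the quoting early and the remainder is parsed by the shell as command text. The value comes from the job templates, a trusted source, but the constraint is invisible at the call site; add a comment above the call such as `# REALMD_ADMIN_PASSWORD is interpolated inside single quotes: it must not contain '`, or escape the value before interpolating it. `${admin_user}` and `${server}` are interpolated unquoted on the same line and need the same note. `run` begins and ends outside the visible hunks.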
@ -66,7 +66,7 @@ sub run {
|
||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.FEDORAPROJECT.ORG';
|
||||
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.FEDORAPROJECT.ORG';
|
||||
# we're ready for children to enrol, now
|
||||
mutex_create("freeipa_ready");
|
||||
mutex_create("domain_server_ready");
|
||||
# if upgrade test, wait for children to enrol before upgrade
|
||||
if (get_var("UPGRADE")) {
|
||||
my $children = get_children();
|
||||
|
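--- a/tests/samba_domain_controller.pm
+++ b/tests/samba_domain_controller.pm
@@ -0,0 +1,88 @@
+use base "installedtest";
+use strict;
+use testapi;
+use lockapi;
+use mmapi;
+use tapnet;
+use utils;
+
+# thanks to:
+# https://fedoramagazine.org/samba-as-ad-and-domain-controller/
+# https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
+
+sub run {
+my $self = shift;
+# login
+$self->root_console();
+# use compose repo, disable u-t, etc. unless this is an upgrade
+# test (in which case we're on the 'old' release at this point;
+# one of the upgrade test modules does repo_setup later)
+repo_setup() unless get_var("UPGRADE");
+# this seems to cause problems if it runs before clients are done
+assert_script_run "systemctl stop systemd-tmpfiles-clean.timer";
+# we need a lot of entropy for this, and we don't care how good
+# it is, so let's use haveged
+assert_script_run "dnf -y install haveged", 300;
+assert_script_run 'systemctl start haveged.service';
+assert_script_run "rm -f /etc/samba/smb.conf";
+# First install the necessary packages
+assert_script_run "dnf -y install samba-dc samba-tools krb5-workstation adcli", 600;
+# configure the firewall
+assert_script_run "firewall-cmd --permanent --add-service samba-dc";
+assert_script_run "systemctl restart firewalld.service";
+# configure SELinux
+assert_script_run "setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on";
+# extract our IP and hostname from POST_STATIC
+my $poststatic = get_var("POST_STATIC");
+my ($ip, $hostname) = split(" ", $poststatic);
+# set up DNS
+script_run "mkdir -p /etc/systemd/resolved.conf.d";
+assert_script_run 'printf "[Resolve]\nDNSStubListener=no\nDomains=samdom.openqa.fedoraproject.org\nDNS=' . $ip . '\n" > /etc/systemd/resolved.conf.d/sambaad.conf';
+upload_logs "/etc/systemd/resolved.conf.d/sambaad.conf";
+assert_script_run "systemctl restart systemd-resolved.service";
+# deploy the server
+assert_script_run "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.OPENQA.FEDORAPROJECT.ORG --domain=samdom --adminpass=129ho3eau47#qm9to9s^", 1200;
+# set up DNS forwarding
+my ($forwarder, $others) = get_host_dns();
+assert_script_run 'sed -i -e "s,dns forwarder =.*,dns forwarder = ' . $forwarder . ',g" /etc/samba/smb.conf';
+upload_logs "/etc/samba/smb.conf";
+# set up kerberos
+assert_script_run "cp /var/lib/samba/private/krb5.conf /etc/krb5.conf.d/samba-dc";
+upload_logs "/etc/krb5.conf.d/samba-dc";
+# enable and start the systemd service
+assert_script_run "systemctl enable samba.service";
+assert_script_run "systemctl start samba.service", 300;
+
+# kinit as admin
+assert_script_run 'echo "129ho3eau47#qm9to9s^" | kinit administrator';
+# turn off annoying password constraints
+assert_script_run "samba-tool domain passwordsettings set --complexity=off", 1200;
+# set up an OTP for adclient003 enrolment (it will enrol with a kickstart)
+assert_script_run 'echo "129ho3eau47#qm9to9s^" | adcli preset-computer -U administrator --verbose --domain samdom.openqa.fedoraproject.org --stdin-password --one-time-password=monkeys adclient003.samdom.openqa.fedoraproject.org';
+# create two user accounts, test1 and test2
+assert_script_run 'samba-tool user add test1 batterystaple --unix-home=/home/test1 --login-shell=/bin/bash --uid=number=10000 --gid-number=10000';
+# add a rule allowing access to all hosts and services
+#assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
+# add test1 (but not test2) to the rule
+#assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
+# disable the default 'everyone everywhere' rule
+#assert_script_run 'ipa hbacrule-disable allow_all';
+# allow immediate password changes (as we need to test this)
+#assert_script_run 'ipa pwpolicy-mod --minlife=0';
+# magic voodoo crap to allow reverse DNS client sync to work
+# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
+#assert_script_run 'ipa dnszone-mod test.openqa.fedoraproject.org. --allow-sync-ptr=TRUE';
+# check we can kinit as each user
+assert_script_run 'printf "batterystaple" | kinit test1@SAMDOM.OPENQA.FEDORAPROJECT.ORG';
+# we're ready for children to enrol, now
+mutex_create("domain_server_ready");
+}
+
+
+sub test_flags {
+return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et: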
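Review bot: The `samba-tool user add test1` call passes `--uid=number=10000`, which looks like a typo for `--uid-number=10000`; as written it would be parsed as the separate `--uid` option with the value `number=10000`, so the account does not get the intended RFC2307 uidNumber even though the command succeeds. The line should end `--login-shell=/bin/bash --uid-number=10000 --gid-number=10000';`. The comments around it are also out of step with the code: "create two user accounts, test1 and test2" and "check we can kinit as each user" describe a `test2` that is never created. The block of commented-out `ipa …` commands is FreeIPA residue; it should be removed or replaced by a note on what the AD equivalent would be.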
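--- a/tests/samba_domain_controller_check.pm
+++ b/tests/samba_domain_controller_check.pm
@@ -0,0 +1,44 @@
+use base "installedtest";
+use strict;
+use testapi;
+use lockapi;
+use mmapi;
+
+sub run {
+my $self = shift;
+# make sure ipa.service actually came up successfully
+my $count = 40;
+while (1) {
+$count -= 1;
+die "Waited too long for samba.service to show up!" if ($count == 0);
+sleep 3;
+# if it's active, we're done here
+last unless script_run 'systemctl is-active samba.service';
+# if it's not...fail if it's failed
+assert_script_run '! systemctl is-failed samba.service';
+# if we get here, it's activating, so loop around
+}
+# if this is an update, notify clients that we're now up again
+mutex_create('server_upgraded') if get_var("UPGRADE");
+# once child jobs are done, stop the server
+# debug debug
+type_string "journalctl -f\n";
+wait_for_children;
+send_key "ctrl-c";
+# run post-fail hook to upload logs - even when this test passes
+# there are often cases where we need to see the logs (e.g. client
+# test failed due to server issue)
+$self->post_fail_hook();
+assert_script_run 'systemctl stop samba.service';
+# check server is stopped
+assert_script_run '! systemctl is-active samba.service';
+}
+
+
+sub test_flags {
+return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et: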
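Review bot: The opening comment in `run` still says "make sure ipa.service actually came up successfully" although the loop polls `samba.service`; it should read `# make sure samba.service actually came up successfully`. The `# debug debug` marker before `type_string "journalctl -f\n";` reads as leftover scaffolding; if following the journal while the client jobs run is intended, say so, e.g. `# follow the journal on screen while client jobs run, so failures are visible in the recording`. With `$count = 40` and `sleep 3` the loop gives up after roughly two minutes, which the comment above the loop should state as well.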