diff --git a/needles/cockpit/join_complete-ad-20230722.json b/needles/cockpit/join_complete-ad-20230722.json new file mode 100644 index 00000000..3fbff2a8 --- /dev/null +++ b/needles/cockpit/join_complete-ad-20230722.json @@ -0,0 +1,22 @@ +{ + "area": [ + { + "ypos": 528, + "xpos": 690, + "type": "match", + "width": 217, + "height": 14 + }, + { + "type": "match", + "height": 13, + "width": 48, + "xpos": 587, + "ypos": 527 + } + ], + "properties": [], + "tags": [ + "cockpit_join_complete" + ] +} \ No newline at end of file diff --git a/needles/cockpit/join_complete-ad-20230722.png b/needles/cockpit/join_complete-ad-20230722.png new file mode 100644 index 00000000..90c562db Binary files /dev/null and b/needles/cockpit/join_complete-ad-20230722.png differ diff --git a/templates-updates.fif.json b/templates-updates.fif.json index 49c83102..8a519aae 100644 --- a/templates-updates.fif.json +++ b/templates-updates.fif.json @@ -474,6 +474,13 @@ "fedora-updates-server-x86_64-*-64bit": 5 } }, + "realmd_join_cockpit_ad": { + "profiles": { + "fedora-updates-server-aarch64-*-aarch64": 5, + "fedora-updates-server-ppc64le-*-ppc64le": 5, + "fedora-updates-server-x86_64-*-64bit": 5 + } + }, "realmd_join_sssd": { "profiles": { "fedora-updates-server-aarch64-*-aarch64": 5, @@ -481,6 +488,13 @@ "fedora-updates-server-x86_64-*-64bit": 5 } }, + "realmd_join_sssd_ad": { + "profiles": { + "fedora-updates-server-aarch64-*-aarch64": 5, + "fedora-updates-server-ppc64le-*-ppc64le": 5, + "fedora-updates-server-x86_64-*-64bit": 5 + } + }, "rpmostree_overlay": { "profiles": { "fedora-updates-silverblue-dvd_ostree-iso-x86_64-*-64bit": 5 @@ -569,6 +583,13 @@ "fedora-updates-server-x86_64-*-64bit": 5 } }, + "server_samba_domain_controller": { + "profiles": { + "fedora-updates-server-aarch64-*-aarch64": 5, + "fedora-updates-server-ppc64le-*-ppc64le": 5, + "fedora-updates-server-x86_64-*-64bit": 5 + } + }, "support_server": { "profiles": { "fedora-updates-everything-boot-iso-x86_64-*-64bit": 5 
diff --git a/templates.fif.json b/templates.fif.json index 4e4f8319..c9535e24 100644 --- a/templates.fif.json +++ b/templates.fif.json @@ -1713,7 +1713,7 @@ }, "settings": { "GRUB": "inst.ks=hd:vdb1:/root-user-crypted-net.ks", - "HDD_2": "disk_ks_6.img", + "HDD_2": "disk_ks_7.img", "KICKSTART": "1", "NUMDISKS": "2", "ROOT_PASSWORD": "111111", @@ -2360,13 +2360,37 @@ "BOOTFROM": "c", "NICTYPE": "tap", "PARALLEL_WITH": "server_role_deploy_domain_controller", - "POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change freeipa_client", + "POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change domain_client", "POST_STATIC": "172.16.2.102 client002.test.openqa.fedoraproject.org", "ROOT_PASSWORD": "weakpassword", "USER_LOGIN": "false", "WORKER_CLASS": "tap" } }, + "realmd_join_cockpit_ad": { + "profiles": { + "fedora-Server-dvd-iso-aarch64-*-aarch64": 30, + "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 30, + "fedora-Server-dvd-iso-x86_64-*-64bit": 30 + }, + "settings": { + "+HDD_1": "disk_%MACHINE%_cockpit.qcow2", + "+START_AFTER_TEST": "server_cockpit_default", + "BOOTFROM": "c", + "NICTYPE": "tap", + "PARALLEL_WITH": "server_samba_domain_controller", + "POSTINSTALL": "realmd_join_cockpit domain_client", + "POST_STATIC": "172.16.2.132 adclient002.samdom.openqa.fedoraproject.org", + "REALMD_ADMIN_USER": "administrator", + "REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^", + "REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_IP": "172.16.2.130", + "REALMD_DOMAIN": "samdom.openqa.fedoraproject.org", + "ROOT_PASSWORD": "weakpassword", + "USER_LOGIN": "false", + "WORKER_CLASS": "tap" + } + }, "realmd_join_sssd": { "profiles": { "fedora-Server-dvd-iso-aarch64-*-aarch64": 20, 
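Review bot: `REALMD_ADMIN_PASSWORD` in the new `realmd_join_cockpit_ad` settings repeats a value that is also set in `realmd_join_sssd_ad` further down and hard-coded three times in tests/samba_domain_controller.pm, while `server_samba_domain_controller` has no such setting. Nothing ties these copies together, so changing one of them makes the AD joins fail with an authentication error that does not point back to the mismatch. Consider giving `server_samba_domain_controller` the same `REALMD_ADMIN_PASSWORD` setting and having the provisioning module read it with `get_var`, so the client suites and the domain controller take the credential from the same named setting.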
@@ -2378,7 +2402,7 @@ "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", "NICTYPE": "tap", "PARALLEL_WITH": "server_role_deploy_domain_controller", - "POSTINSTALL": "realmd_join_sssd freeipa_client", + "POSTINSTALL": "realmd_join_sssd domain_client", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "ROOT_PASSWORD": "weakpassword", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", @@ -2386,6 +2410,30 @@ "WORKER_CLASS": "tap" } }, + "realmd_join_sssd_ad": { + "profiles": { + "fedora-Server-dvd-iso-aarch64-*-aarch64": 20, + "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20, + "fedora-Server-dvd-iso-x86_64-*-64bit": 20 + }, + "settings": { + "BOOTFROM": "c", + "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", + "NICTYPE": "tap", + "PARALLEL_WITH": "server_samba_domain_controller", + "POSTINSTALL": "realmd_join_sssd domain_client", + "POST_STATIC": "172.16.2.131 adclient001.samdom.openqa.fedoraproject.org", + "REALMD_ADMIN_USER": "administrator", + "REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^", + "REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_IP": "172.16.2.130", + "REALMD_DOMAIN": "samdom.openqa.fedoraproject.org", + "ROOT_PASSWORD": "weakpassword", + "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", + "USER_LOGIN": "false", + "WORKER_CLASS": "tap" + } + }, "release_identification": { "profiles": { "fedora-CoreOS-colive-iso-x86_64-*-64bit": 50, 
@@ -2547,12 +2595,14 @@ }, "settings": { "BOOTFROM": "c", - "FREEIPA_REPLICA_CLIENT": "1", "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", "NICTYPE": "tap", "PARALLEL_WITH": "server_freeipa_replication_replica", - "POSTINSTALL": "realmd_join_sssd freeipa_client", + "POSTINSTALL": "realmd_join_sssd domain_client", "POST_STATIC": "172.16.2.108 client005.test.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_HOST": "ipa003.test.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_IP": "172.16.2.107", + "REALMD_SERVER_MUTEX": "domain_replica_ready", "ROOT_PASSWORD": "weakpassword", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", "USER_LOGIN": "false", @@ -2594,6 +2644,8 @@ "PARALLEL_WITH": "server_freeipa_replication_master", "POSTINSTALL": "realmd_join_sssd", "POST_STATIC": "172.16.2.107 ipa003.test.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_HOST": "ipa002.test.openqa.fedoraproject.org", + "REALMD_DNS_SERVER_IP": "172.16.2.106", "ROOT_PASSWORD": "weakpassword", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", "USER_LOGIN": "false", 
@@ -2608,13 +2660,35 @@ }, "settings": { "GRUB": "inst.ks=hd:vdb1:/freeipaclient.ks", - "HDD_2": "disk_ks_6.img", - "INSTALL_UNLOCK": "freeipa_ready", + "HDD_2": "disk_ks_7.img", + "INSTALL_UNLOCK": "domain_server_ready", "KICKSTART": "1", "NICTYPE": "tap", "NUMDISKS": "2", "PARALLEL_WITH": "server_role_deploy_domain_controller", - "POSTINSTALL": "freeipa_client", + "POSTINSTALL": "domain_client", + "ROOT_PASSWORD": "anaconda", + "USER_LOGIN": "false", + "WORKER_CLASS": "tap" + } + }, + "server_realmd_join_kickstart_ad": { + "profiles": { + "fedora-Server-dvd-iso-aarch64-*-aarch64": 20, + "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20, + "fedora-Server-dvd-iso-x86_64-*-64bit": 20 + }, + "settings": { + "GRUB": "inst.ks=hd:vdb1:/adclient.ks", + "HDD_2": "disk_ks_7.img", + "INSTALL_UNLOCK": "domain_server_ready", + "KICKSTART": "1", + "NICTYPE": "tap", + "NUMDISKS": "2", + "PARALLEL_WITH": "server_samba_domain_controller", + "POSTINSTALL": "domain_client", + "REALMD_ADMIN_USER": "administrator", + "REALMD_DOMAIN": "samdom.openqa.fedoraproject.org", "ROOT_PASSWORD": "anaconda", "USER_LOGIN": "false", "WORKER_CLASS": "tap" @@ -2696,6 +2770,25 @@ "WORKER_CLASS": "tap" } }, + "server_samba_domain_controller": { + "profiles": { + "fedora-Server-dvd-iso-aarch64-*-aarch64": 20, + "fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20, + "fedora-Server-dvd-iso-x86_64-*-64bit": 20 + }, + "settings": { + "BOOTFROM": "c", + "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", + "NICTYPE": "tap", + "PARALLEL_CANCEL_WHOLE_CLUSTER": "0", + "POSTINSTALL": "samba_domain_controller samba_domain_controller_check", + "POST_STATIC": "172.16.2.130 ad001.samdom.openqa.fedoraproject.org", + "ROOT_PASSWORD": "weakpassword", + "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", + "USER_LOGIN": "false", + "WORKER_CLASS": "tap" + } + }, "support_server": { "profiles": { "fedora-Server-dvd-iso-aarch64-*-aarch64": 10, 
@@ -2839,7 +2932,7 @@ "BOOTFROM": "c", "NICTYPE": "tap", "PARALLEL_WITH": "upgrade_2_server_domain_controller", - "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client", + "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "PREUPGRADE": "realmd_join_sssd", "ROOT_PASSWORD": "weakpassword", @@ -2975,7 +3068,7 @@ "MAX_JOB_TIME": "10800", "NICTYPE": "tap", "PARALLEL_WITH": "upgrade_server_domain_controller", - "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client", + "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "PREUPGRADE": "realmd_join_sssd", "ROOT_PASSWORD": "weakpassword", diff --git a/tests/domain_client.pm b/tests/domain_client.pm new file mode 100644 index 00000000..97e51ac2 --- /dev/null +++ b/tests/domain_client.pm 
@@ -0,0 +1,63 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+ my $self = shift;
+ my $admin = get_var("REALMD_ADMIN_USER", "admin");
+ my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org");
+ my $udomain = uc($domain);
+ my $qdomain = quotemeta($domain);
+ my $qudomain = uc($qdomain);
+ # switch to tty1 (we're usually there already, but just in case
+ # we're carrying on from a failed freeipa_webui that didn't fail
+ # at tty1)
+ send_key "ctrl-alt-f1";
+ wait_still_screen 1;
+ # check domain is listed in 'realm list'
+ validate_script_output 'realm list', sub { $_ =~ m/domain-name: $qdomain.*configured: kerberos-member/s };
+ # check we can resolve domain accounts
+ assert_script_run "getent passwd $admin\@$udomain";
+ # check keytab entries
+ # on AD clients, this isn't automatically installed
+ assert_script_run "dnf -y install krb5-workstation", 180;
+ my $hostname = script_output 'hostname';
+ my $qhost = quotemeta($hostname);
+ validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@$qudomain/ };
+ # check we can kinit with the host principal
+ if ($domain =~ m/samdom/) {
+ my $shorthost = uc((split(/\./, $hostname))[0]);
+ assert_script_run "kinit -k $shorthost\\\$\@$udomain";
+ }
+ else {
+ assert_script_run "kinit -k host/$hostname\@$udomain";
+ }
+ # Set a longer timeout for login(1) to workaround RHBZ #1661273
+ assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
+ # switch to tty2 for login tests
+ send_key "ctrl-alt-f2";
+ # try and login as test1, should work
+ console_login(user => "test1\@$domain", password => 'batterystaple');
+ type_string "exit\n";
+ unless ($domain =~ m/samdom/) {
+ # try and login as test2, should fail. we cannot use console_login
+ # as it takes 10 seconds to complete when login fails, and
+ # "permission denied" message doesn't last that long
+ sleep 2;
+ assert_screen "text_console_login";
+ type_string "test2\@$udomain\n";
+ assert_screen "console_password_required";
+ type_string "batterystaple\n";
+ assert_screen "login_permission_denied";
+ }
+}
+
+
+sub test_flags {
+ return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et:
diff --git a/tests/freeipa_client.pm b/tests/freeipa_client.pm
deleted file mode 100644
index 3273b529..00000000
--- a/tests/freeipa_client.pm
+++ /dev/null
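Review bot: The two `$domain =~ m/samdom/` tests in tests/domain_client.pm pick the AD or FreeIPA behaviour from a substring of the domain name, so an AD realm whose name lacks "samdom" would silently take the FreeIPA path (and a FreeIPA realm containing it the AD path). An explicit job setting for the domain type, set in the `_ad` suites, would make the branch intention visible and independent of naming. On the AD path the "test2 should fail" block is skipped, so this module checks no denied login for AD; a comment at the `unless` such as `# AD: no per-user access rule is configured on the Samba DC, so there is no denied user to test` (to be confirmed against the DC module) would record why.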
@@ -1,48 +0,0 @@
-use base "installedtest";
-use strict;
-use testapi;
-use utils;
-
-sub run {
- my $self = shift;
- # switch to tty1 (we're usually there already, but just in case
- # we're carrying on from a failed freeipa_webui that didn't fail
- # at tty1)
- send_key "ctrl-alt-f1";
- wait_still_screen 1;
- # check domain is listed in 'realm list'
- validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.fedoraproject\.org.*configured: kerberos-member/s };
- # check we can see the admin user in getent
- assert_script_run 'getent passwd admin@TEST.OPENQA.FEDORAPROJECT.ORG';
- # check keytab entries
- my $hostname = script_output 'hostname';
- my $qhost = quotemeta($hostname);
- validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.FEDORAPROJECT\.ORG/ };
- # check we can kinit with the host principal
- assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.FEDORAPROJECT.ORG";
- # Set a longer timeout for login(1) to workaround RHBZ #1661273
- assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
- # switch to tty2 for login tests
- send_key "ctrl-alt-f2";
- # try and login as test1, should work
- console_login(user => 'test1@TEST.OPENQA.FEDORAPROJECT.ORG', password => 'batterystaple');
- type_string "exit\n";
- # try and login as test2, should fail. we cannot use console_login
- # as it takes 10 seconds to complete when login fails, and
- # "permission denied" message doesn't last that long
- sleep 2;
- assert_screen "text_console_login";
- type_string "test2\@TEST.OPENQA.FEDORAPROJECT.ORG\n";
- assert_screen "console_password_required";
- type_string "batterystaple\n";
- assert_screen "login_permission_denied";
-}
-
-
-sub test_flags {
- return {fatal => 1};
-}
-
-1;
-
-# vim: set sw=4 et:
diff --git a/tests/freeipa_password_change.pm b/tests/freeipa_password_change.pm
index 4d9d1631..ef32c73e 100644
--- a/tests/freeipa_password_change.pm
+++ b/tests/freeipa_password_change.pm
@@ -40,14 +40,14 @@ sub run { # check we can kinit with changed password assert_script_run 'printf "loremipsum" | kinit test3'; # change password via CLI (back to batterystaple, as that's what - # freeipa_client test expects) + # domain_client test expects) assert_script_run 'dnf -y install freeipa-admintools'; assert_script_run 'printf "batterystaple\nbatterystaple" | ipa user-mod test3 --password'; # check we can kinit again assert_script_run 'printf "batterystaple" | kinit test3'; - # clear kerberos ticket for freeipa_client test + # clear kerberos ticket for domain_client test assert_script_run 'kdestroy -A'; - # we just stay here - freeipa_client will pick right up + # we just stay here - domain_client will pick right up } sub test_flags { diff --git a/tests/realmd_join_cockpit.pm b/tests/realmd_join_cockpit.pm index a49e6829..d35daaee 100644 --- a/tests/realmd_join_cockpit.pm +++ b/tests/realmd_join_cockpit.pm 
@@ -8,18 +8,27 @@ use cockpit; sub run { my $self = shift; - # use FreeIPA server as DNS server - assert_script_run "printf 'search test.openqa.fedoraproject.org\nnameserver 172.16.2.100' > /etc/resolv.conf"; + # use appropriate server IP, hostname, mutex and admin password + # Several tests use the 'regular' FreeIPA server, so the values + # for that are the defaults; other tests use a replica server, or + # the AD server, so they specify this in their vars. + my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org'); + my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100'); + my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready'); + my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123'); + my $admin_user = get_var("REALMD_ADMIN_USER", 'admin'); + my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org"); + assert_script_run "printf '$domain\nnameserver $server_ip' > /etc/resolv.conf"; # this gets us the name of the first connection in the list, # which should be what we want my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1"; - assert_script_run "nmcli con mod '$connection' ipv4.dns '172.16.2.100'"; + assert_script_run "nmcli con mod '$connection' ipv4.dns '$server_ip'"; assert_script_run "nmcli con down '$connection'"; assert_script_run "nmcli con up '$connection'"; # wait for the server to be ready (do it now just to make sure name # resolution is working before we proceed) - mutex_lock "freeipa_ready"; - mutex_unlock "freeipa_ready"; + mutex_lock "domain_server_ready"; + mutex_unlock "domain_server_ready"; # do repo setup repo_setup(); # set sssd debugging level higher (useful for debugging failures) 
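Review bot: The rewritten `printf` that seeds /etc/resolv.conf in tests/realmd_join_cockpit.pm drops the `search` keyword, so the first line written is the bare domain name rather than a `search` directive; it should read `assert_script_run "printf 'search $domain\nnameserver $server_ip' > /etc/resolv.conf";`. In the same hunk `$server_mutex` is read from `REALMD_SERVER_MUTEX` but never used, because the lock and unlock still name the literal `"domain_server_ready"`, so that setting has no effect here. Use `mutex_lock $server_mutex;` and `mutex_unlock $server_mutex;`, or drop the variable. `run` continues outside the hunk.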
@@ -52,12 +61,12 @@ sub run { # ...but two tabs in both places on earlier versions $tabs = "\t\t" if ($cockpitver < 255); type_string($tabs, 4); - type_string("ipa001.test.openqa.fedoraproject.org", 4); + type_string($server, 4); type_string($tabs, 4); - type_string("admin", 4); + type_string($admin_user, 4); send_key "tab"; sleep 3; - type_string("monkeys123", 4); + type_string($admin_pw, 4); sleep 3; assert_and_click "cockpit_join_button"; # join involves package installs, so it may take some time diff --git a/tests/realmd_join_sssd.pm b/tests/realmd_join_sssd.pm index cf8f4ed8..f79c121d 100644 --- a/tests/realmd_join_sssd.pm +++ b/tests/realmd_join_sssd.pm @@ -8,19 +8,15 @@ use utils; sub run { my $self = shift; - # use FreeIPA server or replica as DNS server - my $server = 'ipa001.test.openqa.fedoraproject.org'; - my $server_ip = '172.16.2.100'; - my $server_mutex = 'freeipa_ready'; - if (get_var("FREEIPA_REPLICA")) { - $server = 'ipa002.test.openqa.fedoraproject.org'; - $server_ip = '172.16.2.106'; - } - if (get_var("FREEIPA_REPLICA_CLIENT")) { - $server = 'ipa003.test.openqa.fedoraproject.org'; - $server_ip = '172.16.2.107'; - $server_mutex = 'replica_ready'; - } + # use appropriate server IP, hostname, mutex and admin password + # Several tests use the 'regular' FreeIPA server, so the values + # for that are the defaults; other tests use a replica server, or + # the AD server, so they specify this in their vars. + my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org'); + my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100'); + my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready'); + my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123'); + my $admin_user = get_var("REALMD_ADMIN_USER", 'admin'); # this gets us the name of the first connection in the list, # which should be what we want my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1"; 
@@ -63,13 +59,13 @@ sub run { assert_script_run "systemctl start ipa.service", 300; # report that we're ready to go - mutex_create('replica_ready'); + mutex_create('domain_replica_ready'); # wait for the client test wait_for_children; } else { - assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300; + assert_script_run "echo '${admin_pw}' | realm join --user=${admin_user} ${server}", 300; } # set sssd debugging level higher (useful for debugging failures) # optional as it's not really part of the test diff --git a/tests/role_deploy_domain_controller.pm b/tests/role_deploy_domain_controller.pm index 65a3d364..0ad1293d 100644 --- a/tests/role_deploy_domain_controller.pm +++ b/tests/role_deploy_domain_controller.pm @@ -66,7 +66,7 @@ sub run { assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.FEDORAPROJECT.ORG'; assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.FEDORAPROJECT.ORG'; # we're ready for children to enrol, now - mutex_create("freeipa_ready"); + mutex_create("domain_server_ready"); # if upgrade test, wait for children to enrol before upgrade if (get_var("UPGRADE")) { my $children = get_children(); diff --git a/tests/samba_domain_controller.pm b/tests/samba_domain_controller.pm new file mode 100644 index 00000000..684e1d39 --- /dev/null +++ b/tests/samba_domain_controller.pm 
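Review bot: In tests/realmd_join_sssd.pm the `realm join` line now splices `REALMD_ADMIN_PASSWORD`, `REALMD_ADMIN_USER` and the server name from job settings straight into a shell command, with only the password quoted. A setting value containing a single quote or whitespace would break or change the command, which mattered less when these were literals in the module. Consider quoting all three, `--user='${admin_user}' '${server}'`, and rejecting a password that contains `'` before the string is built, e.g. `die "REALMD_ADMIN_PASSWORD must not contain a single quote" if $admin_pw =~ /'/;`. The enclosing `run` starts and ends outside this hunk.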
@@ -0,0 +1,88 @@
+use base "installedtest";
+use strict;
+use testapi;
+use lockapi;
+use mmapi;
+use tapnet;
+use utils;
+
+# thanks to:
+# https://fedoramagazine.org/samba-as-ad-and-domain-controller/
+# https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
+
+sub run {
+ my $self = shift;
+ # login
+ $self->root_console();
+ # use compose repo, disable u-t, etc. unless this is an upgrade
+ # test (in which case we're on the 'old' release at this point;
+ # one of the upgrade test modules does repo_setup later)
+ repo_setup() unless get_var("UPGRADE");
+ # this seems to cause problems if it runs before clients are done
+ assert_script_run "systemctl stop systemd-tmpfiles-clean.timer";
+ # we need a lot of entropy for this, and we don't care how good
+ # it is, so let's use haveged
+ assert_script_run "dnf -y install haveged", 300;
+ assert_script_run 'systemctl start haveged.service';
+ assert_script_run "rm -f /etc/samba/smb.conf";
+ # First install the necessary packages
+ assert_script_run "dnf -y install samba-dc samba-tools krb5-workstation adcli", 600;
+ # configure the firewall
+ assert_script_run "firewall-cmd --permanent --add-service samba-dc";
+ assert_script_run "systemctl restart firewalld.service";
+ # configure SELinux
+ assert_script_run "setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on";
+ # extract our IP and hostname from POST_STATIC
+ my $poststatic = get_var("POST_STATIC");
+ my ($ip, $hostname) = split(" ", $poststatic);
+ # set up DNS
+ script_run "mkdir -p /etc/systemd/resolved.conf.d";
+ assert_script_run 'printf "[Resolve]\nDNSStubListener=no\nDomains=samdom.openqa.fedoraproject.org\nDNS=' . $ip . '\n" > /etc/systemd/resolved.conf.d/sambaad.conf';
+ upload_logs "/etc/systemd/resolved.conf.d/sambaad.conf";
+ assert_script_run "systemctl restart systemd-resolved.service";
+ # deploy the server
+ assert_script_run "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.OPENQA.FEDORAPROJECT.ORG --domain=samdom --adminpass=129ho3eau47#qm9to9s^", 1200;
+ # set up DNS forwarding
+ my ($forwarder, $others) = get_host_dns();
+ assert_script_run 'sed -i -e "s,dns forwarder =.*,dns forwarder = ' . $forwarder . ',g" /etc/samba/smb.conf';
+ upload_logs "/etc/samba/smb.conf";
+ # set up kerberos
+ assert_script_run "cp /var/lib/samba/private/krb5.conf /etc/krb5.conf.d/samba-dc";
+ upload_logs "/etc/krb5.conf.d/samba-dc";
+ # enable and start the systemd service
+ assert_script_run "systemctl enable samba.service";
+ assert_script_run "systemctl start samba.service", 300;
+
+ # kinit as admin
+ assert_script_run 'echo "129ho3eau47#qm9to9s^" | kinit administrator';
+ # turn off annoying password constraints
+ assert_script_run "samba-tool domain passwordsettings set --complexity=off", 1200;
+ # set up an OTP for adclient003 enrolment (it will enrol with a kickstart)
+ assert_script_run 'echo "129ho3eau47#qm9to9s^" | adcli preset-computer -U administrator --verbose --domain samdom.openqa.fedoraproject.org --stdin-password --one-time-password=monkeys adclient003.samdom.openqa.fedoraproject.org';
+ # create two user accounts, test1 and test2
+ assert_script_run 'samba-tool user add test1 batterystaple --unix-home=/home/test1 --login-shell=/bin/bash --uid=number=10000 --gid-number=10000';
+ # add a rule allowing access to all hosts and services
+ #assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
+ # add test1 (but not test2) to the rule
+ #assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
+ # disable the default 'everyone everywhere' rule
+ #assert_script_run 'ipa hbacrule-disable allow_all';
+ # allow immediate password changes (as we need to test this)
+ #assert_script_run 'ipa pwpolicy-mod --minlife=0';
+ # magic voodoo crap to allow reverse DNS client sync to work
+ # https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
+ #assert_script_run 'ipa dnszone-mod test.openqa.fedoraproject.org. --allow-sync-ptr=TRUE';
+ # check we can kinit as each user
+ assert_script_run 'printf "batterystaple" | kinit test1@SAMDOM.OPENQA.FEDORAPROJECT.ORG';
+ # we're ready for children to enrol, now
+ mutex_create("domain_server_ready");
+}
+
+
+sub test_flags {
+ return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et:
diff --git a/tests/samba_domain_controller_check.pm b/tests/samba_domain_controller_check.pm
new file mode 100644
index 00000000..87595aad
--- /dev/null
+++ b/tests/samba_domain_controller_check.pm
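Review bot: `--uid=number=10000` in the `samba-tool user add test1` line of tests/samba_domain_controller.pm looks like a typo for `--uid-number=10000`; as written the string `number=10000` is passed to `--uid`, so test1 probably does not get the intended numeric UID to go with `--gid-number=10000`. The comments around that line (`# create two user accounts, test1 and test2`, `# check we can kinit as each user`) describe a test2 account that is never created, so either add it or reword them to mention test1 only. The block of commented-out `ipa hbacrule-*` calls carried over from the FreeIPA module would be clearer replaced by one comment stating that no per-user access rule is set up for AD.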
@@ -0,0 +1,44 @@
+use base "installedtest";
+use strict;
+use testapi;
+use lockapi;
+use mmapi;
+
+sub run {
+ my $self = shift;
+ # make sure ipa.service actually came up successfully
+ my $count = 40;
+ while (1) {
+ $count -= 1;
+ die "Waited too long for samba.service to show up!" if ($count == 0);
+ sleep 3;
+ # if it's active, we're done here
+ last unless script_run 'systemctl is-active samba.service';
+ # if it's not...fail if it's failed
+ assert_script_run '! systemctl is-failed samba.service';
+ # if we get here, it's activating, so loop around
+ }
+ # if this is an update, notify clients that we're now up again
+ mutex_create('server_upgraded') if get_var("UPGRADE");
+ # once child jobs are done, stop the server
+ # debug debug
+ type_string "journalctl -f\n";
+ wait_for_children;
+ send_key "ctrl-c";
+ # run post-fail hook to upload logs - even when this test passes
+ # there are often cases where we need to see the logs (e.g. client
+ # test failed due to server issue)
+ $self->post_fail_hook();
+ assert_script_run 'systemctl stop samba.service';
+ # check server is stopped
+ assert_script_run '! systemctl is-active samba.service';
+}
+
+
+sub test_flags {
+ return {fatal => 1};
+}
+
+1;
+
+# vim: set sw=4 et:
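Review bot: The opening comment in `run` of tests/samba_domain_controller_check.pm still says `# make sure ipa.service actually came up successfully`, but the loop below it polls `samba.service`; it should read `# make sure samba.service actually came up successfully`. The `# debug debug` comment before `type_string "journalctl -f\n";` could likewise say what the journal follow is for, e.g. `# follow the journal while clients run, so server-side errors show in the job video`.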