mirror of https://pagure.io/fedora-qa/os-autoinst-distri-fedora.git synced 2024-11-21 21:43:08 +00:00

Add Samba AD tests

This adds a Samba AD server test, and client enrolment tests via
sssd, Cockpit and kickstart. Requires the matching createhdds
commit to add the kickstart to the disk_ks image.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Adam Williamson 2023-07-19 16:41:21 -07:00
parent f528904344
commit 74b468b949
12 changed files with 373 additions and 85 deletions


@ -0,0 +1,22 @@
{
"area": [
{
"ypos": 528,
"xpos": 690,
"type": "match",
"width": 217,
"height": 14
},
{
"type": "match",
"height": 13,
"width": 48,
"xpos": 587,
"ypos": 527
}
],
"properties": [],
"tags": [
"cockpit_join_complete"
]
}

Binary file not shown.



@ -474,6 +474,13 @@
"fedora-updates-server-x86_64-*-64bit": 5 "fedora-updates-server-x86_64-*-64bit": 5
} }
}, },
"realmd_join_cockpit_ad": {
"profiles": {
"fedora-updates-server-aarch64-*-aarch64": 5,
"fedora-updates-server-ppc64le-*-ppc64le": 5,
"fedora-updates-server-x86_64-*-64bit": 5
}
},
"realmd_join_sssd": { "realmd_join_sssd": {
"profiles": { "profiles": {
"fedora-updates-server-aarch64-*-aarch64": 5, "fedora-updates-server-aarch64-*-aarch64": 5,
@ -481,6 +488,13 @@
"fedora-updates-server-x86_64-*-64bit": 5 "fedora-updates-server-x86_64-*-64bit": 5
} }
}, },
"realmd_join_sssd_ad": {
"profiles": {
"fedora-updates-server-aarch64-*-aarch64": 5,
"fedora-updates-server-ppc64le-*-ppc64le": 5,
"fedora-updates-server-x86_64-*-64bit": 5
}
},
"rpmostree_overlay": { "rpmostree_overlay": {
"profiles": { "profiles": {
"fedora-updates-silverblue-dvd_ostree-iso-x86_64-*-64bit": 5 "fedora-updates-silverblue-dvd_ostree-iso-x86_64-*-64bit": 5
@ -569,6 +583,13 @@
"fedora-updates-server-x86_64-*-64bit": 5 "fedora-updates-server-x86_64-*-64bit": 5
} }
}, },
"server_samba_domain_controller": {
"profiles": {
"fedora-updates-server-aarch64-*-aarch64": 5,
"fedora-updates-server-ppc64le-*-ppc64le": 5,
"fedora-updates-server-x86_64-*-64bit": 5
}
},
"support_server": { "support_server": {
"profiles": { "profiles": {
"fedora-updates-everything-boot-iso-x86_64-*-64bit": 5 "fedora-updates-everything-boot-iso-x86_64-*-64bit": 5


@ -1713,7 +1713,7 @@
}, },
"settings": { "settings": {
"GRUB": "inst.ks=hd:vdb1:/root-user-crypted-net.ks", "GRUB": "inst.ks=hd:vdb1:/root-user-crypted-net.ks",
"HDD_2": "disk_ks_6.img", "HDD_2": "disk_ks_7.img",
"KICKSTART": "1", "KICKSTART": "1",
"NUMDISKS": "2", "NUMDISKS": "2",
"ROOT_PASSWORD": "111111", "ROOT_PASSWORD": "111111",
@ -2360,13 +2360,37 @@
"BOOTFROM": "c", "BOOTFROM": "c",
"NICTYPE": "tap", "NICTYPE": "tap",
"PARALLEL_WITH": "server_role_deploy_domain_controller", "PARALLEL_WITH": "server_role_deploy_domain_controller",
"POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change freeipa_client", "POSTINSTALL": "realmd_join_cockpit freeipa_webui freeipa_password_change domain_client",
"POST_STATIC": "172.16.2.102 client002.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.102 client002.test.openqa.fedoraproject.org",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
"USER_LOGIN": "false", "USER_LOGIN": "false",
"WORKER_CLASS": "tap" "WORKER_CLASS": "tap"
} }
}, },
"realmd_join_cockpit_ad": {
"profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 30,
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 30,
"fedora-Server-dvd-iso-x86_64-*-64bit": 30
},
"settings": {
"+HDD_1": "disk_%MACHINE%_cockpit.qcow2",
"+START_AFTER_TEST": "server_cockpit_default",
"BOOTFROM": "c",
"NICTYPE": "tap",
"PARALLEL_WITH": "server_samba_domain_controller",
"POSTINSTALL": "realmd_join_cockpit domain_client",
"POST_STATIC": "172.16.2.132 adclient002.samdom.openqa.fedoraproject.org",
"REALMD_ADMIN_USER": "administrator",
"REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^",
"REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_IP": "172.16.2.130",
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
"ROOT_PASSWORD": "weakpassword",
"USER_LOGIN": "false",
"WORKER_CLASS": "tap"
}
},
"realmd_join_sssd": { "realmd_join_sssd": {
"profiles": { "profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20, "fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
@ -2378,7 +2402,7 @@
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
"NICTYPE": "tap", "NICTYPE": "tap",
"PARALLEL_WITH": "server_role_deploy_domain_controller", "PARALLEL_WITH": "server_role_deploy_domain_controller",
"POSTINSTALL": "realmd_join_sssd freeipa_client", "POSTINSTALL": "realmd_join_sssd domain_client",
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
@ -2386,6 +2410,30 @@
"WORKER_CLASS": "tap" "WORKER_CLASS": "tap"
} }
}, },
"realmd_join_sssd_ad": {
"profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
},
"settings": {
"BOOTFROM": "c",
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
"NICTYPE": "tap",
"PARALLEL_WITH": "server_samba_domain_controller",
"POSTINSTALL": "realmd_join_sssd domain_client",
"POST_STATIC": "172.16.2.131 adclient001.samdom.openqa.fedoraproject.org",
"REALMD_ADMIN_USER": "administrator",
"REALMD_ADMIN_PASSWORD": "129ho3eau47#qm9to9s^",
"REALMD_DNS_SERVER_HOST": "ad001.samdom.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_IP": "172.16.2.130",
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
"ROOT_PASSWORD": "weakpassword",
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
"USER_LOGIN": "false",
"WORKER_CLASS": "tap"
}
},
"release_identification": { "release_identification": {
"profiles": { "profiles": {
"fedora-CoreOS-colive-iso-x86_64-*-64bit": 50, "fedora-CoreOS-colive-iso-x86_64-*-64bit": 50,
@ -2547,12 +2595,14 @@
}, },
"settings": { "settings": {
"BOOTFROM": "c", "BOOTFROM": "c",
"FREEIPA_REPLICA_CLIENT": "1",
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2", "HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
"NICTYPE": "tap", "NICTYPE": "tap",
"PARALLEL_WITH": "server_freeipa_replication_replica", "PARALLEL_WITH": "server_freeipa_replication_replica",
"POSTINSTALL": "realmd_join_sssd freeipa_client", "POSTINSTALL": "realmd_join_sssd domain_client",
"POST_STATIC": "172.16.2.108 client005.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.108 client005.test.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_HOST": "ipa003.test.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_IP": "172.16.2.107",
"REALMD_SERVER_MUTEX": "domain_replica_ready",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
"USER_LOGIN": "false", "USER_LOGIN": "false",
@ -2594,6 +2644,8 @@
"PARALLEL_WITH": "server_freeipa_replication_master", "PARALLEL_WITH": "server_freeipa_replication_master",
"POSTINSTALL": "realmd_join_sssd", "POSTINSTALL": "realmd_join_sssd",
"POST_STATIC": "172.16.2.107 ipa003.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.107 ipa003.test.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_HOST": "ipa002.test.openqa.fedoraproject.org",
"REALMD_DNS_SERVER_IP": "172.16.2.106",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%", "START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
"USER_LOGIN": "false", "USER_LOGIN": "false",
@ -2608,13 +2660,35 @@
}, },
"settings": { "settings": {
"GRUB": "inst.ks=hd:vdb1:/freeipaclient.ks", "GRUB": "inst.ks=hd:vdb1:/freeipaclient.ks",
"HDD_2": "disk_ks_6.img", "HDD_2": "disk_ks_7.img",
"INSTALL_UNLOCK": "freeipa_ready", "INSTALL_UNLOCK": "domain_server_ready",
"KICKSTART": "1", "KICKSTART": "1",
"NICTYPE": "tap", "NICTYPE": "tap",
"NUMDISKS": "2", "NUMDISKS": "2",
"PARALLEL_WITH": "server_role_deploy_domain_controller", "PARALLEL_WITH": "server_role_deploy_domain_controller",
"POSTINSTALL": "freeipa_client", "POSTINSTALL": "domain_client",
"ROOT_PASSWORD": "anaconda",
"USER_LOGIN": "false",
"WORKER_CLASS": "tap"
}
},
"server_realmd_join_kickstart_ad": {
"profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
},
"settings": {
"GRUB": "inst.ks=hd:vdb1:/adclient.ks",
"HDD_2": "disk_ks_7.img",
"INSTALL_UNLOCK": "domain_server_ready",
"KICKSTART": "1",
"NICTYPE": "tap",
"NUMDISKS": "2",
"PARALLEL_WITH": "server_samba_domain_controller",
"POSTINSTALL": "domain_client",
"REALMD_ADMIN_USER": "administrator",
"REALMD_DOMAIN": "samdom.openqa.fedoraproject.org",
"ROOT_PASSWORD": "anaconda", "ROOT_PASSWORD": "anaconda",
"USER_LOGIN": "false", "USER_LOGIN": "false",
"WORKER_CLASS": "tap" "WORKER_CLASS": "tap"
@ -2696,6 +2770,25 @@
"WORKER_CLASS": "tap" "WORKER_CLASS": "tap"
} }
}, },
"server_samba_domain_controller": {
"profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 20,
"fedora-Server-dvd-iso-ppc64le-*-ppc64le": 20,
"fedora-Server-dvd-iso-x86_64-*-64bit": 20
},
"settings": {
"BOOTFROM": "c",
"HDD_1": "disk_%FLAVOR%_%MACHINE%.qcow2",
"NICTYPE": "tap",
"PARALLEL_CANCEL_WHOLE_CLUSTER": "0",
"POSTINSTALL": "samba_domain_controller samba_domain_controller_check",
"POST_STATIC": "172.16.2.130 ad001.samdom.openqa.fedoraproject.org",
"ROOT_PASSWORD": "weakpassword",
"START_AFTER_TEST": "%DEPLOY_UPLOAD_TEST%",
"USER_LOGIN": "false",
"WORKER_CLASS": "tap"
}
},
"support_server": { "support_server": {
"profiles": { "profiles": {
"fedora-Server-dvd-iso-aarch64-*-aarch64": 10, "fedora-Server-dvd-iso-aarch64-*-aarch64": 10,
@ -2839,7 +2932,7 @@
"BOOTFROM": "c", "BOOTFROM": "c",
"NICTYPE": "tap", "NICTYPE": "tap",
"PARALLEL_WITH": "upgrade_2_server_domain_controller", "PARALLEL_WITH": "upgrade_2_server_domain_controller",
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client", "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client",
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
"PREUPGRADE": "realmd_join_sssd", "PREUPGRADE": "realmd_join_sssd",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
@ -2975,7 +3068,7 @@
"MAX_JOB_TIME": "10800", "MAX_JOB_TIME": "10800",
"NICTYPE": "tap", "NICTYPE": "tap",
"PARALLEL_WITH": "upgrade_server_domain_controller", "PARALLEL_WITH": "upgrade_server_domain_controller",
"POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change freeipa_client", "POSTINSTALL": "_setup_browser freeipa_webui freeipa_password_change domain_client",
"POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org", "POST_STATIC": "172.16.2.103 client003.test.openqa.fedoraproject.org",
"PREUPGRADE": "realmd_join_sssd", "PREUPGRADE": "realmd_join_sssd",
"ROOT_PASSWORD": "weakpassword", "ROOT_PASSWORD": "weakpassword",
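Review bot: The AD administrator password is written out as a literal `REALMD_ADMIN_PASSWORD` in both `realmd_join_cockpit_ad` and `realmd_join_sssd_ad`, while the new `server_samba_domain_controller` suite defines no such setting, so the server side has to carry its own copy of the same value. Copies of one credential drift easily, and a mismatch would surface only as a failed join on the clients, far from the cause. Consider adding the same `REALMD_ADMIN_PASSWORD` entry to the `server_samba_domain_controller` settings and having the server module read it, so every suite takes the value from one kind of place. Job settings are normally readable in the openQA job details, so this should remain a throwaway credential that is valid only inside the isolated test network.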

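--- a/tests/domain_client.pm
+++ b/tests/domain_client.pm
@@ -0,0 +1,63 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+sub run {
+my $self = shift;
+my $admin = get_var("REALMD_ADMIN_USER", "admin");
+my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org");
+my $udomain = uc($domain);
+my $qdomain = quotemeta($domain);
+my $qudomain = uc($qdomain);
+# switch to tty1 (we're usually there already, but just in case
+# we're carrying on from a failed freeipa_webui that didn't fail
+# at tty1)
+send_key "ctrl-alt-f1";
+wait_still_screen 1;
+# check domain is listed in 'realm list'
+validate_script_output 'realm list', sub { $_ =~ m/domain-name: $qdomain.*configured: kerberos-member/s };
+# check we can resolve domain accounts
+assert_script_run "getent passwd $admin\@$udomain";
+# check keytab entries
+# on AD clients, this isn't automatically installed
+assert_script_run "dnf -y install krb5-workstation", 180;
+my $hostname = script_output 'hostname';
+my $qhost = quotemeta($hostname);
+validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@$qudomain/ };
+# check we can kinit with the host principal
+if ($domain =~ m/samdom/) {
+my $shorthost = uc((split(/\./, $hostname))[0]);
+assert_script_run "kinit -k $shorthost\\\$\@$udomain";
+}
+else {
+assert_script_run "kinit -k host/$hostname\@$udomain";
+}
+# Set a longer timeout for login(1) to workaround RHBZ #1661273
+assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
+# switch to tty2 for login tests
+send_key "ctrl-alt-f2";
+# try and login as test1, should work
+console_login(user => "test1\@$domain", password => 'batterystaple');
+type_string "exit\n";
+unless ($domain =~ m/samdom/) {
+# try and login as test2, should fail. we cannot use console_login
+# as it takes 10 seconds to complete when login fails, and
+# "permission denied" message doesn't last that long
+sleep 2;
+assert_screen "text_console_login";
+type_string "test2\@$udomain\n";
+assert_screen "console_password_required";
+type_string "batterystaple\n";
+assert_screen "login_permission_denied";
+}
+}
+sub test_flags {
+return {fatal => 1};
+}
+1;
+# vim: set sw=4 et: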
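Review bot: The AD path is selected by `$domain =~ m/samdom/` in two places, and on that path the module's only negative check (test2 must be refused at login) is skipped with no comment saying why. As written, the AD variant proves that a domain user can log in but never that anyone is denied, so a client that admits every domain account would still pass. Compute the flag once, e.g. `my $is_ad = $domain =~ m/samdom/;`, and put a comment on the `unless` block stating that the AD variant has no denial case to check yet. A substring match on the realm name would also misfire for any other realm whose name happens to contain `samdom`; an explicit job setting would be sturdier.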


@ -1,48 +0,0 @@
use base "installedtest";
use strict;
use testapi;
use utils;
sub run {
my $self = shift;
# switch to tty1 (we're usually there already, but just in case
# we're carrying on from a failed freeipa_webui that didn't fail
# at tty1)
send_key "ctrl-alt-f1";
wait_still_screen 1;
# check domain is listed in 'realm list'
validate_script_output 'realm list', sub { $_ =~ m/domain-name: test\.openqa\.fedoraproject\.org.*configured: kerberos-member/s };
# check we can see the admin user in getent
assert_script_run 'getent passwd admin@TEST.OPENQA.FEDORAPROJECT.ORG';
# check keytab entries
my $hostname = script_output 'hostname';
my $qhost = quotemeta($hostname);
validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@TEST\.OPENQA\.FEDORAPROJECT\.ORG/ };
# check we can kinit with the host principal
assert_script_run "kinit -k host/$hostname\@TEST.OPENQA.FEDORAPROJECT.ORG";
# Set a longer timeout for login(1) to workaround RHBZ #1661273
assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs';
# switch to tty2 for login tests
send_key "ctrl-alt-f2";
# try and login as test1, should work
console_login(user => 'test1@TEST.OPENQA.FEDORAPROJECT.ORG', password => 'batterystaple');
type_string "exit\n";
# try and login as test2, should fail. we cannot use console_login
# as it takes 10 seconds to complete when login fails, and
# "permission denied" message doesn't last that long
sleep 2;
assert_screen "text_console_login";
type_string "test2\@TEST.OPENQA.FEDORAPROJECT.ORG\n";
assert_screen "console_password_required";
type_string "batterystaple\n";
assert_screen "login_permission_denied";
}
sub test_flags {
return {fatal => 1};
}
1;
# vim: set sw=4 et:


@ -40,14 +40,14 @@ sub run {
# check we can kinit with changed password # check we can kinit with changed password
assert_script_run 'printf "loremipsum" | kinit test3'; assert_script_run 'printf "loremipsum" | kinit test3';
# change password via CLI (back to batterystaple, as that's what # change password via CLI (back to batterystaple, as that's what
# freeipa_client test expects) # domain_client test expects)
assert_script_run 'dnf -y install freeipa-admintools'; assert_script_run 'dnf -y install freeipa-admintools';
assert_script_run 'printf "batterystaple\nbatterystaple" | ipa user-mod test3 --password'; assert_script_run 'printf "batterystaple\nbatterystaple" | ipa user-mod test3 --password';
# check we can kinit again # check we can kinit again
assert_script_run 'printf "batterystaple" | kinit test3'; assert_script_run 'printf "batterystaple" | kinit test3';
# clear kerberos ticket for freeipa_client test # clear kerberos ticket for domain_client test
assert_script_run 'kdestroy -A'; assert_script_run 'kdestroy -A';
# we just stay here - freeipa_client will pick right up # we just stay here - domain_client will pick right up
} }
sub test_flags { sub test_flags {


@ -8,18 +8,27 @@ use cockpit;
sub run { sub run {
my $self = shift; my $self = shift;
# use FreeIPA server as DNS server # use appropriate server IP, hostname, mutex and admin password
assert_script_run "printf 'search test.openqa.fedoraproject.org\nnameserver 172.16.2.100' > /etc/resolv.conf"; # Several tests use the 'regular' FreeIPA server, so the values
# for that are the defaults; other tests use a replica server, or
# the AD server, so they specify this in their vars.
my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org');
my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100');
my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready');
my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123');
my $admin_user = get_var("REALMD_ADMIN_USER", 'admin');
my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org");
assert_script_run "printf '$domain\nnameserver $server_ip' > /etc/resolv.conf";
# this gets us the name of the first connection in the list, # this gets us the name of the first connection in the list,
# which should be what we want # which should be what we want
my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1"; my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1";
assert_script_run "nmcli con mod '$connection' ipv4.dns '172.16.2.100'"; assert_script_run "nmcli con mod '$connection' ipv4.dns '$server_ip'";
assert_script_run "nmcli con down '$connection'"; assert_script_run "nmcli con down '$connection'";
assert_script_run "nmcli con up '$connection'"; assert_script_run "nmcli con up '$connection'";
# wait for the server to be ready (do it now just to make sure name # wait for the server to be ready (do it now just to make sure name
# resolution is working before we proceed) # resolution is working before we proceed)
mutex_lock "freeipa_ready"; mutex_lock "domain_server_ready";
mutex_unlock "freeipa_ready"; mutex_unlock "domain_server_ready";
# do repo setup # do repo setup
repo_setup(); repo_setup();
# set sssd debugging level higher (useful for debugging failures) # set sssd debugging level higher (useful for debugging failures)
@ -52,12 +61,12 @@ sub run {
# ...but two tabs in both places on earlier versions # ...but two tabs in both places on earlier versions
$tabs = "\t\t" if ($cockpitver < 255); $tabs = "\t\t" if ($cockpitver < 255);
type_string($tabs, 4); type_string($tabs, 4);
type_string("ipa001.test.openqa.fedoraproject.org", 4); type_string($server, 4);
type_string($tabs, 4); type_string($tabs, 4);
type_string("admin", 4); type_string($admin_user, 4);
send_key "tab"; send_key "tab";
sleep 3; sleep 3;
type_string("monkeys123", 4); type_string($admin_pw, 4);
sleep 3; sleep 3;
assert_and_click "cockpit_join_button"; assert_and_click "cockpit_join_button";
# join involves package installs, so it may take some time # join involves package installs, so it may take some time
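Review bot: The rewritten resolv.conf command drops the `search` keyword: the old line wrote `search test.openqa.fedoraproject.org`, the new one writes the bare domain, which is not a resolv.conf directive, so the search domain is no longer set. It should read `assert_script_run "printf 'search $domain\nnameserver $server_ip' > /etc/resolv.conf";`. In the same hunk `$server_mutex` is read from `REALMD_SERVER_MUTEX`, but the lock and unlock further down still name `"domain_server_ready"` literally; use `mutex_lock $server_mutex;` and `mutex_unlock $server_mutex;` so the setting takes effect. run() continues outside these hunks.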


@ -8,19 +8,15 @@ use utils;
sub run { sub run {
my $self = shift; my $self = shift;
# use FreeIPA server or replica as DNS server # use appropriate server IP, hostname, mutex and admin password
my $server = 'ipa001.test.openqa.fedoraproject.org'; # Several tests use the 'regular' FreeIPA server, so the values
my $server_ip = '172.16.2.100'; # for that are the defaults; other tests use a replica server, or
my $server_mutex = 'freeipa_ready'; # the AD server, so they specify this in their vars.
if (get_var("FREEIPA_REPLICA")) { my $server = get_var("REALMD_DNS_SERVER_HOST", 'ipa001.test.openqa.fedoraproject.org');
$server = 'ipa002.test.openqa.fedoraproject.org'; my $server_ip = get_var("REALMD_DNS_SERVER_IP", '172.16.2.100');
$server_ip = '172.16.2.106'; my $server_mutex = get_var("REALMD_SERVER_MUTEX", 'domain_server_ready');
} my $admin_pw = get_var("REALMD_ADMIN_PASSWORD", 'monkeys123');
if (get_var("FREEIPA_REPLICA_CLIENT")) { my $admin_user = get_var("REALMD_ADMIN_USER", 'admin');
$server = 'ipa003.test.openqa.fedoraproject.org';
$server_ip = '172.16.2.107';
$server_mutex = 'replica_ready';
}
# this gets us the name of the first connection in the list, # this gets us the name of the first connection in the list,
# which should be what we want # which should be what we want
my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1"; my $connection = script_output "nmcli --fields NAME con show | head -2 | tail -1";
@ -63,13 +59,13 @@ sub run {
assert_script_run "systemctl start ipa.service", 300; assert_script_run "systemctl start ipa.service", 300;
# report that we're ready to go # report that we're ready to go
mutex_create('replica_ready'); mutex_create('domain_replica_ready');
# wait for the client test # wait for the client test
wait_for_children; wait_for_children;
} }
else { else {
assert_script_run "echo 'monkeys123' | realm join --user=admin ${server}", 300; assert_script_run "echo '${admin_pw}' | realm join --user=${admin_user} ${server}", 300;
} }
# set sssd debugging level higher (useful for debugging failures) # set sssd debugging level higher (useful for debugging failures)
# optional as it's not really part of the test # optional as it's not really part of the test
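Review bot: The join command in the second hunk is now built from job settings, `echo '${admin_pw}' | realm join --user=${admin_user} ${server}`, and the single quotes around the password are its only protection: a value containing `'` closes the quoting and the shell interprets the rest. The AD password set in the templates already contains `#` and `^`, so a later change to it could easily break this line. Add a guard before the command, `die "REALMD_ADMIN_PASSWORD must not contain a single quote" if $admin_pw =~ /'/;`, and quote the other two values as well, `--user='${admin_user}' '${server}'`. The enclosing if/else and run() extend beyond the hunk.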


@ -66,7 +66,7 @@ sub run {
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.FEDORAPROJECT.ORG'; assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test1@TEST.OPENQA.FEDORAPROJECT.ORG';
assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.FEDORAPROJECT.ORG'; assert_script_run 'printf "correcthorse\nbatterystaple\nbatterystaple" | kinit test2@TEST.OPENQA.FEDORAPROJECT.ORG';
# we're ready for children to enrol, now # we're ready for children to enrol, now
mutex_create("freeipa_ready"); mutex_create("domain_server_ready");
# if upgrade test, wait for children to enrol before upgrade # if upgrade test, wait for children to enrol before upgrade
if (get_var("UPGRADE")) { if (get_var("UPGRADE")) {
my $children = get_children(); my $children = get_children();


@ -0,0 +1,88 @@
use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
use tapnet;
use utils;
# thanks to:
# https://fedoramagazine.org/samba-as-ad-and-domain-controller/
# https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
sub run {
my $self = shift;
# login
$self->root_console();
# use compose repo, disable u-t, etc. unless this is an upgrade
# test (in which case we're on the 'old' release at this point;
# one of the upgrade test modules does repo_setup later)
repo_setup() unless get_var("UPGRADE");
# this seems to cause problems if it runs before clients are done
assert_script_run "systemctl stop systemd-tmpfiles-clean.timer";
# we need a lot of entropy for this, and we don't care how good
# it is, so let's use haveged
assert_script_run "dnf -y install haveged", 300;
assert_script_run 'systemctl start haveged.service';
assert_script_run "rm -f /etc/samba/smb.conf";
# First install the necessary packages
assert_script_run "dnf -y install samba-dc samba-tools krb5-workstation adcli", 600;
# configure the firewall
assert_script_run "firewall-cmd --permanent --add-service samba-dc";
assert_script_run "systemctl restart firewalld.service";
# configure SELinux
assert_script_run "setsebool -P samba_create_home_dirs=on samba_domain_controller=on samba_enable_home_dirs=on samba_portmapper=on use_samba_home_dirs=on";
# extract our IP and hostname from POST_STATIC
my $poststatic = get_var("POST_STATIC");
my ($ip, $hostname) = split(" ", $poststatic);
# set up DNS
script_run "mkdir -p /etc/systemd/resolved.conf.d";
assert_script_run 'printf "[Resolve]\nDNSStubListener=no\nDomains=samdom.openqa.fedoraproject.org\nDNS=' . $ip . '\n" > /etc/systemd/resolved.conf.d/sambaad.conf';
upload_logs "/etc/systemd/resolved.conf.d/sambaad.conf";
assert_script_run "systemctl restart systemd-resolved.service";
# deploy the server
assert_script_run "samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.OPENQA.FEDORAPROJECT.ORG --domain=samdom --adminpass=129ho3eau47#qm9to9s^", 1200;
# set up DNS forwarding
my ($forwarder, $others) = get_host_dns();
assert_script_run 'sed -i -e "s,dns forwarder =.*,dns forwarder = ' . $forwarder . ',g" /etc/samba/smb.conf';
upload_logs "/etc/samba/smb.conf";
# set up kerberos
assert_script_run "cp /var/lib/samba/private/krb5.conf /etc/krb5.conf.d/samba-dc";
upload_logs "/etc/krb5.conf.d/samba-dc";
# enable and start the systemd service
assert_script_run "systemctl enable samba.service";
assert_script_run "systemctl start samba.service", 300;
# kinit as admin
assert_script_run 'echo "129ho3eau47#qm9to9s^" | kinit administrator';
# turn off annoying password constraints
assert_script_run "samba-tool domain passwordsettings set --complexity=off", 1200;
# set up an OTP for adclient003 enrolment (it will enrol with a kickstart)
assert_script_run 'echo "129ho3eau47#qm9to9s^" | adcli preset-computer -U administrator --verbose --domain samdom.openqa.fedoraproject.org --stdin-password --one-time-password=monkeys adclient003.samdom.openqa.fedoraproject.org';
# create two user accounts, test1 and test2
assert_script_run 'samba-tool user add test1 batterystaple --unix-home=/home/test1 --login-shell=/bin/bash --uid=number=10000 --gid-number=10000';
# add a rule allowing access to all hosts and services
#assert_script_run 'ipa hbacrule-add testrule --servicecat=all --hostcat=all';
# add test1 (but not test2) to the rule
#assert_script_run 'ipa hbacrule-add-user testrule --users=test1';
# disable the default 'everyone everywhere' rule
#assert_script_run 'ipa hbacrule-disable allow_all';
# allow immediate password changes (as we need to test this)
#assert_script_run 'ipa pwpolicy-mod --minlife=0';
# magic voodoo crap to allow reverse DNS client sync to work
# https://docs.pagure.org/bind-dyndb-ldap/BIND9/SyncPTR.html
#assert_script_run 'ipa dnszone-mod test.openqa.fedoraproject.org. --allow-sync-ptr=TRUE';
# check we can kinit as each user
assert_script_run 'printf "batterystaple" | kinit test1@SAMDOM.OPENQA.FEDORAPROJECT.ORG';
# we're ready for children to enrol, now
mutex_create("domain_server_ready");
}
sub test_flags {
return {fatal => 1};
}
1;
# vim: set sw=4 et:
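Review bot: The user-creation command passes `--uid=number=10000`, which looks like a typo for `--uid-number=10000`; as written, the string `number=10000` goes to a different option and test1 probably ends up without the intended RFC2307 uidNumber, even though the domain is provisioned with `--use-rfc2307`. The line should end `--login-shell=/bin/bash --uid-number=10000 --gid-number=10000`. The comments around it are stale: they announce two accounts and a kinit for each, but only test1 is created, and the commented-out `ipa` commands are FreeIPA leftovers that do not apply to a Samba DC. The administrator password is also repeated as a literal three times, once unquoted in `--adminpass=`; reading it once into a variable and single-quoting it in each command would keep the copies from drifting.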


@ -0,0 +1,44 @@
use base "installedtest";
use strict;
use testapi;
use lockapi;
use mmapi;
sub run {
my $self = shift;
# make sure ipa.service actually came up successfully
my $count = 40;
while (1) {
$count -= 1;
die "Waited too long for samba.service to show up!" if ($count == 0);
sleep 3;
# if it's active, we're done here
last unless script_run 'systemctl is-active samba.service';
# if it's not...fail if it's failed
assert_script_run '! systemctl is-failed samba.service';
# if we get here, it's activating, so loop around
}
# if this is an update, notify clients that we're now up again
mutex_create('server_upgraded') if get_var("UPGRADE");
# once child jobs are done, stop the server
# debug debug
type_string "journalctl -f\n";
wait_for_children;
send_key "ctrl-c";
# run post-fail hook to upload logs - even when this test passes
# there are often cases where we need to see the logs (e.g. client
# test failed due to server issue)
$self->post_fail_hook();
assert_script_run 'systemctl stop samba.service';
# check server is stopped
assert_script_run '! systemctl is-active samba.service';
}
sub test_flags {
return {fatal => 1};
}
1;
# vim: set sw=4 et:
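Review bot: The first comment in run() names `ipa.service`, but the loop polls `samba.service`; it should read `# make sure samba.service actually came up successfully`. The `# debug debug` comment above `type_string "journalctl -f\n"` looks like a debugging leftover: if the call is meant to stay, replace the comment with one saying the journal is followed on screen while the client jobs run, so that server-side errors are captured. The comment on the `server_upgraded` mutex says "update" while the condition tests `UPGRADE`, and this commit adds no AD upgrade suite that sets it, so that line may be dead for now.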