use base "installedtest"; use strict; use testapi; use utils; sub run { my $self = shift; my $admin = get_var("REALMD_ADMIN_USER", "admin"); my $tcadmin = ucfirst($admin); my $domain = get_var("REALMD_DOMAIN", "test.openqa.fedoraproject.org"); my $shortdom = uc((split(/\./, $domain))[0]); my $udomain = uc($domain); my $qdomain = quotemeta($domain); my $qudomain = uc($qdomain); # switch to tty1 (we're usually there already, but just in case # we're carrying on from a failed freeipa_webui that didn't fail # at tty1) select_console "tty1-console"; wait_still_screen 1; if (get_var("KICKSTART")) { # we don't have sssd debugging enabled yet assert_script_run 'dnf -y install sssd-tools', 240; assert_script_run 'sss_debuglevel 9'; } # check domain is listed in 'realm list' validate_script_output 'realm list', sub { $_ =~ m/domain-name: $qdomain.*configured: kerberos-member/s }; # check we can resolve domain accounts if ($domain =~ m/samdom/) { # give this two tries, to see if it helps the problem where # it sometimes fails for no reason if (script_run "getent passwd '$shortdom\\$tcadmin'") { assert_script_run "getent passwd '$shortdom\\$tcadmin'"; } } else { assert_script_run "getent passwd $admin\@$udomain"; } # check keytab entries # on AD clients, this isn't automatically installed assert_script_run "dnf -y install krb5-workstation", 180; my $hostname = script_output 'hostname'; my $qhost = quotemeta($hostname); validate_script_output 'klist -k', sub { $_ =~ m/$qhost\@$qudomain/ }; # check we can kinit with the host principal if ($domain =~ m/samdom/) { my $shorthost = uc((split(/\./, $hostname))[0]); assert_script_run "kinit -k $shorthost\\\$\@$udomain"; } else { assert_script_run "kinit -k host/$hostname\@$udomain"; } # Set a longer timeout for login(1) to workaround RHBZ #1661273 assert_script_run 'echo "LOGIN_TIMEOUT 180" >> /etc/login.defs'; # switch to tty2 for login tests select_console "tty2-console"; # try and login as test1, should work console_login(user => "test1\@$domain", password => 'batterystaple'); type_string "exit\n"; unless ($domain =~ m/samdom/) { # try and login as test2, should fail. we cannot use console_login # as it takes 10 seconds to complete when login fails, and # "permission denied" message doesn't last that long sleep 2; assert_screen "text_console_login"; type_string "test2\@$udomain\n"; assert_screen "console_password_required"; type_string "batterystaple\n"; assert_screen "login_permission_denied"; } } sub test_flags { return {fatal => 1}; } 1; # vim: set sw=4 et: