test_smb: test S4U2Self operation by IPA service

Kerberos service might request a ticket to itself on behalf of a user to perform protocol transition, so-called S4U2Self extension defined in [MS-SFU] specification. Processing of this request by KDC differs for in-realm and cross-realm configurations. Use SMB service to test S4U2Self performed against AD and IPA users. Fixes: https://pagure.io/freeipa/issue/8319 Signed-off-by: Alexander Bokovoy <[email protected]>
f-trivino · May 19, 2020 · d387f9d · d387f9d
1 parent 4491269
commit d387f9d
Showing 1 changed file with 54 additions and 16 deletions.
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
@@ -11,8 +11,10 @@
 from functools import partial
 import textwrap
 import re
+import os
 
 import pytest
+from contextlib import contextmanager
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@@ -77,14 +79,16 @@ def install(cls, mh):
 
     @pytest.fixture
     def enable_smb_client_dns_lookup_kdc(self):
-        smbclient = self.smbclient
-        with tasks.FileBackup(smbclient, paths.KRB5_CONF):
-            krb5_conf = smbclient.get_file_contents(
-                paths.KRB5_CONF, encoding='utf-8')
-            krb5_conf = krb5_conf.replace(
-                'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
-            smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
-            yield
+        @contextmanager
+        def _enable_for(smbclient):
+            with tasks.FileBackup(smbclient, paths.KRB5_CONF):
+                krb5_conf = smbclient.get_file_contents(
+                    paths.KRB5_CONF, encoding='utf-8')
+                krb5_conf = krb5_conf.replace(
+                    'dns_lookup_kdc = false', 'dns_lookup_kdc = true')
+                smbclient.put_file_contents(paths.KRB5_CONF, krb5_conf)
+                yield
+        return _enable_for
 
     @pytest.fixture
     def samba_share_public(self):
@@ -313,14 +317,15 @@ def test_smb_access_for_ipa_user_at_ipa_client(self):
 
     def test_smb_access_for_ad_user_at_ipa_client(
             self, enable_smb_client_dns_lookup_kdc):
-        samba_share = {
-            'name': 'homes',
-            'server_path': '/home/{}/{}'.format(self.ad.domain.name,
-                                                self.ad_user_login),
-            'unc': '//{}/homes'.format(self.smbserver.hostname)
-        }
-        self.check_smb_access_at_ipa_client(
-            self.ad_user, self.ad_user_password, samba_share)
+        with enable_smb_client_dns_lookup_kdc(self.smbclient):
+            samba_share = {
+                'name': 'homes',
+                'server_path': '/home/{}/{}'.format(self.ad.domain.name,
+                                                    self.ad_user_login),
+                'unc': '//{}/homes'.format(self.smbserver.hostname)
+            }
+            self.check_smb_access_at_ipa_client(
+                self.ad_user, self.ad_user_password, samba_share)
 
     def test_smb_mount_and_access_by_different_users(self, samba_share_public):
         user1 = self.ipa_user1
@@ -340,6 +345,39 @@ def test_smb_mount_and_access_by_different_users(self, samba_share_public):
         finally:
             self.cleanup_mount(mount_point)
 
+    def test_smb_service_s4u2self(
+            self, enable_smb_client_dns_lookup_kdc):
+        """Test S4U2Self operation by IPA service
+           against both AD and IPA users
+        """
+        script = textwrap.dedent("""export KRB5_TRACE=/dev/stderr
+        kdestroy -A
+        kinit -kt /etc/samba/samba.keytab {principal}
+        klist -f
+        {print_pac} -k /etc/samba/samba.keytab -E impersonate {user_princ}
+        klist -f
+        """)
+        with enable_smb_client_dns_lookup_kdc(self.smbserver):
+            principal = 'cifs/{hostname}'.format(
+                hostname=self.smbserver.hostname)
+            # Copy ipa-print-pac to SMB server
+            # We can do so because Samba and GSSAPI libraries
+            # are present there
+            print_pac = self.master.get_file_contents(
+                os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"))
+            result = self.smbserver.run_command(['mktemp'])
+            tmpname = result.stdout_text.strip()
+            self.smbserver.put_file_contents(tmpname, print_pac)
+            self.smbserver.run_command(['chmod', 'a+x', tmpname])
+            for user in (self.ad_user, self.ipa_user1,):
+                shell_script = script.format(principal=principal,
+                                             user_princ=user,
+                                             print_pac=tmpname)
+                self.smbserver.run_command(['/bin/bash', '-s', '-e'],
+                                           stdin_text=shell_script)
+            self.smbserver.run_command(['rm', '-f', tmpname])
+        tasks.kdestroy_all(self.smbserver)
+
     def test_smb_mount_fails_without_kerberos_ticket(self, samba_share_public):
         mountpoint = '/mnt/smb'
         try: