From Fedora Project Wiki

mNo edit summary
(update to related release criteria as roles are gone)
 
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Template:Associated_release_criterion|Final|domain-access-control}}
{{QA/Test_Case
{{QA/Test_Case
|description=Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.  
|description=This test case checks that a system enrolled in a FreeIPA domain honors the domain controller's host-based access control (HBAC) rules.
|setup=
|setup=
# If you haven't already, run through the [[QA:Testcase_FreeIPA_realmd_join|test case to join the domain]].
{{Domain server setup|ad=0}}
 
{{Domain client setup|ad=0}}
|actions=
# The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
# The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
# Make sure you have freeipa-admintools installed
#: <pre># yum install freeipa-admintools</pre>
# Create a FreeIPA user (after acquiring admin credentials)
# Create a FreeIPA user (after acquiring admin credentials)
#: <pre>$ kinit admin</pre>
#: <pre>$ kinit admin</pre>
Line 14: Line 16:
# Disable the default rule that allows access to everyone
# Disable the default rule that allows access to everyone
#: <pre>$ ipa hbacrule-disable allow_all</pre>
#: <pre>$ ipa hbacrule-disable allow_all</pre>
# On the system that joined the domain, change the ''testuser'' password for the first time.
#: <pre>$ kinit testuser@IPA.EXAMPLE.ORG</pre>
#: You will be prompted to enter a new password here
|actions=
# On the system that joined the domain, switch to another VT (press <code>Ctrl-Alt-F4</code>).
# Try to log in as the admin user.
#: <pre>host login: admin@ipa.example.org</pre>
# Now try to log in as test user.
#: <pre>host login: testuser@ipa.example.org</pre>


|results=
|results=
# Make sure that admin is not able to ssh into the IPA server (per the HBAC rule)
# Log in as the admin user must fail, and log in as the test user must succeed.
#: <pre>$ ssh admin@server.ipa.example.org</pre>
# Make sure that testuser is able to ssh into the IPA server (per the HBAC rule)
#: <pre>$ ssh testuser@server.ipa.example.org</pre>
}}
}}
== More testing - offline logins ==
# Before the test, make sure that credential caching is enabled on the client
#: open <code>/etc/sssd/sssd.conf</code> in your editor of choice
#: Make sure that <code>cache_credentials=True</code> is present in the <code>[domain]</code> section of sssd.conf
#: Restart the SSSD if you modified the config file: <code>service sssd restart</code>
# Perform one more login online to cache the credentials
#: Disconnect the client from the network. As root, shut down the NM service:
#: <pre># service NetworkManager stop</pre>
#: Log in as the test user again. The login should succeed.
#: Don't forget to start the networking again to make sure you're able to run the cleanup


== Clean-up after the test ==
== Clean-up after the test ==
Enable the ''allow_all'' rule again to avoid interference with other Test cases:
Enable the ''allow_all'' rule again to avoid interference with other tests:


$ kinit admin
  $ ipa hbacrule-enable allow_all
  $ ipa hbacrule-enable allow_all


== Troubleshooting ==
[[Category:FreeIPA_Test_Cases]] [[Category:Realmd_Test_Cases]] [[Category:Server Acceptance Test Cases]]
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
 
'''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=952830 Selinux]]:''' You need to turn off selinux to complete the join. Please do:
 
<pre>
$ sudo setenforce 0
</pre>
 
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830
 
<pre>
$ sudo grep realmd /var/log/audit/audit.log
</pre>
 
[[Category:Active_Directory_Test_Cases]]

Latest revision as of 23:20, 17 July 2018

Associated release criterion
This test case is associated with the Fedora_42_Final_Release_Criteria#domain-access-control release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.

Description

This test case checks that a system enrolled in a FreeIPA domain honors the domain controller's host-based access control (HBAC) rules.

Setup

  1. Deploy a correctly-configured FreeIPA domain controller. You can follow:
    QA:Testcase_Server_role_deploy with the Domain Controller role to deploy a FreeIPA domain controller on Fedora 28 or earlier
    QA:Testcase_freeipa_trust_server_installation to deploy a FreeIPA domain controller on Fedora 29 or later
  2. Enrol a test system in the domain. There are various ways to do this. You will find several test cases you can follow in the Server release validation test cases, FreeIPA test cases, and Realmd test cases
  3. The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
  4. Make sure you have freeipa-admintools installed
    # yum install freeipa-admintools
  5. Create a FreeIPA user (after acquiring admin credentials)
    $ kinit admin
    $ ipa user-add testuser --first test --last user --password
  6. Create an HBAC rule that allows access to the user you just created
    $ ipa hbacrule-add testrule --servicecat=all --hostcat=all
    $ ipa hbacrule-add-user testrule --users=testuser
  7. Disable the default rule that allows access to everyone
    $ ipa hbacrule-disable allow_all
  8. On the system that joined the domain, change the testuser password for the first time.
    $ kinit testuser@IPA.EXAMPLE.ORG
    You will be prompted to enter a new password here

How to test

  1. On the system that joined the domain, switch to another VT (press Ctrl-Alt-F4).
  2. Try to log in as the admin user.
    host login: admin@ipa.example.org
  3. Now try to log in as test user.
    host login: testuser@ipa.example.org

Expected Results

  1. Log in as the admin user must fail, and log in as the test user must succeed.



More testing - offline logins

  1. Before the test, make sure that credential caching is enabled on the client
    open /etc/sssd/sssd.conf in your editor of choice
    Make sure that cache_credentials=True is present in the [domain] section of sssd.conf
    Restart the SSSD if you modified the config file: service sssd restart
  2. Perform one more login online to cache the credentials
    Disconnect the client from the network. As root, shut down the NM service:
    # service NetworkManager stop
    Log in as the test user again. The login should succeed.
    Don't forget to start the networking again to make sure you're able to run the cleanup

Clean-up after the test

Enable the allow_all rule again to avoid interference with other tests:

$ kinit admin
$ ipa hbacrule-enable allow_all