changeset 5986 | bab15c34f645 |
parent 5969 | 96bac9fbcfbd |
child 6085 | eb3c11e27709 |
5985:6b195cad32d4 | 5986:bab15c34f645 |
---|---|
1895 -SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
1895 -SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
1896 +SHLIB_EXPLIBS= -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
1896 +SHLIB_EXPLIBS= -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
1897 RELDIR=kadm5/clnt |
1897 RELDIR=kadm5/clnt |
1898 |
1898 |
1899 ##DOSBUILDTOP = ..\..\.. |
1899 ##DOSBUILDTOP = ..\..\.. |
1900 diff -pur new/src/lib/kadm5/clnt/client_init.c patched.1/src/lib/kadm5/clnt/client_init.c |
1900 diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c |
1901 --- no-028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:39:09.439503108 -0600 |
1901 --- old/src/lib/kadm5/clnt/client_init.c |
1902 +++ 028/src/lib/kadm5/clnt/client_init.c 2016-03-28 14:40:49.154436988 -0600 |
1902 +++ new/src/lib/kadm5/clnt/client_init.c |
1903 @@ -44,12 +44,12 @@ |
1903 @@ -44,12 +44,12 @@ |
1904 #include <iprop_hdr.h> |
1904 #include <iprop_hdr.h> |
1905 #include "iprop.h" |
1905 #include "iprop.h" |
1906 |
1906 |
1907 -#include <gssrpc/rpc.h> |
1907 -#include <gssrpc/rpc.h> |
1913 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" |
1913 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" |
1914 +#define KADMIND_CONNECT_TIMEOUT 25 |
1914 +#define KADMIND_CONNECT_TIMEOUT 25 |
1915 |
1915 |
1916 enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; |
1916 enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; |
1917 |
1917 |
1918 @@ -138,9 +138,385 @@ kadm5_init_with_skey(krb5_context contex |
1918 @@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex |
1919 server_handle); |
1919 server_handle); |
1920 } |
1920 } |
1921 |
1921 |
1922 +/* |
1922 +/* |
1923 + * Open an fd for the given address and connect asynchronously. Wait |
1923 + * Open an fd for the given address and connect asynchronously. Wait |
2094 + rpc_gss_service_t service = rpc_gss_svc_privacy; |
2094 + rpc_gss_service_t service = rpc_gss_svc_privacy; |
2095 + OM_uint32 gssstat, minor_stat; |
2095 + OM_uint32 gssstat, minor_stat; |
2096 + enum clnt_stat rpc_err_code; |
2096 + enum clnt_stat rpc_err_code; |
2097 + char *server; |
2097 + char *server; |
2098 + int port; |
2098 + int port; |
2099 + struct timeval timeout; |
|
2100 + |
2099 + |
2101 + /* service name is service/host */ |
2100 + /* service name is service/host */ |
2102 + server = strpbrk(service_name, "/"); |
2101 + server = strpbrk(service_name, "/"); |
2103 + if (!server) { |
2102 + if (!server) { |
2104 + code = KADM5_BAD_SERVER_NAME; |
2103 + code = KADM5_BAD_SERVER_NAME; |
2156 + } |
2155 + } |
2157 + |
2156 + |
2158 + if (iprop_svc) |
2157 + if (iprop_svc) |
2159 + free(iprop_svc); |
2158 + free(iprop_svc); |
2160 + |
2159 + |
2161 + /* Set a one-hour timeout. */ |
|
2162 + timeout.tv_sec = 3600; |
|
2163 + timeout.tv_usec = 0; |
|
2164 + (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); |
|
2165 + |
|
2166 + handle->lhandle->clnt = handle->clnt; |
2160 + handle->lhandle->clnt = handle->clnt; |
2167 + |
2161 + |
2168 + /* now that handle->clnt is set, we can check the handle */ |
2162 + /* now that handle->clnt is set, we can check the handle */ |
2169 + if (code = _kadm5_check_handle((void *) handle)) |
2163 + if (code = _kadm5_check_handle((void *) handle)) |
2170 + goto error; |
2164 + goto error; |
2300 - char *pass, krb5_ccache ccache_in, char *service_name, |
2294 - char *pass, krb5_ccache ccache_in, char *service_name, |
2301 + char *pass, krb5_ccache ccache_in, char *svcname_in, |
2295 + char *pass, krb5_ccache ccache_in, char *svcname_in, |
2302 kadm5_config_params *params_in, krb5_ui_4 struct_version, |
2296 kadm5_config_params *params_in, krb5_ui_4 struct_version, |
2303 krb5_ui_4 api_version, char **db_args, void **server_handle) |
2297 krb5_ui_4 api_version, char **db_args, void **server_handle) |
2304 { |
2298 { |
2305 @@ -152,13 +528,13 @@ init_any(krb5_context context, char *cli |
2299 @@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli |
2306 rpcvers_t rpc_vers; |
|
2307 krb5_ccache ccache; |
|
2308 krb5_principal client = NULL, server = NULL; |
|
2309 - struct timeval timeout; |
|
2310 |
|
2311 kadm5_server_handle_t handle; |
|
2312 kadm5_config_params params_local; |
|
2313 |
2300 |
2314 int code = 0; |
2301 int code = 0; |
2315 generic_ret *r; |
2302 generic_ret *r; |
2316 + char svcname[BUFSIZ]; |
2303 + char svcname[BUFSIZ]; |
2317 |
2304 |
2318 initialize_ovk_error_table(); |
2305 initialize_ovk_error_table(); |
2319 /* initialize_adb_error_table(); */ |
2306 /* initialize_adb_error_table(); */ |
2320 @@ -226,105 +602,27 @@ init_any(krb5_context context, char *cli |
2307 @@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli |
2321 if (code) |
2308 if (code) |
2322 goto error; |
2309 goto error; |
2323 |
2310 |
2324 - /* |
2311 - /* |
2325 - * Get credentials. Also does some fallbacks in case kadmin/fqdn |
2312 - * Get credentials. Also does some fallbacks in case kadmin/fqdn |
2364 -#endif |
2351 -#endif |
2365 - goto error; |
2352 - goto error; |
2366 + strncpy(svcname, svcname_in, sizeof(svcname)); |
2353 + strncpy(svcname, svcname_in, sizeof(svcname)); |
2367 + svcname[sizeof(svcname)-1] = '\0'; |
2354 + svcname[sizeof(svcname)-1] = '\0'; |
2368 } |
2355 } |
2369 |
|
2370 - /* Set a one-hour timeout. */ |
|
2371 - timeout.tv_sec = 3600; |
|
2372 - timeout.tv_usec = 0; |
|
2373 - (void)clnt_control(handle->clnt, CLSET_TIMEOUT, &timeout); |
|
2374 - |
|
2375 - handle->client_socket = fd; |
2356 - handle->client_socket = fd; |
2376 - handle->lhandle->clnt = handle->clnt; |
2357 - handle->lhandle->clnt = handle->clnt; |
2377 - handle->lhandle->client_socket = fd; |
2358 - handle->lhandle->client_socket = fd; |
2378 - |
2359 - |
2379 - /* now that handle->clnt is set, we can check the handle */ |
2360 - /* now that handle->clnt is set, we can check the handle */ |
2380 - if ((code = _kadm5_check_handle((void *) handle))) |
2361 - if ((code = _kadm5_check_handle((void *) handle))) |
2381 - goto error; |
2362 - goto error; |
2382 - |
2363 |
2383 - /* |
2364 - /* |
2384 - * The RPC connection is open; establish the GSS-API |
2365 - * The RPC connection is open; establish the GSS-API |
2385 - * authentication context. |
2366 - * authentication context. |
2386 - */ |
2367 - */ |
2387 - code = setup_gss(handle, params_in, |
2368 - code = setup_gss(handle, params_in, |
2436 + svcname); |
2417 + svcname); |
2437 + if (code != 0) { |
2418 + if (code != 0) { |
2438 goto error; |
2419 goto error; |
2439 } |
2420 } |
2440 |
2421 |
2441 @@ -364,31 +662,17 @@ cleanup: |
2422 @@ -357,31 +656,17 @@ cleanup: |
2442 return code; |
2423 return code; |
2443 } |
2424 } |
2444 |
2425 |
2445 -/* Get initial credentials for authenticating to server. Perform fallback from |
2426 -/* Get initial credentials for authenticating to server. Perform fallback from |
2446 - * kadmin/fqdn to kadmin/admin if svcname_in is NULL. */ |
2427 - * kadmin/fqdn to kadmin/admin if svcname_in is NULL. */ |
2470 - } |
2451 - } |
2471 - |
2452 - |
2472 /* |
2453 /* |
2473 * Acquire a service ticket for svcname@realm for client, using password |
2454 * Acquire a service ticket for svcname@realm for client, using password |
2474 * pass (which could be NULL), and create a ccache to store them in. If |
2455 * pass (which could be NULL), and create a ccache to store them in. If |
2475 @@ -426,12 +710,6 @@ get_init_creds(kadm5_server_handle_t han |
2456 @@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han |
2476 |
2457 |
2477 code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, |
2458 code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, |
2478 server_out); |
2459 server_out); |
2479 - if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
2460 - if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
2480 - || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { |
2461 - || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { |
2483 - KADM5_ADMIN_SERVICE, realm, server_out); |
2464 - KADM5_ADMIN_SERVICE, realm, server_out); |
2484 - } |
2465 - } |
2485 /* Improved error messages */ |
2466 /* Improved error messages */ |
2486 if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; |
2467 if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; |
2487 if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) |
2468 if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) |
2488 @@ -698,6 +976,26 @@ rpc_auth(kadm5_server_handle_t handle, k |
2469 @@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k |
2489 gss_cred_id_t gss_client_creds, gss_name_t gss_target) |
2470 gss_cred_id_t gss_client_creds, gss_name_t gss_target) |
2490 { |
2471 { |
2491 OM_uint32 gssstat, minor_stat; |
2472 OM_uint32 gssstat, minor_stat; |
2492 + gss_buffer_desc buf; |
2473 + gss_buffer_desc buf; |
2493 + rpc_gss_options_req_t options_req; |
2474 + rpc_gss_options_req_t options_req; |
2510 + |
2491 + |
2511 +#if 0 |
2492 +#if 0 |
2512 struct rpc_gss_sec sec; |
2493 struct rpc_gss_sec sec; |
2513 |
2494 |
2514 /* Allow unauthenticated option for testing. */ |
2495 /* Allow unauthenticated option for testing. */ |
2515 @@ -732,6 +1030,7 @@ rpc_auth(kadm5_server_handle_t handle, k |
2496 @@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k |
2516 GSS_C_MUTUAL_FLAG |
2497 GSS_C_MUTUAL_FLAG |
2517 | GSS_C_REPLAY_FLAG, |
2498 | GSS_C_REPLAY_FLAG, |
2518 0, NULL, NULL, NULL); |
2499 0, NULL, NULL, NULL); |
2519 +#endif |
2500 +#endif |
2520 } |
2501 } |
2521 |
2502 |
2522 kadm5_ret_t |
2503 kadm5_ret_t |
2504 diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c |
|
2523 --- old/src/lib/kadm5/clnt/client_principal.c |
2505 --- old/src/lib/kadm5/clnt/client_principal.c |
2524 +++ new/src/lib/kadm5/clnt/client_principal.c |
2506 +++ new/src/lib/kadm5/clnt/client_principal.c |
2525 @@ -5,7 +5,7 @@ |
2507 @@ -5,7 +5,7 @@ |
2526 * $Header$ |
2508 * $Header$ |
2527 */ |
2509 */ |
2953 - status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, |
2935 - status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, |
2954 + status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int, |
2936 + status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int, |
2955 (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, |
2937 (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, |
2956 (caddr_t)&clnt_res, full_resync_timeout); |
2938 (caddr_t)&clnt_res, full_resync_timeout); |
2957 if (status == RPC_PROCUNAVAIL) { |
2939 if (status == RPC_PROCUNAVAIL) { |
2958 diff -pur new/src/tests/misc/Makefile.in patched.1/src/tests/misc/Makefile.in |
2940 diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in |
2959 --- new/src/tests/misc/Makefile.in 2016-02-29 11:50:13.000000000 -0800 |
2941 --- old/src/tests/misc/Makefile.in |
2960 +++ patched.1/src/tests/misc/Makefile.in 2016-03-19 08:15:59.222125882 -0700 |
2942 +++ new/src/tests/misc/Makefile.in |
2961 @@ -12,19 +12,17 @@ SRCS=\ |
2943 @@ -12,18 +12,16 @@ SRCS=\ |
2962 $(srcdir)/test_cxx_krb5.cpp \ |
2944 $(srcdir)/test_cxx_krb5.cpp \ |
2963 $(srcdir)/test_cxx_k5int.cpp \ |
2945 $(srcdir)/test_cxx_k5int.cpp \ |
2964 $(srcdir)/test_cxx_gss.cpp \ |
2946 $(srcdir)/test_cxx_gss.cpp \ |
2965 - $(srcdir)/test_cxx_rpc.cpp \ |
2947 - $(srcdir)/test_cxx_rpc.cpp \ |
2966 $(srcdir)/test_cxx_kadm5.cpp |
2948 $(srcdir)/test_cxx_kadm5.cpp |
2967 |
2949 |
2968 all:: test_getpw test_chpw_message |
2950 all:: test_getpw test_chpw_message |
2969 |
2951 |
2970 -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 |
2952 -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 |
2971 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 |
2953 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 |
2972 $(RUN_TEST) ./test_getpw |
2954 $(RUN_SETUP) $(VALGRIND) ./test_getpw |
2973 $(RUN_TEST) ./test_chpw_message |
2955 $(RUN_SETUP) $(VALGRIND) ./test_chpw_message |
2974 $(RUN_TEST) ./test_cxx_krb5 |
2956 $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 |
2975 $(RUN_TEST) ./test_cxx_k5int |
2957 $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int |
2976 $(RUN_TEST) ./test_cxx_gss |
2958 $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss |
2977 - $(RUN_TEST) ./test_cxx_rpc |
2959 - $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc |
2978 $(RUN_TEST) ./test_cxx_kadm5 |
2960 $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 |
2979 |
2961 |
2980 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) |
2962 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) |
2981 $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB) |
|
2982 @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. |
2963 @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. |
2983 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) |
2964 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) |
2984 test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) |
2965 test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) |
2985 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) |
2966 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) |
2986 -test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) |
2967 -test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) |
2998 clean:: |
2979 clean:: |
2999 - $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o |
2980 - $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o |
3000 + $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o |
2981 + $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o |
3001 |
2982 |
3002 diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py |
2983 diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py |
3003 --- old/src/tests/t_iprop.py 2016-02-29 11:50:13.000000000 -0800 |
2984 --- old/src/tests/t_iprop.py |
3004 +++ new/src/tests/t_iprop.py 2016-04-08 11:08:10.225701596 -0700 |
2985 +++ new/src/tests/t_iprop.py |
3005 @@ -1,44 +1,35 @@ |
2986 @@ -1,50 +1,35 @@ |
3006 #!/usr/bin/python |
2987 #!/usr/bin/python |
3007 |
2988 |
3008 import os |
2989 import os |
3009 -import re |
2990 -import re |
3010 |
2991 |
3014 # full_expected is true and we didn't see a full propagation or vice |
2995 # full_expected is true and we didn't see a full propagation or vice |
3015 # versa. |
2996 # versa. |
3016 -def wait_for_prop(kpropd, full_expected, expected_old, expected_new): |
2997 -def wait_for_prop(kpropd, full_expected, expected_old, expected_new): |
3017 +def wait_for_prop(kpropd, full_expected): |
2998 +def wait_for_prop(kpropd, full_expected): |
3018 output('*** Waiting for sync from kpropd\n') |
2999 output('*** Waiting for sync from kpropd\n') |
3019 - full_seen = sleep_seen = False |
3000 - full_seen = sleep_seen = prodded_after_dump = False |
3020 - old_sno = new_sno = -1 |
3001 - old_sno = new_sno = -1 |
3021 + full_seen = False |
3002 + full_seen = False |
3022 while True: |
3003 while True: |
3023 line = kpropd.stdout.readline() |
3004 line = kpropd.stdout.readline() |
3024 if line == '': |
3005 if line == '': |
3050 - # either order. |
3031 - # either order. |
3051 - if 'Waiting for' in line: |
3032 - if 'Waiting for' in line: |
3052 - sleep_seen = True |
3033 - sleep_seen = True |
3053 if 'load process for full propagation completed' in line: |
3034 if 'load process for full propagation completed' in line: |
3054 full_seen = True |
3035 full_seen = True |
3036 - if sleep_seen and full_seen and not prodded_after_dump: |
|
3037 - # Prod the kpropd parent into getting incrementals after |
|
3038 - # it finishes a DB load. This will be unnecessary if |
|
3039 - # kpropd is simplified to use a single process. |
|
3055 + # kpropd's child process has finished a DB load; make the parent |
3040 + # kpropd's child process has finished a DB load; make the parent |
3056 + # do another iprop request. This will be unnecessary if kpropd |
3041 + # do another iprop request. This will be unnecessary if kpropd |
3057 + # is simplified to use a single process. |
3042 + # is simplified to use a single process. |
3058 + kpropd.send_signal(signal.SIGUSR1) |
3043 kpropd.send_signal(signal.SIGUSR1) |
3044 - prodded_after_dump = True |
|
3059 |
3045 |
3060 # Detect some failure conditions. |
3046 # Detect some failure conditions. |
3061 if 'Still waiting for full resync' in line: |
3047 if 'Still waiting for full resync' in line: |
3062 @@ -54,98 +45,28 @@ def wait_for_prop(kpropd, full_expected, |
3048 @@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected, |
3063 if 'invalid return' in line: |
3049 if 'invalid return' in line: |
3064 fail('kadmind returned invalid result') |
3050 fail('kadmind returned invalid result') |
3065 |
3051 |
3066 - if full_expected and not full_seen: |
3052 - if full_expected and not full_seen: |
3067 - fail('Expected full dump but saw only incremental') |
3053 - fail('Expected full dump but saw only incremental') |
3107 - if m.group(1) != str(ser): |
3093 - if m.group(1) != str(ser): |
3108 - fail('Expected serial number %d in update entry' % ser) |
3094 - fail('Expected serial number %d in update entry' % ser) |
3109 - m = re.match(r'\tUpdate principal : (.*)$', line) |
3095 - m = re.match(r'\tUpdate principal : (.*)$', line) |
3110 - if m: |
3096 - if m: |
3111 - eprinc = entries[ser - first] |
3097 - eprinc = entries[ser - first] |
3112 - if eprinc == None: |
3098 - if m.group(1) != eprinc: |
3113 - fail('Expected dummy update entry %d' % ser) |
|
3114 - elif m.group(1) != eprinc: |
|
3115 - fail('Expected princ %s in update entry %d' % (eprinc, ser)) |
|
3116 - if line == '\tDummy entry': |
|
3117 - eprinc = entries[ser - first] |
|
3118 - if eprinc != None: |
|
3119 - fail('Expected princ %s in update entry %d' % (eprinc, ser)) |
3099 - fail('Expected princ %s in update entry %d' % (eprinc, ser)) |
3120 - |
3100 - |
3121 -# slave1 will receive updates from master, and slave2 will receive |
3101 -# slave1 will receive updates from master, and slave2 will receive |
3122 -# updates from slave1. Because of the awkward way iprop and kprop |
3102 -# updates from slave1. Because of the awkward way iprop and kprop |
3123 -# port configuration currently works, we need separate config files |
3103 -# port configuration currently works, we need separate config files |
3176 +realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) |
3156 +realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) |
3177 +slave = realm.special_env('slave', True, kdc_conf=conf_slave) |
3157 +slave = realm.special_env('slave', True, kdc_conf=conf_slave) |
3178 |
3158 |
3179 ulog = os.path.join(realm.testdir, 'db.ulog') |
3159 ulog = os.path.join(realm.testdir, 'db.ulog') |
3180 if not os.path.exists(ulog): |
3160 if not os.path.exists(ulog): |
3181 @@ -155,234 +76,114 @@ if not os.path.exists(ulog): |
3161 @@ -153,209 +74,117 @@ if not os.path.exists(ulog): |
3162 |
|
3163 # Create the principal used to authenticate kpropd to kadmind. |
|
3182 kiprop_princ = 'kiprop/' + hostname |
3164 kiprop_princ = 'kiprop/' + hostname |
3165 +realm.addprinc(kiprop_princ) |
|
3183 realm.extract_keytab(kiprop_princ, realm.keytab) |
3166 realm.extract_keytab(kiprop_princ, realm.keytab) |
3184 |
3167 |
3185 -# Create the initial slave1 and slave2 databases. |
3168 -# Create the initial slave1 and slave2 databases. |
3186 +# Create the slave db. |
3169 +# Create the slave db. |
3187 dumpfile = os.path.join(realm.testdir, 'dump') |
3170 dumpfile = os.path.join(realm.testdir, 'dump') |
3192 +realm.run([kdb5_util, 'stash', '-P', 'master'], slave) |
3175 +realm.run([kdb5_util, 'stash', '-P', 'master'], slave) |
3193 |
3176 |
3194 -# Reinitialize the master ulog so we know exactly what to expect in |
3177 -# Reinitialize the master ulog so we know exactly what to expect in |
3195 -# it. |
3178 -# it. |
3196 -realm.run([kproplog, '-R']) |
3179 -realm.run([kproplog, '-R']) |
3197 -check_ulog(1, 1, 1, [None]) |
3180 -check_ulog(0, 0, 0, []) |
3198 +# Make some changes to the master db. |
3181 +# Make some changes to the master db. |
3199 +realm.addprinc('wakawaka') |
3182 +realm.addprinc('wakawaka') |
3200 +# Add a principal enough to make realloc likely, but not enough to grow |
3183 +# Add a principal enough to make realloc likely, but not enough to grow |
3201 +# basic ulog entry size. |
3184 +# basic ulog entry size. |
3202 +c = 'chocolate-flavored-school-bus' |
3185 +c = 'chocolate-flavored-school-bus' |
3203 +cs = c + '/' |
3186 +cs = c + '/' |
3204 +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c |
3187 +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c |
3205 +realm.addprinc(longname) |
3188 +realm.addprinc(longname) |
3206 +realm.addprinc('w') |
3189 +realm.addprinc('w') |
3207 +realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) |
3190 +realm.run_kadminl('modprinc -allow_tix w') |
3208 +realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) |
3191 +realm.run_kadminl('modprinc +allow_tix w') |
3209 |
3192 |
3210 -# Make some changes to the master DB. |
3193 -# Make some changes to the master DB. |
3211 -realm.addprinc(pr1) |
3194 -realm.addprinc(pr1) |
3212 -realm.addprinc(pr3) |
3195 -realm.addprinc(pr3) |
3213 -realm.addprinc(pr2) |
3196 -realm.addprinc(pr2) |
3214 -realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) |
3197 -realm.run_kadminl('modprinc -allow_tix ' + pr2) |
3215 -realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) |
3198 -realm.run_kadminl('modprinc +allow_tix ' + pr2) |
3216 -check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2]) |
3199 -check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2]) |
3217 - |
3200 - |
3218 -# Start kpropd for slave1 and get a full dump from master. |
3201 -# Start kpropd for slave1 and get a full dump from master. |
3219 -kpropd1 = realm.start_kpropd(slave1, ['-d']) |
3202 -kpropd1 = realm.start_kpropd(slave1, ['-d']) |
3220 -wait_for_prop(kpropd1, True, 1, 6) |
3203 -wait_for_prop(kpropd1, True, 0, 5) |
3221 -out = realm.run([kadminl, 'listprincs'], env=slave1) |
3204 -out = realm.run_kadminl('listprincs', slave1) |
3222 -if pr1 not in out or pr2 not in out or pr3 not in out: |
3205 -if pr1 not in out or pr2 not in out or pr3 not in out: |
3223 - fail('slave1 does not have all principals from master') |
3206 - fail('slave1 does not have all principals from master') |
3224 -check_ulog(1, 6, 6, [None], slave1) |
3207 -check_ulog(0, 0, 5, [], slave1) |
3225 +check_serial(realm, '7') |
3208 +check_serial(realm, '7') |
3226 + |
3209 + |
3227 +# Set up the kpropd acl file. |
3210 +# Set up the kpropd acl file. |
3228 +acl_file = os.path.join(realm.testdir, 'kpropd-acl') |
3211 +acl_file = os.path.join(realm.testdir, 'kpropd-acl') |
3229 +acl = open(acl_file, 'w') |
3212 +acl = open(acl_file, 'w') |
3231 +acl.close() |
3214 +acl.close() |
3232 + |
3215 + |
3233 +# Start kpropd and get a full dump from master. |
3216 +# Start kpropd and get a full dump from master. |
3234 +kpropd = realm.start_kpropd(slave, ['-d']) |
3217 +kpropd = realm.start_kpropd(slave, ['-d']) |
3235 +wait_for_prop(kpropd, True) |
3218 +wait_for_prop(kpropd, True) |
3236 +out = realm.run([kadminl, 'listprincs'], env=slave) |
3219 +out = realm.run_kadminl('listprincs', slave) |
3237 +if longname not in out or 'wakawaka' not in out or 'w@' not in out: |
3220 +if longname not in out or 'wakawaka' not in out or 'w@' not in out: |
3238 + fail('Slave does not have all principals from master') |
3221 + fail('Slave does not have all principals from master') |
3239 |
3222 |
3240 # Make a change and check that it propagates incrementally. |
3223 # Make a change and check that it propagates incrementally. |
3241 -realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) |
3224 -realm.run_kadminl('modprinc -allow_tix ' + pr2) |
3242 -check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2]) |
3225 -check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2]) |
3243 -kpropd1.send_signal(signal.SIGUSR1) |
3226 -kpropd1.send_signal(signal.SIGUSR1) |
3244 -wait_for_prop(kpropd1, False, 6, 7) |
3227 -wait_for_prop(kpropd1, False, 5, 6) |
3245 -check_ulog(2, 6, 7, [None, pr2], slave1) |
3228 -check_ulog(1, 6, 6, [pr2], slave1) |
3246 -out = realm.run([kadminl, 'getprinc', pr2], env=slave1) |
3229 -out = realm.run_kadminl('getprinc ' + pr2, slave1) |
3247 +realm.run([kadminl, 'modprinc', '-allow_tix', 'w']) |
3230 +realm.run_kadminl('modprinc -allow_tix w') |
3248 +check_serial(realm, '8') |
3231 +check_serial(realm, '8') |
3249 +kpropd.send_signal(signal.SIGUSR1) |
3232 +kpropd.send_signal(signal.SIGUSR1) |
3250 +wait_for_prop(kpropd, False) |
3233 +wait_for_prop(kpropd, False) |
3251 +check_serial(realm, '8', slave) |
3234 +check_serial(realm, '8', slave) |
3252 +out = realm.run([kadminl, 'getprinc', 'w'], env=slave) |
3235 +out = realm.run_kadminl('getprinc w', slave) |
3253 if 'Attributes: DISALLOW_ALL_TIX' not in out: |
3236 if 'Attributes: DISALLOW_ALL_TIX' not in out: |
3254 - fail('slave1 does not have modification from master') |
3237 - fail('slave1 does not have modification from master') |
3255 + fail('Slave does not have modification from master') |
3238 + fail('Slave does not have modification from master') |
3256 |
3239 |
3257 -# Start kadmind -proponly for slave1. (Use the slave1m environment |
3240 -# Start kadmind -proponly for slave1. (Use the slave1m environment |
3269 -# the code), but slave2 defines iprop_port to $port8 so it will talk |
3252 -# the code), but slave2 defines iprop_port to $port8 so it will talk |
3270 -# to slave1. Get a full dump from slave1. |
3253 -# to slave1. Get a full dump from slave1. |
3271 -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, |
3254 -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, |
3272 - '-f', slave2_in_dump_path, '-p', kdb5_util, |
3255 - '-f', slave2_in_dump_path, '-p', kdb5_util, |
3273 - '-a', acl_file, '-A', hostname], 'ready', slave2) |
3256 - '-a', acl_file, '-A', hostname], 'ready', slave2) |
3274 -wait_for_prop(kpropd2, True, 1, 7) |
3257 -wait_for_prop(kpropd2, True, 0, 6) |
3275 -check_ulog(1, 7, 7, [None], slave2) |
3258 -check_ulog(0, 0, 6, [], slave2) |
3276 -out = realm.run([kadminl, 'listprincs'], env=slave1) |
3259 -out = realm.run_kadminl('listprincs', slave1) |
3277 -if pr1 not in out or pr2 not in out or pr3 not in out: |
3260 -if pr1 not in out or pr2 not in out or pr3 not in out: |
3278 - fail('slave2 does not have all principals from slave1') |
3261 - fail('slave2 does not have all principals from slave1') |
3279 - |
3262 - |
3280 -# Make another change and check that it propagates incrementally to |
3263 -# Make another change and check that it propagates incrementally to |
3281 -# both slaves. |
3264 -# both slaves. |
3282 -realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1]) |
3265 -realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1) |
3283 -check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1]) |
3266 -check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1]) |
3284 -kpropd1.send_signal(signal.SIGUSR1) |
3267 -kpropd1.send_signal(signal.SIGUSR1) |
3285 -wait_for_prop(kpropd1, False, 7, 8) |
3268 -wait_for_prop(kpropd1, False, 6, 7) |
3286 -check_ulog(3, 6, 8, [None, pr2, pr1], slave1) |
3269 -check_ulog(2, 6, 7, [pr2, pr1], slave1) |
3287 -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) |
3270 -out = realm.run_kadminl('getprinc ' + pr1, slave1) |
3288 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
3271 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
3289 - fail('slave1 does not have modification from master') |
3272 - fail('slave1 does not have modification from master') |
3290 -kpropd2.send_signal(signal.SIGUSR1) |
3273 -kpropd2.send_signal(signal.SIGUSR1) |
3291 -wait_for_prop(kpropd2, False, 7, 8) |
3274 -wait_for_prop(kpropd2, False, 6, 7) |
3292 -check_ulog(2, 7, 8, [None, pr1], slave2) |
3275 -check_ulog(1, 7, 7, [pr1], slave2) |
3293 -out = realm.run([kadminl, 'getprinc', pr1], env=slave2) |
3276 -out = realm.run_kadminl('getprinc ' + pr1, slave2) |
3294 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
3277 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
3295 - fail('slave2 does not have modification from slave1') |
3278 - fail('slave2 does not have modification from slave1') |
3296 - |
3279 - |
3297 -# Reset the ulog on slave1 to force a full resync from master. The |
3280 -# Reset the ulog on slave1 to force a full resync from master. The |
3298 -# resync will use the old dump file and then propagate changes. |
3281 -# resync will use the old dump file and then propagate changes. |
3299 -# slave2 should still be in sync with slave1 after the resync, so make |
3282 -# slave2 should still be in sync with slave1 after the resync, so make |
3300 -# sure it doesn't take a full resync. |
3283 -# sure it doesn't take a full resync. |
3301 -realm.run([kproplog, '-R'], slave1) |
3284 -realm.run([kproplog, '-R'], slave1) |
3302 -check_ulog(1, 1, 1, [None], slave1) |
3285 -check_ulog(0, 0, 0, [], slave1) |
3303 -kpropd1.send_signal(signal.SIGUSR1) |
3286 -kpropd1.send_signal(signal.SIGUSR1) |
3304 -wait_for_prop(kpropd1, True, 1, 8) |
3287 -wait_for_prop(kpropd1, True, 0, 7) |
3305 -check_ulog(3, 6, 8, [None, pr2, pr1], slave1) |
3288 -check_ulog(2, 6, 7, [pr2, pr1], slave1) |
3306 -kpropd2.send_signal(signal.SIGUSR1) |
3289 -kpropd2.send_signal(signal.SIGUSR1) |
3307 -wait_for_prop(kpropd2, False, 8, 8) |
3290 -wait_for_prop(kpropd2, False, 7, 7) |
3308 -check_ulog(2, 7, 8, [None, pr1], slave2) |
3291 -check_ulog(1, 7, 7, [pr1], slave2) |
3309 - |
3292 - |
3310 -# Make another change and check that it propagates incrementally to |
3293 -# Make another change and check that it propagates incrementally to |
3311 -# both slaves. |
3294 -# both slaves. |
3312 +# Make another change and check that it propagates incrementally. |
3295 +# Make another change and check that it propagates incrementally. |
3313 realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) |
3296 realm.run_kadminl('modprinc +allow_tix w') |
3314 -check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) |
3297 -check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) |
3315 -kpropd1.send_signal(signal.SIGUSR1) |
3298 -kpropd1.send_signal(signal.SIGUSR1) |
3316 -wait_for_prop(kpropd1, False, 8, 9) |
3299 -wait_for_prop(kpropd1, False, 7, 8) |
3317 -check_ulog(4, 6, 9, [None, pr2, pr1, pr2], slave1) |
3300 -check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1) |
3318 -out = realm.run([kadminl, 'getprinc', pr2], env=slave1) |
3301 -out = realm.run_kadminl('getprinc ' + pr2, slave1) |
3319 +check_serial(realm, '9') |
3302 +check_serial(realm, '9') |
3320 +kpropd.send_signal(signal.SIGUSR1) |
3303 +kpropd.send_signal(signal.SIGUSR1) |
3321 +wait_for_prop(kpropd, False) |
3304 +wait_for_prop(kpropd, False) |
3322 +check_serial(realm, '9', slave) |
3305 +check_serial(realm, '9', slave) |
3323 +out = realm.run([kadminl, 'getprinc', 'w'], env=slave) |
3306 +out = realm.run_kadminl('getprinc w', slave) |
3324 if 'Attributes:\n' not in out: |
3307 if 'Attributes:\n' not in out: |
3325 - fail('slave1 does not have modification from master') |
3308 - fail('slave1 does not have modification from master') |
3326 -kpropd2.send_signal(signal.SIGUSR1) |
3309 -kpropd2.send_signal(signal.SIGUSR1) |
3327 -wait_for_prop(kpropd2, False, 8, 9) |
3310 -wait_for_prop(kpropd2, False, 7, 8) |
3328 -check_ulog(3, 7, 9, [None, pr1, pr2], slave2) |
3311 -check_ulog(2, 7, 8, [pr1, pr2], slave2) |
3329 -out = realm.run([kadminl, 'getprinc', pr2], env=slave2) |
3312 -out = realm.run_kadminl('getprinc ' + pr2, slave2) |
3330 + fail('Slave does not have modification from master') |
3313 + fail('Slave does not have modification from master') |
3331 + |
3314 + |
3332 +# Reset the ulog on the slave side to force a full resync to the slave. |
3315 +# Reset the ulog on the slave side to force a full resync to the slave. |
3333 +realm.run([kproplog, '-R'], slave) |
3316 +realm.run([kproplog, '-R'], slave) |
3334 +check_serial(realm, 'None', slave) |
3317 +check_serial(realm, 'None', slave) |
3335 +kpropd.send_signal(signal.SIGUSR1) |
3318 +kpropd.send_signal(signal.SIGUSR1) |
3336 +wait_for_prop(kpropd, True) |
3319 +wait_for_prop(kpropd, True) |
3337 +check_serial(realm, '9', slave) |
3320 +check_serial(realm, '9', slave) |
3338 + |
3321 + |
3339 +# Make another change and check that it propagates incrementally. |
3322 +# Make another change and check that it propagates incrementally. |
3340 +realm.run([kadminl, 'modprinc', '+allow_tix', 'w']) |
3323 +realm.run_kadminl('modprinc +allow_tix w') |
3341 +check_serial(realm, '10') |
3324 +check_serial(realm, '10') |
3342 +kpropd.send_signal(signal.SIGUSR1) |
3325 +kpropd.send_signal(signal.SIGUSR1) |
3343 +wait_for_prop(kpropd, False) |
3326 +wait_for_prop(kpropd, False) |
3344 +check_serial(realm, '10', slave) |
3327 +check_serial(realm, '10', slave) |
3345 +out = realm.run([kadminl, 'getprinc', 'w'], env=slave) |
3328 +out = realm.run_kadminl('getprinc w', slave) |
3346 if 'Attributes:\n' not in out: |
3329 if 'Attributes:\n' not in out: |
3347 - fail('slave2 does not have modification from slave1') |
3330 - fail('slave2 does not have modification from slave1') |
3348 + fail('Slave has different state from master') |
3331 + fail('Slave has different state from master') |
3349 |
3332 |
3350 # Create a policy and check that it propagates via full resync. |
3333 # Create a policy and check that it propagates via full resync. |
3351 realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) |
3334 realm.run_kadminl('addpol -minclasses 2 testpol') |
3352 -check_ulog(1, 1, 1, [None]) |
3335 -check_ulog(0, 0, 0, []) |
3353 -kpropd1.send_signal(signal.SIGUSR1) |
3336 -kpropd1.send_signal(signal.SIGUSR1) |
3354 -wait_for_prop(kpropd1, True, 9, 1) |
3337 -wait_for_prop(kpropd1, True, 8, 0) |
3355 -check_ulog(1, 1, 1, [None], slave1) |
3338 -check_ulog(0, 0, 0, [], slave1) |
3356 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) |
3339 -out = realm.run_kadminl('getpol testpol', slave1) |
3357 +check_serial(realm, 'None') |
3340 +check_serial(realm, 'None') |
3358 +kpropd.send_signal(signal.SIGUSR1) |
3341 +kpropd.send_signal(signal.SIGUSR1) |
3359 +wait_for_prop(kpropd, True) |
3342 +wait_for_prop(kpropd, True) |
3360 +check_serial(realm, 'None', slave) |
3343 +check_serial(realm, 'None', slave) |
3361 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) |
3344 +out = realm.run_kadminl('getpol testpol', slave) |
3362 if 'Minimum number of password character classes: 2' not in out: |
3345 if 'Minimum number of password character classes: 2' not in out: |
3363 - fail('slave1 does not have policy from master') |
3346 - fail('slave1 does not have policy from master') |
3364 -kpropd2.send_signal(signal.SIGUSR1) |
3347 -kpropd2.send_signal(signal.SIGUSR1) |
3365 -wait_for_prop(kpropd2, True, 9, 1) |
3348 -wait_for_prop(kpropd2, True, 8, 0) |
3366 -check_ulog(1, 1, 1, [None], slave2) |
3349 -check_ulog(0, 0, 0, [], slave2) |
3367 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) |
3350 -out = realm.run_kadminl('getpol testpol', slave2) |
3368 -if 'Minimum number of password character classes: 2' not in out: |
3351 -if 'Minimum number of password character classes: 2' not in out: |
3369 - fail('slave2 does not have policy from slave1') |
3352 - fail('slave2 does not have policy from slave1') |
3370 + fail('Slave does not have policy from master') |
3353 + fail('Slave does not have policy from master') |
3371 |
3354 |
3372 # Modify the policy and test that it also propagates via full resync. |
3355 # Modify the policy and test that it also propagates via full resync. |
3373 realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) |
3356 realm.run_kadminl('modpol -minlength 17 testpol') |
3374 -check_ulog(1, 1, 1, [None]) |
3357 -check_ulog(0, 0, 0, []) |
3375 -kpropd1.send_signal(signal.SIGUSR1) |
3358 -kpropd1.send_signal(signal.SIGUSR1) |
3376 -wait_for_prop(kpropd1, True, 1, 1) |
3359 -wait_for_prop(kpropd1, True, 0, 0) |
3377 -check_ulog(1, 1, 1, [None], slave1) |
3360 -check_ulog(0, 0, 0, [], slave1) |
3378 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) |
3361 -out = realm.run_kadminl('getpol testpol', slave1) |
3379 -if 'Minimum password length: 17' not in out: |
3362 -if 'Minimum password length: 17' not in out: |
3380 - fail('slave1 does not have policy change from master') |
3363 - fail('slave1 does not have policy change from master') |
3381 -kpropd2.send_signal(signal.SIGUSR1) |
3364 -kpropd2.send_signal(signal.SIGUSR1) |
3382 -wait_for_prop(kpropd2, True, 1, 1) |
3365 -wait_for_prop(kpropd2, True, 0, 0) |
3383 -check_ulog(1, 1, 1, [None], slave2) |
3366 -check_ulog(0, 0, 0, [], slave2) |
3384 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) |
3367 -out = realm.run_kadminl('getpol testpol', slave2) |
3385 +check_serial(realm, 'None') |
3368 +check_serial(realm, 'None') |
3386 +kpropd.send_signal(signal.SIGUSR1) |
3369 +kpropd.send_signal(signal.SIGUSR1) |
3387 +wait_for_prop(kpropd, True) |
3370 +wait_for_prop(kpropd, True) |
3388 +check_serial(realm, 'None', slave) |
3371 +check_serial(realm, 'None', slave) |
3389 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave) |
3372 +out = realm.run_kadminl('getpol testpol', slave) |
3390 if 'Minimum password length: 17' not in out: |
3373 if 'Minimum password length: 17' not in out: |
3391 - fail('slave2 does not have policy change from slave1') |
3374 - fail('slave2 does not have policy change from slave1') |
3392 + fail('Slave does not have policy change from master') |
3375 + fail('Slave does not have policy change from master') |
3393 |
3376 |
3394 # Delete the policy and test that it propagates via full resync. |
3377 # Delete the policy and test that it propagates via full resync. |
3395 -realm.run([kadminl, 'delpol', 'testpol']) |
3378 realm.run_kadminl('delpol -force testpol') |
3396 -check_ulog(1, 1, 1, [None]) |
3379 -check_ulog(0, 0, 0, []) |
3397 -kpropd1.send_signal(signal.SIGUSR1) |
3380 -kpropd1.send_signal(signal.SIGUSR1) |
3398 -wait_for_prop(kpropd1, True, 1, 1) |
3381 -wait_for_prop(kpropd1, True, 0, 0) |
3399 -check_ulog(1, 1, 1, [None], slave1) |
3382 -check_ulog(0, 0, 0, [], slave1) |
3400 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1) |
3383 -out = realm.run_kadminl('getpol testpol', slave1) |
3401 +realm.run([kadminl, 'delpol', '-force', 'testpol']) |
|
3402 +check_serial(realm, 'None') |
3384 +check_serial(realm, 'None') |
3403 +kpropd.send_signal(signal.SIGUSR1) |
3385 +kpropd.send_signal(signal.SIGUSR1) |
3404 +wait_for_prop(kpropd, True) |
3386 +wait_for_prop(kpropd, True) |
3405 +check_serial(realm, 'None', slave) |
3387 +check_serial(realm, 'None', slave) |
3406 +out = realm.run([kadminl, 'getpol', 'testpol'], env=slave, expected_code=1) |
3388 +out = realm.run_kadminl('getpol testpol', slave) |
3407 if 'Policy does not exist' not in out: |
3389 if 'Policy does not exist' not in out: |
3408 - fail('slave1 did not get policy deletion from master') |
3390 - fail('slave1 did not get policy deletion from master') |
3409 -kpropd2.send_signal(signal.SIGUSR1) |
3391 -kpropd2.send_signal(signal.SIGUSR1) |
3410 -wait_for_prop(kpropd2, True, 1, 1) |
3392 -wait_for_prop(kpropd2, True, 0, 0) |
3411 -check_ulog(1, 1, 1, [None], slave2) |
3393 -check_ulog(0, 0, 0, [], slave2) |
3412 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1) |
3394 -out = realm.run_kadminl('getpol testpol', slave2) |
3413 -if 'Policy does not exist' not in out: |
3395 -if 'Policy does not exist' not in out: |
3414 - fail('slave2 did not get policy deletion from slave1') |
3396 - fail('slave2 did not get policy deletion from slave1') |
3415 - |
3397 - |
3416 -# Modify a principal on the master and test that it propagates incrementally. |
3398 -# Modify a principal on the master and test that it propagates via |
3417 -realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1]) |
3399 -# full resync. (The master's ulog does not remember the timestamp it |
3418 -check_ulog(2, 1, 2, [None, pr1]) |
3400 -# had at serial number 0, so it does not know that an incremental |
3401 -# propagation is possible.) |
|
3402 -realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1) |
|
3403 -check_ulog(1, 1, 1, [pr1]) |
|
3419 -kpropd1.send_signal(signal.SIGUSR1) |
3404 -kpropd1.send_signal(signal.SIGUSR1) |
3420 -wait_for_prop(kpropd1, False, 1, 2) |
3405 -wait_for_prop(kpropd1, True, 0, 1) |
3421 -check_ulog(2, 1, 2, [None, pr1], slave1) |
3406 -check_ulog(0, 0, 1, [], slave1) |
3422 -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) |
3407 -out = realm.run_kadminl('getprinc ' + pr1, slave1) |
3423 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
3408 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
3424 - fail('slave1 does not have modification from master') |
3409 - fail('slave1 does not have modification from master') |
3425 -kpropd2.send_signal(signal.SIGUSR1) |
3410 -kpropd2.send_signal(signal.SIGUSR1) |
3426 -wait_for_prop(kpropd2, False, 1, 2) |
3411 -wait_for_prop(kpropd2, True, 0, 1) |
3427 -check_ulog(2, 1, 2, [None, pr1], slave2) |
3412 -check_ulog(0, 0, 1, [], slave2) |
3428 -out = realm.run([kadminl, 'getprinc', pr1], env=slave2) |
3413 -out = realm.run_kadminl('getprinc ' + pr1, slave2) |
3429 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
3414 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
3430 - fail('slave2 does not have modification from slave1') |
3415 - fail('slave2 does not have modification from slave1') |
3431 - |
3416 - |
3432 -# Delete a principal and test that it propagates incrementally. |
3417 -# Delete a principal and test that it propagates incrementally to |
3433 -realm.run([kadminl, 'delprinc', pr3]) |
3418 -# slave1. slave2 needs another full resync because slave1 no longer |
3434 -check_ulog(3, 1, 3, [None, pr1, pr3]) |
3419 -# has serial number 1 in its ulog after processing its first |
3420 -# incremental update. |
|
3421 -realm.run_kadminl('delprinc -force ' + pr3) |
|
3422 -check_ulog(2, 1, 2, [pr1, pr3]) |
|
3435 -kpropd1.send_signal(signal.SIGUSR1) |
3423 -kpropd1.send_signal(signal.SIGUSR1) |
3436 -wait_for_prop(kpropd1, False, 2, 3) |
3424 -wait_for_prop(kpropd1, False, 1, 2) |
3437 -check_ulog(3, 1, 3, [None, pr1, pr3], slave1) |
3425 -check_ulog(1, 2, 2, [pr3], slave1) |
3438 -out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1) |
3426 -out = realm.run_kadminl('getprinc ' + pr3, slave1) |
3439 -if 'Principal does not exist' not in out: |
3427 -if 'Principal does not exist' not in out: |
3440 - fail('slave1 does not have principal deletion from master') |
3428 - fail('slave1 does not have principal deletion from master') |
3441 -kpropd2.send_signal(signal.SIGUSR1) |
3429 -kpropd2.send_signal(signal.SIGUSR1) |
3442 -wait_for_prop(kpropd2, False, 2, 3) |
3430 -wait_for_prop(kpropd2, True, 1, 2) |
3443 -check_ulog(3, 1, 3, [None, pr1, pr3], slave2) |
3431 -check_ulog(0, 0, 2, [], slave2) |
3444 -out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1) |
3432 -out = realm.run_kadminl('getprinc ' + pr3, slave2) |
3445 -if 'Principal does not exist' not in out: |
3433 -if 'Principal does not exist' not in out: |
3446 - fail('slave2 does not have principal deletion from slave1') |
3434 - fail('slave2 does not have principal deletion from slave1') |
3447 + fail('Slave did not get policy deletion from master') |
3435 + fail('Slave did not get policy deletion from master') |
3448 |
3436 |
3449 -# Reset the ulog on the master to force a full resync. |
3437 -# Reset the ulog on the master to force a full resync. |
3450 +# Reset the ulog on the master side to force a full resync to all slaves. |
3438 +# Reset the ulog on the master side to force a full resync to all slaves. |
3451 +# XXX Note that we only have one slave in this test, so we can't really |
3439 +# XXX Note that we only have one slave in this test, so we can't really |
3452 +# test this. |
3440 +# test this. |
3453 realm.run([kproplog, '-R']) |
3441 realm.run([kproplog, '-R']) |
3454 -check_ulog(1, 1, 1, [None]) |
3442 -check_ulog(0, 0, 0, []) |
3455 -kpropd1.send_signal(signal.SIGUSR1) |
3443 -kpropd1.send_signal(signal.SIGUSR1) |
3456 -wait_for_prop(kpropd1, True, 3, 1) |
3444 -wait_for_prop(kpropd1, True, 2, 0) |
3457 -check_ulog(1, 1, 1, [None], slave1) |
3445 -check_ulog(0, 0, 0, [], slave1) |
3458 -kpropd2.send_signal(signal.SIGUSR1) |
3446 -kpropd2.send_signal(signal.SIGUSR1) |
3459 -wait_for_prop(kpropd2, True, 3, 1) |
3447 -wait_for_prop(kpropd2, True, 2, 0) |
3460 -check_ulog(1, 1, 1, [None], slave2) |
3448 -check_ulog(0, 0, 0, [], slave2) |
3461 - |
|
3462 -# Stop the kprop daemons so we can test kpropd -t. |
|
3463 -stop_daemon(kpropd1) |
|
3464 -stop_daemon(kpropd2) |
|
3465 - |
|
3466 -# Test the case where no updates are needed. |
|
3467 -out = realm.run_kpropd_once(slave1, ['-d']) |
|
3468 -if 'KDC is synchronized' not in out: |
|
3469 - fail('Expected synchronized from kpropd -t') |
|
3470 -check_ulog(1, 1, 1, [None], slave1) |
|
3471 - |
|
3472 -# Make a change on the master and fetch it incrementally. |
|
3473 -realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1]) |
|
3474 -check_ulog(2, 1, 2, [None, pr1]) |
|
3475 -out = realm.run_kpropd_once(slave1, ['-d']) |
|
3476 -if 'Got incremental updates (sno=2 ' not in out: |
|
3477 - fail('Expected full dump and synchronized from kpropd -t') |
|
3478 -check_ulog(2, 1, 2, [None, pr1], slave1) |
|
3479 -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) |
|
3480 -if 'Maximum ticket life: 0 days 00:05:00' not in out: |
|
3481 - fail('slave1 does not have modification from master after kpropd -t') |
|
3482 - |
|
3483 -# Propagate a policy change via full resync. |
|
3484 -realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol']) |
|
3485 -check_ulog(1, 1, 1, [None]) |
|
3486 -out = realm.run_kpropd_once(slave1, ['-d']) |
|
3487 -if ('Full propagation transfer finished' not in out or |
|
3488 - 'KDC is synchronized' not in out): |
|
3489 - fail('Expected full dump and synchronized from kpropd -t') |
|
3490 -check_ulog(1, 1, 1, [None], slave1) |
|
3491 -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) |
|
3492 -if 'Minimum number of password character classes: 3' not in out: |
|
3493 - fail('slave1 does not have policy from master after kpropd -t') |
|
3494 +check_serial(realm, 'None') |
3449 +check_serial(realm, 'None') |
3495 +kpropd.send_signal(signal.SIGUSR1) |
3450 +kpropd.send_signal(signal.SIGUSR1) |
3496 +wait_for_prop(kpropd, True) |
3451 +wait_for_prop(kpropd, True) |
3497 +check_serial(realm, 'None', slave) |
3452 +check_serial(realm, 'None', slave) |
3498 |
3453 |
3532 - flags=['-S', 'kadmin/admin', |
3487 - flags=['-S', 'kadmin/admin', |
3533 + flags=['-S', 'kadmin/' + hostname, |
3488 + flags=['-S', 'kadmin/' + hostname, |
3534 '-c', self.kadmin_ccache] + flags) |
3489 '-c', self.kadmin_ccache] + flags) |
3535 |
3490 |
3536 def run_kadmin(self, query, **keywords): |
3491 def run_kadmin(self, query, **keywords): |
3537 /usr/gnu/bin/diff -pur old/src/tests/t_ccache.py new/src/tests/t_ccache.py |
|
3538 --- old/src/tests/t_ccache.py 2016-04-08 09:50:18.104351949 -0700 |
|
3539 +++ new/src/tests/t_ccache.py 2016-04-08 09:48:10.841275532 -0700 |
|
3540 @@ -51,7 +51,7 @@ realm.kinit(realm.user_princ, password(' |
|
3541 realm.run([klist, '-s']) |
|
3542 realm.kinit(realm.user_princ, password('user'), ['-l', '-1s']) |
|
3543 realm.run([klist, '-s'], expected_code=1) |
|
3544 -realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/admin']) |
|
3545 +realm.kinit(realm.user_princ, password('user'), ['-S', 'kadmin/changepw']) |
|
3546 realm.run([klist, '-s']) |
|
3547 realm.run([kdestroy]) |
|
3548 realm.run([klist, '-s'], expected_code=1) |