QA:Testcase freeipav2 authentication

{{QA/Test_Case
 * description=Authentication testing.
 * setup=
 * 1) Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
 * 2) Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
 * actions=

Prerequisities
To test authentication, we need to create a user first.

To create a user, kinit (or log in) as the admin user and run:

-- Added user "user1" --  User login: user1 First name: User Last name: One Full name: User One Display name: User One Initials: UO  Home directory: /home/user1 GECOS field: user1 Login shell: /bin/sh Kerberos principal: user1@IPA.EXAMPLE.COM UID: 197600003
 * 1) ipa user-add --first=User --last=One user1

Then assign the initial password to the user.

Password: Enter Password again to verify: -- Changed password for "user1@IPA.EXAMPLE.COM" --
 * 1) ipa passwd user1

A user1 will now be available, although its password must be changed at the first login.

NOTE: ipa user-add does not create a home directory, so you may need to create it to test a user login later. pam_mkhomedir can also be configured to aid in automatic creation of local home directories.

Password
Password Change Required - First kinit:

When a user is created, or when an administrator resets a user password, a password change is required for security reasons. The user can change its password by running kinit. If a password needs to be changed, kinit will automatically invoke kpasswd to perform a password change on the fly.

In the shell run:

Password for user1@IPA.EXAMPLE.COM: Password expired. You must change it now. Enter new password: Enter it again:
 * 1) kinit user1

The passwords will not be shown, the terminal will not output any character. You should use a password that meets the password policies or the password change may fail. A valid test password is 'Test1234'

NOTE: Now you have a TGT for user1, if you need to perform administration tasks you will need to kinit as admin again.

Password Doesn't Meet Policy Criteria:

Check password policies by trying to change the password for user1 and use a very short password like 'pwd':

Password for user1@IPA.EXAMPLE.COM: Enter new password: Enter it again: Password change rejected: Password change failed Err6: Password too short.
 * 1) kpasswd user1

Verify that you get the error above.

Password Meets Policy Criteria:

Try again to change your password and use a password like 'freeipa1' to verify that it allows you to change the password if it is longer than 8 chars.

Password for user1@IPA.EXAMPLE.COM: Enter new password: Enter it again: Password changed.
 * 1) kpasswd user1

SSH Login
Password based:

Once you have a valid user with a valid password, test it can login using ssh.

Password: Could not chdir to home directory /home/user1: No such file or directory
 * 1) ssh user1@localhost

NOTE: You will get the home directory warning if you have not created a home directory for the user. But the user will still be logged in.

SSO Login:

Now log out and try again after a kinit:

Password for user1@IPA.EXAMPLE.COM:
 * 1) kinit user1

You should be logged in without being asked for a password by ssh. Last login: Tue Feb 8 12:59:44 2011 from server.ipa.example.com >
 * 1) ssh user1@server.ipa.example.com

Additional authentication tests
Invalid Password:

Test that the system properly behaves wrt wrong passwords.

Remove any cached credentials


 * 1) kdestroy

Try to login via ssh and use the wrong password:

Password: Password: Password: user1@server.ipa.example.com's password: Permission denied, please try again. user1@server.ipa.example.com's password: Permission denied, please try again. user1@server.ipa.example.com's password: Received disconnect from 192.168.122.22: 2: Too many authentication failures for user1
 * 1) ssh user1@server.ipa.example.com

Account lockout:

By default a user can fail to authenticate only a few times. If a user fails to authenticate more times than the policy allows then the account is temporarily locked. (defaults should be 10 attempts and lock time 10min.)

Run kinit and provide a wrong password until the KDC refuses to give you a try:

Password for user1@IPA.EXAMPLE.COM: kinit: Password incorrect while getting initial credentials . . . kinit: Clients credentials have been revoked while getting initial credentials
 * 1) kinit user1
 * 1) kinit user1

Once this happens, try again with the right password and make sure you are still denied a ticket. Then wait for the lock timeout and try again with the right password. Make sure you get credentials now.

If you want to see details about the lockout you can show the user details with the --all switch (with admin user credentials).

The attribute krbloginfailedcount will show the number of failed attempts. The attribute krblastfailedauth containes the date (in UTC) of the last failed account. The account will be unlocked 10 minutes after this date.

dn: uid=user1,cn=users,cn=accounts,dc=ipa,dc=example,dc=com User login: user1 First name: User Last name: One Full name: User One Display name: User One Initials: UO  Home directory: /home/user1 GECOS field: user1 Login shell: /bin/sh Kerberos principal: user1@IPA.EXAMPLE.COM UID: 197600003 GID: 197600003 Account disabled: False Member of groups: ipausers ipauniqueid: f52859a6-339f-11e0-896a-5254009ccfc2 krblastfailedauth: 20110208202243Z krblastpwdchange: 20110208175427Z krblastsuccessfulauth: 20110208193126Z krbloginfailedcount: 10 krbpasswordexpiration: 20110509175427Z krbpwdpolicyreference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com mepmanagedentry: cn=user1,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry
 * 1) ipa user-show user1 --all

After you successfully logged in the krbloginfailedcount attribute should be 0, and krblastsuccessfulauth should be greater than krblastfailedauth

Graphical Login
Let's test a GDM login.

Test on the server or on a client. To make sure GDM is properly set up to accept freeipa login I suggest running


 * 1) init 3; sleep 2; init 5

In a root shell after ipa-client-install (or ipa-server-install) completes sucessfully.

When using freeipa logins for the first time, you may have to select "other.." from the user selection list in GDM in order to enter a Freeipa user name.

Enter your password and you should get into the Gnome Shell.

Password Doesn't Meet Policy Criteria:

If the user is brand new or after an administrative password reset, at login the user should be asked to change the password.

Let's reset a user's password to test this scenario.


 * 1) ipa passwd psmith

set something simple like freeipa123

Now go back to the GDM login screen an try to login. After the password is entered the user is asked to provide a new password, claiming the password is expired.

The GDM prompt may ask you to re-enter your valid password as the first thing, so check carefully what it is asking before entering new passwords.

Try to change to a simple password like 'password'.

GDM should show messages that the password is not strong enough and refuse your attempts, ultimately bringing you back to the main login screen.

Password Meets Policy Criteria:

Now try again using a good password.

To make sure the password change is accepted use a password like: 'T3s7Pwd1'

No Password Change Required:

Now logout from the gnome session, and log back in with the new password to make sure everything has worked successfully during the password change.

Screen Lock and Unlock - KRB Ticket Exists:

When you are logged into the desktop, a kerberos credential cache is generated for you.

Run klist to show it:

$ klist Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw Default principal: user1@IPA.EXAMPLE.COM

Valid starting    Expires            Service principal 02/10/11 09:49:34 02/11/11 09:49:34  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM renew until 02/11/11 09:49:37

Now, lock the screen with CTRL+ALT+L

And unlock the screensaver using the user password.

Run klist again:

$ klist Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw Default principal: user1@IPA.EXAMPLE.COM

Valid starting    Expires            Service principal 02/10/11 10:00:02 02/11/11 10:00:02  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM renew until 02/11/11 10:00:05

Verify that the Dates have changed meaning the krb TGT has been refreshed when the password was provided.

All the test steps should end with the specified results. }}
 * results=