Adcli: adding class and methods for adcli

[shridhargadekar]

Adding adcli class, and methods including info, discovery, join

[jakub-vavra-cz]

There should be probably either domain or domain_controller.
The manual page states that it expects domain so I would go with that.
Getting both None or both populated is a recipe for a disaster.

[pbrezina]

I'd like to bring in Sumit as well.

I don't really know if we have use for this in SSSD, I don't really think so. I'm fine with including the patch though. However, in this case, operation that changes something must be also able to revert that change. In this case join, so this should be MultihostReentrantUtility.

[pbrezina]

Why do you use underscores on the methods name? Those should be all public methods, right?

[pbrezina]

default to None as well?

[shridhargadekar]

modified

[pbrezina]

Use **kwargs or *args to handle additional argument and keep only required arguments here. Otherwise it would be difficult to maintain.

[shridhargadekar]

ack

[sumit-bose]

I'd like to bring in Sumit as well.

I don't really know if we have use for this in SSSD, I don't really think so. I'm fine with including the patch though. However, in this case, operation that changes something must be also able to revert that change. In this case join, so this should be MultihostReentrantUtility.

Hi,

on which level the revert should work. E.g. before calling adcli join we can save the current keytab and restore it afterwards. But since the state on AD/Samba DC will be changed as well they keys from the old keytab won't work anymore. So it might be better to keep the new keytab or do a leave/join cycle with fixed options to get back into a defined state?

bye,
Sumit

[pbrezina]

I'd like to bring in Sumit as well.
I don't really know if we have use for this in SSSD, I don't really think so. I'm fine with including the patch though. However, in this case, operation that changes something must be also able to revert that change. In this case join, so this should be MultihostReentrantUtility.

Hi,

on which level the revert should work. E.g. before calling adcli join we can save the current keytab and restore it afterwards. But since the state on AD/Samba DC will be changed as well they keys from the old keytab won't work anymore. So it might be better to keep the new keytab or do a leave/join cycle with fixed options to get back into a defined state?

bye, Sumit

It's a question of how is it going to be used.

Right now, in sssd-test-framework, we have this: https://github.com/SSSD/sssd-test-framework/blob/master/sssd_test_framework/topology_controllers.py#L74

• pytest_setup -> each host performs a backup (only once at start)
• topology_setup -> run realmd join (only once when entering topology)
• topology teardown -> restore from the host backup (only once when leaving topology)

In adcli, I assume that Shridar is going to call adcli.join() insinde a test. So the logic should be:

MultihostUtility (cannot be used in MultihostHost objects, only in MultihostRole objects inside tests):

• utility.setup: do nothing or backup what is needed
• inside test: adcli.join
• utility.teardown: adcli.leave and clean up possible leftovers

MultihostReentrantUtility (cannot be used in MultihostHost objects and in MultihostRole objects):

• utility.__enter__: enter new setup level, do nothing or backup what is needed
• inside test or topology setup: adcli.join
• utility.__exit__: adcli.leave and clean up possible leftovers

Docs: https://pytest-mh.readthedocs.io/en/latest/articles/extending/multihost-utilities.html

Other way would be to rely on the backup/restore mechanisms to make sure everything is reverted after each test. But in this case, it needs to be thoroughly documented so the expectation is clear. That might be enough.

So it really depends on how is it going to be used.

[jakub-vavra-cz]

@pbrezina, @shridhargadekar : We will probably need a way to either skip topology setup/teardown (no enrolling) so we can join ourselves or create topologies like KnownTopology.UnjoinedAD that will have the machines but not enrolled client. We can use these for example for tests like ldap sasl authid that needs a specific setup (--user-principal=host/name@REALM) to work correctly.

[spoore1]

I think there are still some questions to be addressed but, it looks like a good start for an interface to adcli. My only question currently is about additional join options.

[spoore1]

Could we need to run join with additional options/arguments like computer name, host keytab, user principal or others? If we do, I think we might be able to use something like the arg list used in utils/tools.py in SSHKeyUtils.generate here:

https://github.com/SSSD/sssd-test-framework/blob/master/sssd_test_framework/utils/tools.py#L770

[spoore1]

Does the change work? I'd think you'd need to keep the domain inside the CLIBuilderArgs to do something like:

        if args is None:
            args = []

        bargs: CLIBuilderArgs = {
            "domain": (self.cli.option.POSITIONAL, domain),
        }
        self.host.conn.exec(["adcli", "join"] + self.cli.args(bargs) + [*args])

I haven't tested the above but, I'm just trying to mirror what was done in the SSHKeyUtils.generate(). Also, I'm not sure of the adcli command order. Maybe args should be right after the join?

[pbrezina]

Can be removed.

[pbrezina]

*args

[pbrezina]

Make a note that this utility does not revert changes.

Given the use case, I think it is fine to rely on reverting the AD host in the topology controller, but it needs to be documented.

[pbrezina]

Does this call write any files? Like /etc/krb5.keytab maybe? If yes, you need to call fs.backup(file) to make sure it is restored. For AD state, we can rely on the topology controller, but we should handle any changes done to the host.