sssd_test_framework.roles.kdc

KDC multihost role.

Classes

`KDC`(args, *kwargs)	Kerberos KDC role.
`KDCPrincipal`(role, name)	Kerberos principals management.

class sssd_test_framework.roles.kdc.KDC(*args, **kwargs)

Bases: BaseLinuxRole[KDCHost]

Kerberos KDC role.

Provides unified Python API for managing objects in the Kerberos KDC.

Creating user and group

@pytest.mark.topology(KnownTopology.KDC)
def test_example(kdc: KDC):
    kdc.principal('tuser').add()

Note

The role object is instantiated automatically as a dynamic pytest fixture by the multihost plugin. You should not create the object manually.

realm: str: Default Kerberos realm.

tgt: str: Full name of Ticket Granting Ticket (e.g. krbtgt/REALM@REALM.

qualify(name: str) → str

Create a qualified principal name (princ@REALM).

Parameters:: name (str) – Principal name without the REALM part.
Returns:: Full principal name.
Return type:: str

kadmin(command: str) → ProcessResult

Run kadmin command on the KDC.

Parameters:: command (str) – kadmin command

list_principals() → list[str]

List existing Kerberos principals.

Returns:: List of Kerberos principals.
Return type:: list[str]

principal(name: str) → KDCPrincipal

Get Kerberos principal object.

Example usage

@pytest.mark.topology(KnownTopology.LDAP)
def test_example(client: Client, ldap: LDAP, kdc: KDC):
    ldap.user('tuser').add()
    kdc.principal('tuser').add()

    client.sssd.common.krb5_auth(kdc)
    client.sssd.start()

    with client.ssh('tuser', 'Secret123') as ssh:
        with client.auth.kerberos(ssh) as krb:
            assert krb.has_tgt(kdc.realm)

Parameters:: name (str) – Principal name.
Returns:: New principal object.
Return type:: KDCPrincipal

config() → str

Get krb5.conf contents.

Returns:: Kerberos configuration.
Return type:: str

class sssd_test_framework.roles.kdc.KDCPrincipal(role: KDC, name: str)

Bases: BaseObject[KDCHost, KDC]

Kerberos principals management.

Parameters:

role (KDC) – KDC role object.
name (str) – Principal name.

name: str: Principal name.

add(*, password: str | None = 'Secret123', requires_preauth: bool = False, args: str | None = None) → KDCPrincipal

Add a new Kerberos principal.

Random password is generated if password is None.

Parameters:

password (str | None) – Principal’s password, defaults to ‘Secret123’
requires_preauth (bool, optional) – Add +requires_preauth flag (for clock skew tests), defaults to False
args (str | None, optional) – Extra addprinc options (e.g. ‘+nokey’), defaults to None

Returns:

Self.

Return type:

KDCPrincipal

get() → dict[str, str]

Retrieve principal information.

Returns:: Principal information.
Return type:: dict[str, str]

delete() → None: Delete existing Kerberos principal.

set_string(key: str, value: str) → KDCPrincipal

Set principal’s string attribute.

Parameters:

key (str) – Attribute name.
value (str) – Atribute value.

Returns:

Self.

Return type:

KDCPrincipal

get_strings() → dict[str, str]

Get all principal’s string attributes.

Returns:: String attributes.
Return type:: dict[str, str]

get_string(key: str) → str | None

Get principal’s string attribute.

Parameters:: key (str) – Attribute name.
Returns:: Attribute’s value or None if not found.
Return type:: str | None