From: Anoop C S
Date: Sun, 7 Jun 2026 11:46:33 +0000 (+0530)
Subject: qa/smb: Test SID resolution in AD joined containers
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=31e1c7bd5e461dca0a07b6c631f738272360c549;p=ceph.git
qa/smb: Test SID resolution in AD joined containers
Verify that rpcclient lookupsids resolves domain user SIDs correctly inside the smbd container, preventing regressions on /run bind mount permissions that break smbd to winbindd communication.
Fixes: https://tracker.ceph.com/issues/77120
Signed-off-by: Anoop C S
---
diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_domain.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_domain.yaml
index 3e03c04613e..d35caff6ad5 100644
--- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_domain.yaml
+++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_domain.yaml
@@ -62,7 +62,7 @@ tasks:
 timeout: 1h
 clients:
 client.0:
- - [default, hosts_access]
+ - [default, hosts_access, domain]
 - cephadm.shell:
 host.a:
diff --git a/qa/workunits/smb/tests/cephutil.py b/qa/workunits/smb/tests/cephutil.py
index 350b9db092c..3da118db4d5 100644
--- a/qa/workunits/smb/tests/cephutil.py
+++ b/qa/workunits/smb/tests/cephutil.py
@@ -1,5 +1,6 @@
 import enum
 import json
+import shlex
 import subprocess
@@ -66,3 +67,27 @@ def cephadm_shell_cmd(
 elif load is LoadJSON.ERROR:
 return JSONResult(proc.returncode, None, proc.stderr.decode())
 return proc
+
+
+def cephadm_enter_cmd(smb_cfg, cluster_id, args, **kwargs):
+ """Run a command inside the primary smbd container for the given
+ cluster_id on the cluster's admin node (derived via smb_cfg).
+ All kwargs are treated as arguments to subprocess.run.
+ """
+ remote_cmd = [
+ 'sudo',
+ f'/home/{smb_cfg.ssh_user}/cephtest/cephadm',
+ 'enter',
+ '-i',
+ f'smb.{cluster_id}',
+ ] + list(args)
+ cmd = [
+ 'ssh',
+ '-oBatchMode=yes',
+ '-oUserKnownHostsFile=/dev/null',
+ '-oStrictHostKeyChecking=no',
+ '-q',
+ f'{smb_cfg.ssh_user}@{smb_cfg.ssh_admin_host}',
+ shlex.join(remote_cmd),
+ ]
+ return subprocess.run(cmd, **kwargs)
diff --git a/qa/workunits/smb/tests/pytest.ini b/qa/workunits/smb/tests/pytest.ini
index abba05e6cb8..982770c13c4 100644
--- a/qa/workunits/smb/tests/pytest.ini
+++ b/qa/workunits/smb/tests/pytest.ini
@@ -6,3 +6,4 @@ markers =
 hosts_access: Host access tests
 rate_limiting: Rate limit tests
 ceph_smb_ctl_local: Local/container test of ceph-smb-ctl tool
+ domain: Domain integration tests
diff --git a/qa/workunits/smb/tests/test_sid_resolution.py b/qa/workunits/smb/tests/test_sid_resolution.py
new file mode 100644
index 00000000000..b7ec0477b38
--- /dev/null
+++ b/qa/workunits/smb/tests/test_sid_resolution.py
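Review bot: In `cephadm_enter_cmd` (cephutil.py), the ssh options `-oUserKnownHostsFile=/dev/null` and `-oStrictHostKeyChecking=no` turn off host-key verification, so the admin host is never authenticated, and the test added in this commit passes a domain password through that same session. If this is deliberate because the QA nodes are short-lived (the hunk does not say), record it next to the options, e.g. `# Host keys are not verified: QA nodes are reprovisioned between runs; do not reuse these options outside the test lab.` The docstring should also state that `args` is quoted with `shlex.join` and executed under `sudo` on the admin node, because callers need to know the command is re-parsed by a remote shell. Separately, nothing bounds the call: a caller that omits `timeout` blocks on a hung ssh or `cephadm enter`, so consider `kwargs.setdefault('timeout', DEFAULT_TIMEOUT)`, where `DEFAULT_TIMEOUT` is a placeholder for a constant you choose.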
@@ -0,0 +1,46 @@
+import pytest
+
+import cephutil
+import smbutil
+
+
+@pytest.mark.domain
+def test_sid_resolution(smb_cfg):
+ """Verify that rpcclient lookupsids resolves domain user SIDs correctly
+ inside the smbd container, preventing regressions on /run bind mount
+ permissions that break smbd to winbindd communication (tracker#77120).
+ """
+ cluster_id = smbutil.get_shares(smb_cfg)[0]['cluster_id']
+ username = smb_cfg.username
+ password = smb_cfg.password
+
+ result = cephutil.cephadm_enter_cmd(
+ smb_cfg,
+ cluster_id,
+ ['wbinfo', '-n', username],
+ capture_output=True,
+ check=True,
+ )
+ user_sid = result.stdout.decode().split()[0]
+ assert user_sid.startswith('S-'), f'unexpected SID format: {user_sid}'
+
+ auth = f'{username}%{password}'
+ result = cephutil.cephadm_enter_cmd(
+ smb_cfg,
+ cluster_id,
+ [
+ 'rpcclient',
+ 'localhost',
+ '-U',
+ auth,
+ '-c',
+ f'lookupsids {user_sid}',
+ ],
+ capture_output=True,
+ check=True,
+ )
+ output = result.stdout.decode()
+ short_name = username.split('\\')[-1]
+ assert short_name in output, (
+ f'SID resolution failed: {short_name!r} not found in: {output}'
+ )
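Review bot: The `rpcclient` call in `test_sid_resolution` puts the domain password in argv (`auth = f'{username}%{password}'` passed via `-U`), and because `check=True` is set, a non-zero exit raises `subprocess.CalledProcessError`, whose message prints the full command, so the password lands in the pytest traceback and any archived test log. While the command runs it is also visible in process listings on the admin host and inside the container. Prefer keeping the secret out of argv (Samba clients accept `-A`/`--authentication-file`), or at minimum drop `check=True` for this call and assert on the return code with a message that omits the command, e.g. `assert result.returncode == 0, f'rpcclient failed: {result.stderr.decode()}'`. A short comment above `auth` noting that `smb_cfg.password` is a lab-only test credential would also help, if that is the case.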