summaryrefslogtreecommitdiffstats
path: root/testprogs/blackbox/test_kinit.sh
diff options
context:
space:
mode:
Diffstat (limited to 'testprogs/blackbox/test_kinit.sh')
-rwxr-xr-xtestprogs/blackbox/test_kinit.sh555
1 files changed, 555 insertions, 0 deletions
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
new file mode 100755
index 0000000..d9fb6c4
--- /dev/null
+++ b/testprogs/blackbox/test_kinit.sh
@@ -0,0 +1,555 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (c) Andreas Schneider <asn@samba.org>
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 8 ]; then
+ cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+smbclient=$7
+CONFIGURATION="${8}"
+shift 8
+failed=0
+
+. "$(dirname "${0}")/subunit.sh"
+. "$(dirname "${0}")/common_test_fns.inc"
+
+samba_bindir="$BINDIR"
+samba_srcdir="$SRCDIR/source4"
+samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
+samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd)
+samba_kvno=$(system_or_builddir_binary kvno "${BINDIR}" samba4kvno)
+
+samba_tool="${samba_bindir}/samba-tool"
+samba_texpect="${samba_bindir}/texpect"
+
+samba_enableaccount="${samba_tool} user enable"
+machineaccountccache="${samba_srcdir}/scripting/bin/machineaccountccache"
+
+ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
+ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
+
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" = "samba4kinit" ]; then
+ # HEIMDAL
+ OPTION_RENEWABLE="--renewable"
+ OPTION_RENEW_TICKET="--renew"
+ OPTION_ENTERPRISE_NAME="--enterprise"
+ OPTION_CANONICALIZATION=""
+ OPTION_WINDOWS="--windows"
+ OPTION_SERVICE="-S"
+else
+ # MIT
+ OPTION_RENEWABLE="-r 1h"
+ OPTION_RENEW_TICKET="-R"
+ OPTION_ENTERPRISE_NAME="-E"
+ OPTION_CANONICALIZATION="-C"
+ OPTION_WINDOWS=""
+ OPTION_SERVICE="-S"
+fi
+
+TEST_USER="$(mktemp -u kinittest-XXXXXX)"
+UNC="//${SERVER}/tmp"
+
+ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}"
+export ADMIN_LDBMODIFY_CONFIG
+
+KRB5CCNAME_PATH="${PREFIX}/tmpccache"
+KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
+export KRB5CCNAME
+rm -rf "${KRB5CCNAME_PATH}"
+
+testit "reset password policies beside of minimum password age of 0 days" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
+ "${ADMIN_LDBMODIFY_CONFIG}" \
+ --complexity=default \
+ --history-length=default \
+ --min-pwd-length=default \
+ --min-pwd-age=0 \
+ --max-pwd-age=default || \
+ failed=$((failed + 1))
+
+###########################################################
+### Test kinit defaults
+###########################################################
+
+testit "kinit with password (initial)" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_RENEWABLE}" || \
+ failed=$((failed + 1))
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+testit "kinit renew ticket (initial)" \
+ "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with kerberos ccache (initial)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test kinit with enterprise principal
+###########################################################
+
+testit "kinit with password (enterprise style)" \
+ kerberos_kinit "${samba_kinit}" \
+ "${USERNAME}@${REALM}" "${PASSWORD}" "${OPTION_ENTERPRISE_NAME}" \
+ "${OPTION_RENEWABLE}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache (enterprise style)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+testit "kinit renew ticket (enterprise style)" \
+ "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with kerberos ccache (enterprise style)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Tests with kinit windows
+###########################################################
+
+# HEIMDAL ONLY
+if [ "${kbase}" = "samba4kinit" ]; then
+ testit "kinit with password (windows style)" \
+ kerberos_kinit "${samba_kinit}" \
+ "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_RENEWABLE}" "${OPTION_WINDOWS}" || \
+ failed=$((failed + 1))
+
+ test_smbclient "Test login with kerberos ccache (windows style)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+ testit "kinit renew ticket (windows style)" \
+ "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
+ failed=$((failed + 1))
+
+ test_smbclient "Test login with kerberos ccache (windows style)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+ rm -f "${KRB5CCNAME_PATH}"
+fi # HEIMDAL ONLY
+
+###########################################################
+### Tests with kinit default again
+###########################################################
+
+testit "kinit with password (default)" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
+ failed=$((failed + 1))
+
+testit "check time with kerberos ccache (default)" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" time "${SERVER}" \
+ "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+USERPASS="testPass@12%"
+
+testit "add user with kerberos ccache" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" user create \
+ "${TEST_USER}" "${USERPASS}" \
+ "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+echo "Getting defaultNamingContext"
+BASEDN=$(${ldbsearch} --basedn='' -H "ldap://${SERVER}" --scope=base \
+ DUMMY=x defaultNamingContext | awk '/defaultNamingContext/ {print $2}')
+
+
+TEST_UPN="$(mktemp -u test-XXXXXX)@${REALM}"
+cat >"${PREFIX}/tmpldbmodify" <<EOF
+dn: cn=${TEST_USER},cn=users,${BASEDN}
+changetype: modify
+add: servicePrincipalName
+servicePrincipalName: host/${TEST_USER}
+replace: userPrincipalName
+userPrincipalName: ${TEST_UPN}
+EOF
+
+testit "modify servicePrincipalName and userPrincpalName" \
+ "${VALGRIND}" "${ldbmodify}" -H "ldap://${SERVER}" "${PREFIX}/tmpldbmodify" \
+ --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+testit "set user password with kerberos ccache" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" \
+ --newpassword="${USERPASS}" "${CONFIGURATION}" \
+ --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+testit "enable user with kerberos cache" \
+ "${VALGRIND}" "${PYTHON}" "${samba_enableaccount}" "${TEST_USER}" \
+ -H "ldap://$SERVER" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+testit "kinit with new user password" \
+ kerberos_kinit "${samba_kinit}" "${TEST_USER}" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with new user kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test kinit after changing password with samba-tool
+###########################################################
+
+NEW_USERPASS="testPaSS@34%"
+testit "change user password with 'samba-tool user password' (rpc)" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" user password \
+ -W"${DOMAIN}" -U"${TEST_USER}%${USERPASS}" "${CONFIGURATION}" \
+ --newpassword="${NEW_USERPASS}" \
+ --use-kerberos=off "$@" || \
+ failed=$((failed + 1))
+
+testit "kinit with user password (after rpc password change)" \
+ kerberos_kinit "${samba_kinit}" \
+ "${TEST_USER}@${REALM}" "${NEW_USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos (after rpc password change)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+USERPASS="${NEW_USERPASS}"
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test kinit with UPN
+###########################################################
+
+testit "kinit with new (NT-Principal style) using UPN" \
+ kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache from NT UPN" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+testit "kinit with new (enterprise style) using UPN" \
+ kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
+ ${OPTION_ENTERPRISE_NAME} || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+# HEIMDAL ONLY
+if [ "${kbase}" = "samba4kinit" ]; then
+ testit "kinit with new (windows style) using UPN" \
+ kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
+ ${OPTION_WINDOWS} || \
+ failed=$((failed + 1))
+
+ test_smbclient "Test login with user kerberos ccache with (windows style) UPN" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+ rm -f "${KRB5CCNAME_PATH}"
+fi # HEIMDAL ONLY
+
+###########################################################
+### Tests with SPN
+###########################################################
+
+DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
+testit "kinit with password (SPN)" \
+ kerberos_kinit "${samba_kinit}" \
+ "http/testupnspn.${DNSDOMAIN}" "${PASSWORD}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with kerberos ccache (SPN)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test kinit with canonicalization
+###########################################################
+
+upperusername=$(echo "${USERNAME}" | tr '[:lower:]' '[:upper:]')
+testit "kinit with canonicalize and service" \
+ kerberos_kinit "${samba_kinit}" "${upperusername}@${REALM}" "${PASSWORD}" \
+ ${OPTION_CANONICALIZATION} \
+ ${OPTION_SERVICE} "kadmin/changepw@${REALM}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test kinit with user credentials and changed realm
+###########################################################
+
+testit "kinit with password (default)" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
+ failed=$((failed + 1))
+
+cat >"${PREFIX}/tmpldbmodify" <<EOF
+dn: cn=${TEST_USER},cn=users,$BASEDN
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: ${TEST_UPN}.org
+EOF
+
+testit "modify userPrincipalName to be a different domain" \
+ "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
+ "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
+ --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+testit "kinit with new (enterprise style) using UPN" \
+ kerberos_kinit "${samba_kinit}" "${TEST_UPN}.org" "${USERPASS}" \
+ ${OPTION_ENTERPRISE_NAME} || failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
+ "ls" "${UNC}" \
+ --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### Test password change with kpasswd
+###########################################################
+
+testit "kinit with user password" \
+ kerberos_kinit "${samba_kinit}" "${TEST_USER}@$REALM" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+NEWUSERPASS=testPaSS@56%
+
+if [ "${kbase}" = "samba4kinit" ]; then
+ # HEIMDAL
+ cat >"${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password
+password ${USERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Verify password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+else
+ # MIT
+ cat >"${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for
+password ${USERPASS}\n
+expect Enter new password
+send ${NEWUSERPASS}\n
+expect Enter it again
+send ${NEWUSERPASS}\n
+expect Password changed
+EOF
+fi
+
+testit "change user password with kpasswd" \
+ "${samba_texpect}" "${PREFIX}/tmpkpasswdscript" \
+ "${samba_kpasswd}" "${TEST_USER}@$REALM" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+USERPASS="${NEWUSERPASS}"
+
+testit "kinit with user password (after kpasswd)" \
+ kerberos_kinit "${samba_kinit}" \
+ "${TEST_USER}@${REALM}" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache (after kpasswd)" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+###########################################################
+### TODO Test set password with kpasswd
+###########################################################
+
+# This is not implemented in kpasswd
+
+###########################################################
+### Test password expiry
+###########################################################
+
+ cat >"${PREFIX}/tmpldbmodify" <<EOF
+dn: cn=${TEST_USER},cn=users,${BASEDN}
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+EOF
+
+ NEWUSERPASS=testPaSS@78%
+
+ testit "modify pwdLastSet" \
+ "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
+ "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
+ --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+if [ "${kbase}" = "samba4kinit" ]; then
+ # HEIMDAL branch
+ cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
+expect ${TEST_USER}@$REALM's Password
+send ${USERPASS}\n
+expect Password has expired
+expect New password
+send ${NEWUSERPASS}\n
+expect Repeat new password
+send ${NEWUSERPASS}\n
+EOF
+else
+ # MIT branch
+ cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
+expect Password for
+send ${USERPASS}\n
+expect Password expired. You must change it now.
+expect Enter new password
+send ${NEWUSERPASS}\n
+expect Enter it again
+send ${NEWUSERPASS}\n
+EOF
+
+fi # END MIT ONLY
+
+testit "kinit with user password for expired password" \
+ "${samba_texpect}" "$PREFIX/tmpkinituserpassscript" \
+ "${samba_kinit}" "${TEST_USER}@$REALM" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+USERPASS="${NEWUSERPASS}"
+
+testit "kinit with user password" \
+ kerberos_kinit "${samba_kinit}" \
+ "${TEST_USER}@${REALM}" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+###########################################################
+### Test login with lowercase realm
+###########################################################
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+rm -rf "${KRB5CCNAME_PATH}"
+
+testit "kinit with user password" \
+ kerberos_kinit "${samba_kinit}" "${TEST_USER}@${REALM}" "${USERPASS}" || \
+ failed=$((failed + 1))
+
+lowerrealm=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
+test_smbclient "Test login with user kerberos lowercase realm" \
+ "ls" "${UNC}" --use-kerberos=required \
+ -U"${TEST_USER}@${lowerrealm}%${NEWUSERPASS}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos lowercase realm 2" \
+ "ls" "${UNC}" --use-kerberos=required \
+ -U"${TEST_USER}@${REALM}%${NEWUSERPASS}" --realm="${lowerrealm}" || \
+ failed=$((failed + 1))
+
+testit "del user with kerberos ccache" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete \
+ "${TEST_USER}" "${CONFIGURATION}" \
+ --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
+ failed=$((failed + 1))
+
+###########################################################
+### Test login with machine account
+###########################################################
+
+rm -f "${KRB5CCNAME_PATH}"
+
+testit "kinit with machineaccountccache script" \
+ "${PYTHON}" "${machineaccountccache}" "${CONFIGURATION}" \
+ "${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+test_smbclient "Test machine account login with kerberos ccache" \
+ "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+testit "reset password policies" \
+ "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
+ "${ADMIN_LDBMODIFY_CONFIG}" \
+ --complexity=default \
+ --history-length=default \
+ --min-pwd-length=default \
+ --min-pwd-age=default \
+ --max-pwd-age=default || \
+ failed=$((failed + 1))
+
+###########################################################
+### Test basic s4u2self request
+###########################################################
+
+# MIT ONLY
+if [ "${kbase}" = "kinit" ]; then
+
+# Use previous acquired machine creds to request a ticket for self.
+# We expect it to fail for now.
+MACHINE_ACCOUNT="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${REALM}"
+
+${samba_kvno} -U"${MACHINE_ACCOUNT}" "${MACHINE_ACCOUNT}"
+
+# But we expect the KDC to be up and running still
+testit "kinit with machineaccountccache after s4u2self" \
+ "${machineaccountccache}" "${CONFIGURATION}" "${KRB5CCNAME}" || \
+ failed=$((failed + 1))
+
+fi # END MIT ONLY
+
+### Cleanup
+
+rm -f "${KRB5CCNAME_PATH}"
+rm -f "${PREFIX}/tmpkinituserpassscript"
+rm -f "${PREFIX}/tmpkinitscript"
+rm -f "${PREFIX}/tmpkpasswdscript"
+
+exit $failed
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-10 11:55:48 +0000