#!/bin/sh
# Blackbox tests for changing passwords with kinit and kpasswd
#
# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org>
# Copyright (c) 2016 Andreas Schneider <asn@samba.org>
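# All seven positional arguments are required; print the usage line and
# stop before anything is touched if they are missing.
if [ $# -lt 7 ]; then
	cat <<EOF
Usage: test_kpasswd_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX CONFIGURATION
EOF
	exit 1
fi

# NOTE(review): PASSWORD (the administrator password) reaches this script
# through argv, so it is visible in the process list while the script runs.
# That is only acceptable for a disposable test environment.
SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
PREFIX=$6
CONFIGURATION=${7}
shift 7

# Number of failed test cases; used as the script's exit status.
failed=0

samba_bindir="$BINDIR"

# kinit and kpasswd are looked up via PATH rather than in $samba_bindir.
samba_kinit=kinit
samba_kpasswd=kpasswd

smbclient="$samba_bindir/smbclient"
samba_tool="$samba_bindir/samba-tool"
# net_tool and newuser hold a command plus arguments and are therefore
# expanded unquoted where they are used.
net_tool="$samba_bindir/net ${CONFIGURATION}"
texpect="$samba_bindir/texpect"

newuser="$samba_tool user create ${CONFIGURATION}"

SMB_UNC="//$SERVER/tmp"

# Quote both the script path and the dirname result so that a checkout
# path containing whitespace or glob characters still resolves to the
# helper libraries that sit next to this script.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"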
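# Obtain a Kerberos ticket for a principal by feeding the password to the
# kinit command on standard input, which keeps the password out of argv.
#
# Globals:   samba_kinit (read); principal, password (written)
# Arguments: $1 - principal
#            $2 - password
#            any further arguments are ignored
# Returns:   exit status of the kinit command
do_kinit()
{
	principal="$1"
	password="$2"

	# printf with a fixed format passes the password through unchanged.
	# An unquoted echo would word-split and glob-expand the value and
	# would swallow passwords that look like echo options (e.g. "-n").
	# $samba_kinit is deliberately left unquoted, as in the rest of the
	# script, so that it may carry a command plus options.
	printf '%s\n' "$password" | $samba_kinit "$principal"
}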
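# Write an expect script, read from stdin, to the path given as $1.
# The scripts contain the test account's passwords in clear text, so the
# file is recreated under a restrictive umask. The subshell keeps that
# umask from leaking into the rest of the test run.
write_expect_script()
{
	(umask 077 && rm -f -- "$1" && cat >"$1")
}

# Conventions used below:
#  - command variables ($VALGRIND, $PYTHON, $samba_tool, $newuser,
#    $net_tool, $texpect, $samba_kinit, $samba_kpasswd) stay unquoted
#    because they may be empty or hold a command plus arguments;
#  - data arguments (user names, principals, passwords, paths) are quoted.
#
# NOTE(review): several commands below receive passwords on the command
# line (-U user%password, --newpassword=...), which exposes them in the
# process list while the command runs. The test account is created and
# deleted by this script, but the administrator password is passed the
# same way; run this only against a disposable test domain.

testit "reset password policies beside of minimum password age of 0 days" \
	$VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" \
	--complexity=default --history-length=default --min-pwd-length=default \
	--min-pwd-age=0 --max-pwd-age=default || failed=$((failed + 1))

# mktemp -u only generates a unique name here; it is used as the account
# name, not as a file.
TEST_USERNAME="$(mktemp -u samson-XXXXXX)"
TEST_PASSWORD="testPaSS@00%"
TEST_PASSWORD_NEW="testPaSS@01%"
TEST_PASSWORD_SHORT="secret"
TEST_PASSWORD_WEAK="Supersecret"
TEST_PRINCIPAL="$TEST_USERNAME@$REALM"

testit "create user locally" \
	$VALGRIND $PYTHON $newuser "${CONFIGURATION}" "$TEST_USERNAME" "$TEST_PASSWORD" || failed=$((failed + 1))

KRB5CCNAME="$PREFIX/tmpuserccache"
export KRB5CCNAME

testit "kinit with user password" \
	do_kinit "$TEST_PRINCIPAL" "$TEST_PASSWORD" || failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache" \
	"ls" "$SMB_UNC" --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

testit "change user password with 'samba-tool user password' (unforced)" \
	$VALGRIND $PYTHON $samba_tool user password -W"$DOMAIN" \
	-U"$TEST_USERNAME%$TEST_PASSWORD" --use-kerberos=off \
	--newpassword="$TEST_PASSWORD_NEW" || failed=$((failed + 1))

# Rotate the password variables after every successful change so that
# TEST_PASSWORD always holds the password currently set on the account.
TEST_PASSWORD_OLD=$TEST_PASSWORD
TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@02%"

testit "kinit with user password" \
	do_kinit "$TEST_PRINCIPAL" "$TEST_PASSWORD" || failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache" \
	"ls" "$SMB_UNC" --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

###########################################################
### check that a password mismatch is detected
###########################################################

write_expect_script "$PREFIX/tmpkpasswdscript" <<EOF
expect Password for $TEST_PRINCIPAL
password ${TEST_PASSWORD}\n
expect Enter new password
send ${TEST_PASSWORD_WEAK}\n
expect Enter it again
send ${TEST_PASSWORD_NEW}\n
expect kpasswd: Password mismatch while reading password
EOF

testit_expect_failure "kpasswd check password mismatch" \
	$texpect "$PREFIX/tmpkpasswdscript" $samba_kpasswd "$TEST_PRINCIPAL" || failed=$((failed + 1))

###########################################################
### check that a short password is rejected
###########################################################

write_expect_script "$PREFIX/tmpkpasswdscript" <<EOF
expect Password for $TEST_PRINCIPAL
password ${TEST_PASSWORD}\n
expect Enter new password
send ${TEST_PASSWORD_SHORT}\n
expect Enter it again
send ${TEST_PASSWORD_SHORT}\n
expect Password change rejected: Password too short, password must be at least 7 characters long
EOF

testit_expect_failure "kpasswd check short user password" \
	$texpect "$PREFIX/tmpkpasswdscript" $samba_kpasswd "$TEST_PRINCIPAL" || failed=$((failed + 1))

###########################################################
### check that a weak password is rejected
###########################################################

write_expect_script "$PREFIX/tmpkpasswdscript" <<EOF
expect Password for $TEST_PRINCIPAL
password ${TEST_PASSWORD}\n
expect Enter new password
send ${TEST_PASSWORD_WEAK}\n
expect Enter it again
send ${TEST_PASSWORD_WEAK}\n
expect Password change rejected: Password does not meet complexity requirement
EOF

testit_expect_failure "kpasswd check weak user password" \
	$texpect "$PREFIX/tmpkpasswdscript" $samba_kpasswd "$TEST_PRINCIPAL" || failed=$((failed + 1))

###########################################################
### check that a strong password is accepted
###########################################################

write_expect_script "$PREFIX/tmpkpasswdscript" <<EOF
expect Password for $TEST_PRINCIPAL
password ${TEST_PASSWORD}\n
expect Enter new password
send ${TEST_PASSWORD_NEW}\n
expect Enter it again
send ${TEST_PASSWORD_NEW}\n
expect Password changed.
EOF

testit "kpasswd change user password" \
	$texpect "$PREFIX/tmpkpasswdscript" $samba_kpasswd "$TEST_PRINCIPAL" || failed=$((failed + 1))

TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@03%"

test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" \
	--use-kerberos=required -U"$TEST_PRINCIPAL%$TEST_PASSWORD" || failed=$((failed + 1))

###########################################################
### Force password change at login
###########################################################

testit "set password on user locally" \
	$VALGRIND $PYTHON $samba_tool user setpassword "$TEST_USERNAME" "${CONFIGURATION}" \
	--newpassword="$TEST_PASSWORD_NEW" --must-change-at-next-login || failed=$((failed + 1))

TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@04%"

write_expect_script "$PREFIX/tmpkinitscript" <<EOF
expect Password for $TEST_PRINCIPAL
password ${TEST_PASSWORD}\n
expect Password expired
expect Enter new password
send ${TEST_PASSWORD_NEW}\n
expect Enter it again
send ${TEST_PASSWORD_NEW}\n
EOF

testit "kinit and change user password" \
	$texpect "$PREFIX/tmpkinitscript" $samba_kinit "$TEST_PRINCIPAL" || failed=$((failed + 1))

TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@05%"

test_smbclient "Test login with user kerberos" \
	"ls" "$SMB_UNC" --use-kerberos=required -U"$TEST_PRINCIPAL%$TEST_PASSWORD" || failed=$((failed + 1))

###########################################################
### Test kpasswd service via 'net ads password'
###########################################################

testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
	$VALGRIND $net_tool ads password -W"$DOMAIN" -U"$TEST_PRINCIPAL%$TEST_PASSWORD" \
	"$TEST_PRINCIPAL" "$TEST_PASSWORD_NEW" || failed=$((failed + 1))

# The password rotation and NTLM login check after the user-initiated
# 'net ads password' change are disabled in the original script; they are
# kept here, still commented out, for reference.
#TEST_PASSWORD=$TEST_PASSWORD_NEW
#TEST_PASSWORD_NEW="testPaSS@06%"

#test_smbclient "Test login with smbclient (ntlm)" \
#	"ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`

###########################################################
### Test kpasswd service via 'net ads password' as admin
###########################################################

testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
	$VALGRIND $net_tool ads password -W"$DOMAIN" -U"$USERNAME@$REALM%$PASSWORD" \
	"$TEST_PRINCIPAL" "$TEST_PASSWORD_NEW" || failed=$((failed + 1))

TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@07%"

test_smbclient "Test login with smbclient (ntlm)" \
	"ls" "$SMB_UNC" --use-kerberos=disabled -U"$TEST_PRINCIPAL%$TEST_PASSWORD" || failed=$((failed + 1))

###########################################################
### Cleanup
###########################################################

testit "reset password policies" \
	$VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" \
	--complexity=default --history-length=default --min-pwd-length=default \
	--min-pwd-age=default --max-pwd-age=default || failed=$((failed + 1))

testit "delete user" \
	$VALGRIND $PYTHON $samba_tool user delete "$TEST_USERNAME" -U"$USERNAME%$PASSWORD" \
	"${CONFIGURATION}" --use-kerberos=off || failed=$((failed + 1))

# Remove the credential cache and the expect scripts, which hold the test
# passwords. Quoting keeps a PREFIX with whitespace or glob characters from
# expanding into unrelated paths, and "--" stops option parsing.
rm -f -- "$PREFIX/tmpuserccache" "$PREFIX/tmpkpasswdscript" "$PREFIX/tmpkinitscript"

exit "$failed"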