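#!/bin/sh
# Blackbox tests for kinit and kerberos integration with smbclient etc
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
#
# Exercises certificate-based (PKINIT) Kerberos logon for one account while
# its UF_SMARTCARD_REQUIRED / enabled state is cycled:
#   STEP1  smartcard-required, no known password: password kinit, NTLM and
#          wbinfo must be refused, every PKINIT form must work
#   STEP2  smartcard-required, password now set:  NTLM works, password kinit
#          and wbinfo are still refused, PKINIT works
#   STEP3  ordinary account:                      everything works
#   STEP4  smartcard-required again:              as STEP1
#   STEP5  account disabled:                      every logon form is refused
#   STEP6  account deleted
#
# Environment: BINDIR and SRCDIR locate the built tools; PYTHON runs samba-tool.
# The helpers testit / testit_expect_failure come from subunit.sh and
# test_smbclient from common_test_fns.inc (both sourced below).
#
# Exit status is the number of failed checks, so 0 means everything passed.

if [ $# -lt 8 ]; then
	# The script reads eight positional arguments; the old guard only
	# required five, which left PREFIX/ENCTYPE/SMBCLIENT empty and made
	# 'shift 8' fail.
	cat <<EOF
Usage: ${0##*/} SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLIENT
EOF
	exit 1
fi

SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
PREFIX=$6
ENCTYPE=$7
smbclient=$8
shift 8

# Count of failed checks; also the exit status.
failed=0

samba4bindir="$BINDIR"
samba4srcdir="$SRCDIR/source4"

# Prefer the in-tree Heimdal tools when they were built, otherwise fall back
# to whatever kinit/kpasswd is on PATH.
samba4kinit=kinit
if test -x "$BINDIR/samba4kinit"; then
	samba4kinit="$BINDIR/samba4kinit"
fi

samba_tool="$samba4bindir/samba-tool"
wbinfo="$samba4bindir/wbinfo"

samba4kpasswd=kpasswd
if test -x "$BINDIR/samba4kpasswd"; then
	# Previously assigned to the misspelt name 'samba4passwd', so the
	# in-tree binary was never actually selected.
	samba4kpasswd="$BINDIR/samba4kpasswd"
fi

ldbmodify="ldbmodify"
if [ -x "$samba4bindir/ldbmodify" ]; then
	ldbmodify="$samba4bindir/ldbmodify"
fi
ldbsearch="ldbsearch"
if [ -x "$samba4bindir/ldbsearch" ]; then
	ldbsearch="$samba4bindir/ldbsearch"
fi

. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"

# Deliberately unquoted where used: it expands to two words ("-e" "$ENCTYPE").
enctype="-e $ENCTYPE"
unc="//$SERVER/tmp"

# Private credential cache for this run so a stale ticket from another test
# cannot satisfy a check that is expected to fail.
KRB5CCNAME_PATH="$PREFIX/tmpccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME

PASSFILE_PATH="$PREFIX/tmppassfile"

# Remove the ticket cache and the plaintext password file however the
# script ends; the originals were only deleted on the happy path after STEP6.
# NOTE(review): assumes the sourced helpers do not install their own EXIT
# trap, which would replace this one.
cleanup() {
	rm -f "$KRB5CCNAME_PATH" "$PASSFILE_PATH"
}
trap cleanup EXIT

rm -f "$KRB5CCNAME_PATH"
rm -f "$PASSFILE_PATH"
# Create the password file owner-only before the secret goes in, rather than
# letting the caller's umask decide who can read it. printf keeps a password
# that starts with '-' or contains backslashes intact, unlike echo.
(umask 077 && : >"$PASSFILE_PATH")
printf '%s\n' "$PASSWORD" >"$PASSFILE_PATH"

# The PKINIT test certificates are named after the lower-cased UPN.
USER_PRINCIPAL_NAME=$(printf '%s@%s\n' "$USERNAME" "$REALM" | tr A-Z a-z)
PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"

# NOTE(review): NTLM and wbinfo checks below pass the password on the command
# line (user%password), where it is visible in the process list. That is the
# only form the helpers accept and is tolerable inside the selftest sandbox
# only.

# Failure-counter convention: testit returns non-zero when the check failed,
# so '|| failed=...'. testit_expect_failure passes the wrapped command's
# status through, so a *successful* command is the test failure and the
# counter is bumped with '&& failed=...'. That is the form every other
# expect-failure check in this file uses; the four "wrong name" checks in
# STEP1 used '||' and therefore counted an expected rejection as a failure.
# (subunit.sh itself is not part of this file -- confirm if in doubt.)

# Each helper runs one PKINIT logon form for the given STEP label ($1):
# obtain a renewable TGT with a PAC, renew it, then use the ccache for an
# SMB logon. Test names are kept byte-identical to the previous inline
# versions so existing knownfail entries still match.
pkinit_by_name() {
	testit "$1 kinit with pkinit (name specified) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" "$USERNAME@$REALM" || failed=$((failed + 1))
	testit "$1 kinit renew ticket (name specified)" "$samba4kinit" --request-pac -R || failed=$((failed + 1))
	test_smbclient "$1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=$((failed + 1))
}

pkinit_by_enterprise_name() {
	testit "$1 kinit with pkinit (enterprise name specified)" "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --enterprise "$USERNAME@$REALM" || failed=$((failed + 1))
	testit "$1 kinit renew ticket (enterprise name specified)" "$samba4kinit" --request-pac -R || failed=$((failed + 1))
	test_smbclient "$1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=$((failed + 1))
}

pkinit_by_cert_name() {
	testit "$1 kinit with pkinit (enterprise name in cert)" "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --pk-enterprise || failed=$((failed + 1))
	testit "$1 kinit renew ticket (enterprise name in cert)" "$samba4kinit" --request-pac -R || failed=$((failed + 1))
	test_smbclient "$1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=$((failed + 1))
}

# STEP1:
# Now we set the UF_SMARTCARD_REQUIRED bit
# This means we have a normal enabled account *without* a known password
testit "STEP1 samba-tool user create $USERNAME --smartcard-required" $PYTHON "$samba_tool" user create "$USERNAME" --smartcard-required || failed=$((failed + 1))

testit_expect_failure "STEP1 kinit with password" "$samba4kinit" $enctype --password-file="$PASSFILE_PATH" --request-pac "$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP1 Test login with NTLM" "$smbclient" "$unc" -c 'ls' -k no -U"$USERNAME%$PASSWORD" && failed=$((failed + 1))
testit_expect_failure "STEP1 Test wbinfo with password" "$wbinfo" --authenticate="$DOMAIN/$USERNAME%$PASSWORD" && failed=$((failed + 1))

pkinit_by_name STEP1
# The certificate is bound to one UPN: a different user, or the server's
# name, must be rejected by the KDC.
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" "not$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" "$SERVER@$REALM" && failed=$((failed + 1))

pkinit_by_enterprise_name STEP1
# The second check previously spelt the principal as "$SERVER$@$REALM",
# splicing the leftover positional arguments into the name; it is meant to
# mirror the non-enterprise "wrong name specified 2" check above.
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --enterprise "not$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --enterprise "$SERVER@$REALM" && failed=$((failed + 1))

pkinit_by_cert_name STEP1

# STEP2:
# We still have UF_SMARTCARD_REQUIRED, but with a known password
testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" $PYTHON "$samba_tool" user setpassword "$USERNAME" --newpassword="$PASSWORD" || failed=$((failed + 1))

# Only NTLM is expected to accept the password here; Kerberos password
# logon and wbinfo must still be refused while the smartcard bit is set.
testit_expect_failure "STEP2 kinit with password" "$samba4kinit" $enctype --password-file="$PASSFILE_PATH" --request-pac "$USERNAME@$REALM" && failed=$((failed + 1))
test_smbclient "STEP2 Test login with NTLM" 'ls' "$unc" -k no -U"$USERNAME%$PASSWORD" || failed=$((failed + 1))
testit_expect_failure "STEP2 Test wbinfo with password" "$wbinfo" --authenticate="$DOMAIN/$USERNAME%$PASSWORD" && failed=$((failed + 1))

pkinit_by_name STEP2
pkinit_by_enterprise_name STEP2
pkinit_by_cert_name STEP2

# STEP3:
# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
# (the test name below says --smartcard-required for historical reasons;
# the flag is in fact cleared. Kept verbatim so knownfail entries match.)
testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON "$samba_tool" user setpassword "$USERNAME" --newpassword="$PASSWORD" --clear-smartcard-required || failed=$((failed + 1))

testit "STEP3 kinit with password" "$samba4kinit" $enctype --password-file="$PASSFILE_PATH" --request-pac "$USERNAME@$REALM" || failed=$((failed + 1))
test_smbclient "STEP3 Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=$((failed + 1))
test_smbclient "STEP3 Test login with NTLM" 'ls' "$unc" -k no -U"$USERNAME%$PASSWORD" || failed=$((failed + 1))
testit "STEP3 Test wbinfo with password" "$wbinfo" --authenticate="$DOMAIN/$USERNAME%$PASSWORD" || failed=$((failed + 1))

pkinit_by_name STEP3
pkinit_by_enterprise_name STEP3
pkinit_by_cert_name STEP3

# STEP4:
# Now we set the UF_SMARTCARD_REQUIRED bit
# This means we have a normal enabled account *without* a known password
testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON "$samba_tool" user setpassword "$USERNAME" --smartcard-required || failed=$((failed + 1))

testit_expect_failure "STEP4 kinit with password" "$samba4kinit" $enctype --password-file="$PASSFILE_PATH" --request-pac "$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP4 Test login with NTLM" "$smbclient" "$unc" -c 'ls' -k no -U"$USERNAME%$PASSWORD" && failed=$((failed + 1))
testit_expect_failure "STEP4 Test wbinfo with password" "$wbinfo" --authenticate="$DOMAIN/$USERNAME%$PASSWORD" && failed=$((failed + 1))

pkinit_by_name STEP4
pkinit_by_enterprise_name STEP4
pkinit_by_cert_name STEP4

# STEP5:
# disable the account
testit "STEP5 samba-tool user disable $USERNAME" $PYTHON "$samba_tool" user disable "$USERNAME" || failed=$((failed + 1))

# A disabled account must be refused by every logon form, PKINIT included:
# a valid certificate is not a substitute for the account being enabled.
testit_expect_failure "STEP5 kinit with password" "$samba4kinit" $enctype --password-file="$PASSFILE_PATH" --request-pac "$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP5 Test login with NTLM" "$smbclient" "$unc" -c 'ls' -k no -U"$USERNAME%$PASSWORD" && failed=$((failed + 1))
testit_expect_failure "STEP5 Test wbinfo with password" "$wbinfo" --authenticate="$DOMAIN/$USERNAME%$PASSWORD" && failed=$((failed + 1))

testit_expect_failure "STEP5 kinit with pkinit (name specified) " "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" "$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --enterprise "$USERNAME@$REALM" && failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" "$samba4kinit" $enctype --request-pac --renewable "$PKUSER" --pk-enterprise && failed=$((failed + 1))

# STEP6:
# cleanup (counted like every other check; it previously added 2)
testit "STEP6 samba-tool user delete $USERNAME" $PYTHON "$samba_tool" user delete "$USERNAME" || failed=$((failed + 1))

# The EXIT trap removes the ccache and password file.
exit $failed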