2025-08-02 00:22:11 +03:00 · 2025-07-20 17:59:37 +02:00
parent 7900f319db
commit 18d0574a0f
3 changed files with 173 additions and 0 deletions
--- a/selftest/knownfail
+++ b/selftest/knownfail
@ -339,3 +339,6 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*

+# net ads kerberos
+samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_kinit.*
+samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_renew.*
--- a/source3/script/tests/test_net_ads_kerberos.sh
+++ b/source3/script/tests/test_net_ads_kerberos.sh
@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+	cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+	exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+mkdir -p "$PREFIX"/private
+PACFILE=$PREFIX/private/pacsave.$$
+
+KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache"
+rm -f "$KRB5CCNAME_PATH"
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos kinit" variants
+#################################################
+
+testit "net_ads_kerberos_kinit" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	|| failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+#	$VALGRIND $BINDIR/net ads kerberos kinit \
+#	-U$USERNAME%$PASSWORD $ADDARGS \
+#	--use-krb5-ccache=${KRB5CCNAME} \
+#	|| failed=$((failed + 1))
+
+testit "net_ads_kerberos_kinit (-P)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+	-P "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+	-P "$ADDARGS" \
+	|| failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+#	$VALGRIND $BINDIR/net ads kerberos kinit \
+#	-P $ADDARGS \
+#	--use-krb5-ccache=${KRB5CCNAME} \
+#	|| failed=$((failed + 1))
+
+
+#################################################
+## Test "net ads kerberos renew" variants
+#################################################
+
+#testit "net_ads_kerberos_renew" \
+#	$VALGRIND $BINDIR/net ads kerberos renew \
+#	-U$USERNAME%$PASSWORD $ADDARGS \
+#	|| failed=$((failed + 1))
+#
+#export KRB5CCNAME=$KRB5CCNAME_PATH
+#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \
+#	$VALGRIND $BINDIR/net ads kerberos renew \
+#	-U$USERNAME%$PASSWORD $ADDARGS \
+#	|| failed=$((failed + 1))
+#unset KRB5CCNAME
+#rm -f $KRB5CCNAME_PATH
+#
+# renew only succeeds with pre-kinit
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+testit "net_ads_kerberos_renew" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos renew \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	|| failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos pac" variants
+#################################################
+
+testit "net_ads_kerberos_pac_dump" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (-P)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+	-P "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+IMPERSONATE_PRINC="alice@$REALM"
+
+#testit "net_ads_kerberos_pac_dump (impersonate)" \
+#	$VALGRIND $BINDIR/net ads kerberos pac dump \
+#	-U$USERNAME%$PASSWORD \
+#	impersonate=$IMPERSONATE_PRINC $ADDARGS \
+#	|| failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (impersonate and -P)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+	-P \
+	impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \
+	|| failed=$((failed + 1))
+
+# no clue why this doesn't work...
+#
+#testit_expect_failure "net_ads_kerberos_pac_save (without filename)"
+#	$VALGRIND $BINDIR/net ads kerberos pac save \
+#	-U$USERNAME%$PASSWORD $ADDARGS \
+#	|| failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_save" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+	-U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+	filename="$PACFILE" \
+	|| failed=$((failed + 1))
+
+rm -f "$PACFILE"
+
+testit "net_ads_kerberos_pac_save (-P)" \
+	"$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+	-P "$ADDARGS" \
+	filename="$PACFILE" \
+	|| failed=$((failed + 1))
+
+rm -f "$PACFILE"
+rm -f "$KRB5CCNAME_PATH"
+
+testok "$0" "$failed"
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@ -1954,6 +1954,18 @@ plantestsuite(
     "bin/samba-tool",
     '$DNSNAME'])

+for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM" ]:
+    plantestsuite(
+        "samba3.blackbox.net_ads_kerberos (%s)" % auth,
+        "ad_member:local",
+        [os.path.join(samba3srcdir,
+                      "script/tests/test_net_ads_kerberos.sh"),
+         auth,
+         '$REALM',
+         '$DC_PASSWORD',
+         '$PREFIX',
+         configuration])
+
 plantestsuite("samba3.blackbox.force-user-unlink",
              "maptoguest:local",
              [os.path.join(samba3srcdir,