mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported with MIT Kerberos. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
c27f17df37
commit
6a125b0ac9
1
selftest/skip_mit_kdc_pre_1_20
Normal file
1
selftest/skip_mit_kdc_pre_1_20
Normal file
@ -0,0 +1 @@
|
|||||||
|
^samba4.blackbox.pkinit_simple
|
@ -258,6 +258,9 @@ def cmd_testonly(opt):
|
|||||||
|
|
||||||
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
|
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
|
||||||
env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
|
env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
|
||||||
|
if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'):
|
||||||
|
env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20"
|
||||||
|
|
||||||
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
||||||
"knownfail_mit_kdc"
|
"knownfail_mit_kdc"
|
||||||
|
|
||||||
|
@ -555,17 +555,6 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join
|
|||||||
plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
|
plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
|
||||||
|
|
||||||
if have_heimdal_support:
|
if have_heimdal_support:
|
||||||
plantestsuite("samba4.blackbox.pkinit",
|
|
||||||
"ad_dc:local",
|
|
||||||
[os.path.join(bbdir, "test_pkinit_simple.sh"),
|
|
||||||
'$SERVER',
|
|
||||||
'pkinit',
|
|
||||||
'$PASSWORD',
|
|
||||||
'$REALM',
|
|
||||||
'$DOMAIN',
|
|
||||||
'$PREFIX/ad_dc',
|
|
||||||
"aes256-cts-hmac-sha1-96",
|
|
||||||
smbclient3, configuration])
|
|
||||||
plantestsuite("samba4.blackbox.pkinit_pac",
|
plantestsuite("samba4.blackbox.pkinit_pac",
|
||||||
"ad_dc:local",
|
"ad_dc:local",
|
||||||
[os.path.join(bbdir, "test_pkinit_pac_heimdal.sh"),
|
[os.path.join(bbdir, "test_pkinit_pac_heimdal.sh"),
|
||||||
@ -596,6 +585,18 @@ else:
|
|||||||
plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
|
plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
|
||||||
plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
|
plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
|
||||||
|
|
||||||
|
plantestsuite("samba4.blackbox.pkinit_simple",
|
||||||
|
"ad_dc:local",
|
||||||
|
[os.path.join(bbdir, "test_pkinit_simple.sh"),
|
||||||
|
'$SERVER',
|
||||||
|
'pkinit',
|
||||||
|
'$PASSWORD',
|
||||||
|
'$REALM',
|
||||||
|
'$DOMAIN',
|
||||||
|
'$PREFIX/ad_dc',
|
||||||
|
smbclient3,
|
||||||
|
configuration])
|
||||||
|
|
||||||
plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH'])
|
plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH'])
|
||||||
|
|
||||||
env="ad_member:local"
|
env="ad_member:local"
|
||||||
|
@ -1,11 +1,13 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# Blackbox tests for kinit and kerberos integration with smbclient etc
|
# Blackbox tests for kinit and kerberos integration with smbclient etc
|
||||||
|
#
|
||||||
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
|
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
|
||||||
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
|
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
|
||||||
|
# Copyright (C) 2022 Andreas Schneider <asn@samba.org>
|
||||||
|
|
||||||
if [ $# -lt 5 ]; then
|
if [ $# -lt 7 ]; then
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLINET
|
Usage: test_pkinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLINET
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -16,60 +18,57 @@ PASSWORD="${3}"
|
|||||||
REALM="${4}"
|
REALM="${4}"
|
||||||
DOMAIN="${5}"
|
DOMAIN="${5}"
|
||||||
PREFIX="${6}"
|
PREFIX="${6}"
|
||||||
smbclient="${8}"
|
smbclient="${7}"
|
||||||
shift 8
|
shift 7
|
||||||
failed=0
|
failed=0
|
||||||
|
|
||||||
samba4bindir="$BINDIR"
|
samba_bindir="${BINDIR}"
|
||||||
samba4srcdir="$SRCDIR/source4"
|
|
||||||
samba4kinit_binary=kinit
|
samba_kinit="$(command -v kinit)"
|
||||||
if test -x $BINDIR/samba4kinit; then
|
if [ -x "${samba_bindir}/samba4kinit" ]; then
|
||||||
samba4kinit_binary=$BINDIR/samba4kinit
|
samba_kinit="${samba_bindir}/samba4kinit"
|
||||||
fi
|
fi
|
||||||
|
samba_tool="${PYTHON} ${samba_bindir}/samba-tool"
|
||||||
|
wbinfo="${samba_bindir}/wbinfo"
|
||||||
|
|
||||||
samba_tool="$samba4bindir/samba-tool"
|
. "$(dirname "$0")"/subunit.sh
|
||||||
wbinfo="$samba4bindir/wbinfo"
|
. "$(dirname "$0")"/common_test_fns.inc
|
||||||
samba4kpasswd=kpasswd
|
|
||||||
if test -x $BINDIR/samba4kpasswd; then
|
|
||||||
samba4passwd=$BINDIR/samba4kpasswd
|
|
||||||
fi
|
|
||||||
|
|
||||||
ldbmodify="ldbmodify"
|
unc="//${SERVER}/tmp"
|
||||||
if [ -x "$samba4bindir/ldbmodify" ]; then
|
|
||||||
ldbmodify="$samba4bindir/ldbmodify"
|
|
||||||
fi
|
|
||||||
|
|
||||||
ldbsearch="ldbsearch"
|
|
||||||
if [ -x "$samba4bindir/ldbsearch" ]; then
|
|
||||||
ldbsearch="$samba4bindir/ldbsearch"
|
|
||||||
fi
|
|
||||||
|
|
||||||
. $(dirname $0)/subunit.sh
|
|
||||||
. $(dirname $0)/common_test_fns.inc
|
|
||||||
|
|
||||||
unc="//$SERVER/tmp"
|
|
||||||
|
|
||||||
KRB5CCNAME_PATH="$PREFIX/tmpccache"
|
KRB5CCNAME_PATH="$PREFIX/tmpccache"
|
||||||
|
rm -f "${KRB5CCNAME_PATH}"
|
||||||
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
|
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
|
||||||
samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
|
|
||||||
export KRB5CCNAME
|
export KRB5CCNAME
|
||||||
rm -f $KRB5CCNAME_PATH
|
|
||||||
PASSFILE_PATH="$PREFIX/tmppassfile"
|
|
||||||
rm -f $PASSFILE_PATH
|
|
||||||
echo $PASSWORD >$PASSFILE_PATH
|
|
||||||
|
|
||||||
USER_PRINCIPAL_NAME=$(echo "${USERNAME}@${REALM}" | tr A-Z a-z)
|
USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"
|
||||||
PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
|
|
||||||
|
|
||||||
# STEP1:
|
kbase="$(basename "${samba_kinit}")"
|
||||||
|
if [ "${kbase}" = "samba4kinit" ]; then
|
||||||
|
# HEIMDAL
|
||||||
|
X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
|
||||||
|
OPTION_RENEWABLE="--renewable"
|
||||||
|
OPTION_RENEW_TICKET="--renew"
|
||||||
|
OPTION_ENTERPRISE_NAME="--enterprise"
|
||||||
|
else
|
||||||
|
# MIT
|
||||||
|
X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
|
||||||
|
OPTION_RENEWABLE="-r 1h"
|
||||||
|
OPTION_RENEW_TICKET="-R"
|
||||||
|
OPTION_ENTERPRISE_NAME="-E"
|
||||||
|
fi
|
||||||
|
OPTION_REQUEST_PAC="--request-pac"
|
||||||
|
|
||||||
|
# STEP0:
|
||||||
# Now we set the UF_SMARTCARD_REQUIRED bit
|
# Now we set the UF_SMARTCARD_REQUIRED bit
|
||||||
# This means we have a normal enabled account *without* a known password
|
# This means we have a normal enabled account *without* a known password
|
||||||
testit "STEP1 samba-tool user create $USERNAME --smartcard-required" \
|
testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \
|
||||||
$PYTHON ${samba_tool} user create $USERNAME --smartcard-required ||
|
"${samba_tool}" user create "${USERNAME}" --smartcard-required ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP1 kinit with password" \
|
testit_expect_failure "STEP1 kinit with password" \
|
||||||
$samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM ||
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
||||||
|
"${OPTION_REQUEST_PAC}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit_expect_failure "STEP1 Test login with NTLM" \
|
testit_expect_failure "STEP1 Test login with NTLM" \
|
||||||
"${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" ||
|
"${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" ||
|
||||||
@ -78,60 +77,72 @@ testit_expect_failure "STEP1 Test wbinfo with password" \
|
|||||||
"${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" ||
|
"${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP1 kinit with pkinit (name specified) " \
|
testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP1 kinit renew ticket (name specified)" \
|
testit "STEP1 kinit renew ticket (name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \
|
test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " \
|
# OK
|
||||||
$samba4kinit --request-pac --renewable $PKUSER not$USERNAME@$REALM ||
|
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \
|
||||||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " \
|
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $SERVER@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${SERVER}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP1 kinit with pkinit (enterprise name specified)" \
|
testit "STEP1 kinit with pkinit (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP1 kinit renew ticket (enterprise name specified)" \
|
testit "STEP1 kinit renew ticket (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \
|
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \
|
||||||
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \
|
||||||
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " \
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM ||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"not${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \
|
||||||
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " \
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM ||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${SERVER}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP1 kinit with pkinit (enterprise name in cert)" \
|
testit "STEP1 kinit with pkinit (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --pk-enterprise ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP1 kinit renew ticket (enterprise name in cert)" \
|
testit "STEP1 kinit renew ticket (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \
|
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \
|
||||||
'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
# STEP2:
|
# STEP2:
|
||||||
# We still have UF_SMARTCARD_REQUIRED, but with a known password
|
# We still have UF_SMARTCARD_REQUIRED, but with a known password
|
||||||
testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" \
|
testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \
|
||||||
$PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD ||
|
"${samba_tool}" user setpassword "${USERNAME}" \
|
||||||
|
--newpassword="${PASSWORD}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP2 kinit with password" \
|
testit_expect_failure "STEP2 kinit with password" \
|
||||||
$samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM ||
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
||||||
|
"${OPTION_REQUEST_PAC}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP2 Test login with NTLM" \
|
test_smbclient "STEP2 Test login with NTLM" \
|
||||||
'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
|
'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
|
||||||
@ -141,43 +152,49 @@ testit_expect_failure "STEP2 Test wbinfo with password" \
|
|||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP2 kinit with pkinit (name specified) " \
|
testit "STEP2 kinit with pkinit (name specified) " \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP2 kinit renew ticket (name specified)" \
|
testit "STEP2 kinit renew ticket (name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \
|
test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP2 kinit with pkinit (enterprise name specified)" \
|
testit "STEP2 kinit with pkinit (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP2 kinit renew ticket (enterprise name specified)" \
|
testit "STEP2 kinit renew ticket (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \
|
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP2 kinit with pkinit (enterprise name in cert)" \
|
testit "STEP2 kinit with pkinit (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --pk-enterprise ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP2 kinit renew ticket (enterprise name in cert)" \
|
testit "STEP2 kinit renew ticket (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \
|
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \
|
||||||
'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
# STEP3:
|
# STEP3:
|
||||||
# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
|
# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
|
||||||
testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" \
|
testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \
|
||||||
$PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD --clear-smartcard-required ||
|
"${samba_tool}" user setpassword "${USERNAME}" \
|
||||||
|
--newpassword="${PASSWORD}" --clear-smartcard-required ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP3 kinit with password" \
|
testit "STEP3 kinit with password" \
|
||||||
$samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM ||
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
||||||
|
"${OPTION_REQUEST_PAC}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP3 Test login with user kerberos ccache" \
|
test_smbclient "STEP3 Test login with user kerberos ccache" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
@ -190,44 +207,49 @@ testit "STEP3 Test wbinfo with password" \
|
|||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP3 kinit with pkinit (name specified) " \
|
testit "STEP3 kinit with pkinit (name specified) " \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP3 kinit renew ticket (name specified)" \
|
testit "STEP3 kinit renew ticket (name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \
|
test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP3 kinit with pkinit (enterprise name specified)" \
|
testit "STEP3 kinit with pkinit (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP3 kinit renew ticket (enterprise name specified)" \
|
testit "STEP3 kinit renew ticket (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \
|
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP3 kinit with pkinit (enterprise name in cert)" \
|
testit "STEP3 kinit with pkinit (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --pk-enterprise ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP3 kinit renew ticket (enterprise name in cert)" \
|
testit "STEP3 kinit renew ticket (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \
|
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \
|
||||||
'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
# STEP4:
|
# STEP4:
|
||||||
# Now we set the UF_SMARTCARD_REQUIRED bit
|
# Now we set the UF_SMARTCARD_REQUIRED bit
|
||||||
# This means we have a normal enabled account *without* a known password
|
# This means we have a normal enabled account *without* a known password
|
||||||
testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \
|
testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \
|
||||||
$PYTHON ${samba_tool} user setpassword $USERNAME --smartcard-required ||
|
"${samba_tool}" user setpassword "${USERNAME}" --smartcard-required ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP4 kinit with password" \
|
testit_expect_failure "STEP4 kinit with password" \
|
||||||
$samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM ||
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
||||||
|
"${OPTION_REQUEST_PAC}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit_expect_failure "STEP4 Test login with NTLM" \
|
testit_expect_failure "STEP4 Test login with NTLM" \
|
||||||
"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
|
"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
|
||||||
@ -236,44 +258,49 @@ testit_expect_failure "STEP4 Test wbinfo with password" \
|
|||||||
"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
|
"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP4 kinit with pkinit (name specified) " \
|
testit "STEP4 kinit with pkinit (name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP4 kinit renew ticket (name specified)" \
|
testit "STEP4 kinit renew ticket (name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \
|
test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP4 kinit with pkinit (enterprise name specified)" \
|
testit "STEP4 kinit with pkinit (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP4 kinit renew ticket (enterprise name specified)" \
|
testit "STEP4 kinit renew ticket (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \
|
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \
|
||||||
'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit "STEP4 kinit with pkinit (enterprise name in cert)" \
|
testit "STEP4 kinit with pkinit (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --pk-enterprise ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit "STEP4 kinit renew ticket (enterprise name in cert)" \
|
testit "STEP4 kinit renew ticket (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac -R ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \
|
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \
|
||||||
'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME ||
|
'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
# STEP5:
|
# STEP5:
|
||||||
# disable the account
|
# disable the account
|
||||||
testit "STEP5 samba-tool user disable $USERNAME" \
|
testit "STEP5 samba-tool user disable $USERNAME" \
|
||||||
$PYTHON ${samba_tool} user disable $USERNAME ||
|
"${samba_tool}" user disable "${USERNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP5 kinit with password" \
|
testit_expect_failure "STEP5 kinit with password" \
|
||||||
$samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM ||
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
||||||
|
"${OPTION_REQUEST_PAC}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit_expect_failure "STEP5 Test login with NTLM" \
|
testit_expect_failure "STEP5 Test login with NTLM" \
|
||||||
"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
|
"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
|
||||||
@ -282,22 +309,25 @@ testit_expect_failure "STEP5 Test wbinfo with password" \
|
|||||||
"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
|
"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
testit_expect_failure "STEP5 kinit with pkinit (name specified) " \
|
testit_expect_failure "STEP5 kinit with pkinit (name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \
|
testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
|
||||||
|
"${USERNAME}@${REALM}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \
|
testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \
|
||||||
$samba4kinit --request-pac --renewable $PKUSER --pk-enterprise ||
|
"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
|
||||||
|
"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
# STEP6:
|
# STEP6:
|
||||||
# cleanup
|
# cleanup
|
||||||
testit "STEP6 samba-tool user delete $USERNAME " \
|
testit "STEP6 samba-tool user delete ${USERNAME}" \
|
||||||
$PYTHON ${samba_tool} user delete $USERNAME ||
|
"${samba_tool}" user delete "${USERNAME}" ||
|
||||||
failed=$((failed + 1))
|
failed=$((failed + 1))
|
||||||
|
|
||||||
rm -f $PASSFILE_PATH
|
rm -f "${KRB5CCNAME_PATH}"
|
||||||
rm -f $KRB5CCNAME_PATH
|
exit ${failed}
|
||||||
exit $failed
|
|
||||||
|
Loading…
Reference in New Issue
Block a user