mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
testprogs: Merge export keytab tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
deb9d1f656
commit
d9a9cb0396
@ -568,18 +568,6 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join
|
||||
plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
|
||||
|
||||
if have_heimdal_support:
|
||||
plantestsuite("samba4.blackbox.export.keytab",
|
||||
"ad_dc:local",
|
||||
[
|
||||
os.path.join(bbdir, "test_export_keytab_heimdal.sh"),
|
||||
'$SERVER',
|
||||
'$USERNAME',
|
||||
'$REALM',
|
||||
'$DOMAIN',
|
||||
"$PREFIX",
|
||||
smbclient3,
|
||||
configuration
|
||||
])
|
||||
plantestsuite("samba4.blackbox.kpasswd",
|
||||
"ad_dc:local",
|
||||
[
|
||||
@ -610,18 +598,6 @@ if have_heimdal_support:
|
||||
configuration
|
||||
])
|
||||
else:
|
||||
plantestsuite("samba4.blackbox.export.keytab",
|
||||
"ad_dc:local",
|
||||
[
|
||||
os.path.join(bbdir, "test_export_keytab_mit.sh"),
|
||||
'$SERVER',
|
||||
'$USERNAME',
|
||||
'$REALM',
|
||||
'$DOMAIN',
|
||||
"$PREFIX",
|
||||
smbclient3,
|
||||
configuration
|
||||
])
|
||||
plantestsuite("samba4.blackbox.kpasswd",
|
||||
"ad_dc:local",
|
||||
[
|
||||
@ -731,6 +707,19 @@ plantestsuite("samba4.blackbox.kinit_trust",
|
||||
configuration
|
||||
])
|
||||
|
||||
plantestsuite("samba4.blackbox.kinit.export.keytab",
|
||||
"ad_dc:local",
|
||||
[
|
||||
os.path.join(bbdir, "test_kinit_export_keytab.sh"),
|
||||
'$SERVER',
|
||||
'$USERNAME',
|
||||
'$REALM',
|
||||
'$DOMAIN',
|
||||
"$PREFIX",
|
||||
smbclient3,
|
||||
configuration
|
||||
])
|
||||
|
||||
plantestsuite("samba4.blackbox.pkinit_simple",
|
||||
"ad_dc:local",
|
||||
[os.path.join(bbdir, "test_pkinit_simple.sh"),
|
||||
|
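Review bot: The suite id changes from `samba4.blackbox.export.keytab` to `samba4.blackbox.kinit.export.keytab` in the new registration, so any knownfail, flapping or skip entries keyed on the old id would silently stop matching. No such entries are visible in this section, so the selftest lists should be checked as part of this change. The new call also appears to sit outside the `if have_heimdal_support:` / `else:` branches (indentation is lost in this rendering), which relies on the script picking the MIT or Heimdal options itself. A short comment above it, such as `# Runs for both MIT and Heimdal; the script detects the kinit flavour`, would make that explicit.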
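--- a/testprogs/blackbox/test_kinit_export_keytab.sh
+++ b/testprogs/blackbox/test_kinit_export_keytab.sh
@@ -0,0 +1,263 @@
+#!/bin/sh
+#
+# Blackbox tests for an exported keytab with kinit
+#
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) Andreas Schneider <asn@cryptomilk.org>
+
+if [ $# -lt 7 ]; then
+cat <<EOF
+Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
+EOF
+exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+REALM=$3
+DOMAIN=$4
+PREFIX=$5
+smbclient=$6
+CONFIGURATION=${7}
+shift 7
+failed=0
+
+. "$(dirname "${0}")/subunit.sh"
+. "$(dirname "${0}")/common_test_fns.inc"
+
+samba_bindir="${BINDIR}"
+samba_tool="$samba_bindir/samba-tool"
+samba_newuser="$samba_tool user create"
+samba_ktutil="${BINDIR}/samba4ktutil"
+
+samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
+
+DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
+SERVER_FQDN="${SERVER}.$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')"
+SMBCLIENT_UNC="//${SERVER}/tmp"
+
+TEST_USER="$(mktemp -u keytabtest-XXXXXX)"
+TEST_PASSWORD=testPaSS@01%
+
+EXPECTED_NKEYS=3
+# MIT
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" != "samba4kinit" ]; then
+krb5_version="$(krb5-config --version | cut -d ' ' -f 4)"
+krb5_major_version="$(echo "${krb5_version}" | awk -F. '{ print $1; }')"
+krb5_minor_version="$(echo "${krb5_version}" | awk -F. '{ print $2; }')"
+
+# MIT Kerberos < 1.18 has support for DES keys
+if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then
+EXPECTED_NKEYS=5
+fi
+fi # MIT
+
+if [ "${kbase}" = "samba4kinit" ]; then
+# HEIMDAL
+OPTION_RENEWABLE="--renewable"
+OPTION_RENEW_TICKET="--renew"
+OPTION_ENTERPRISE_NAME="--enterprise"
+OPTION_CANONICALIZATION=""
+OPTION_WINDOWS="--windows"
+OPTION_SERVICE="-S"
+OPTION_USE_KEYTAB="-k"
+OPTION_KEYTAB_FILENAME="-t"
+
+KEYTAB_GREP="[aes|arcfour]"
+else
+# MIT
+OPTION_RENEWABLE="-r 1h"
+OPTION_RENEW_TICKET="-R"
+OPTION_ENTERPRISE_NAME="-E"
+OPTION_CANONICALIZATION="-C"
+OPTION_WINDOWS=""
+OPTION_SERVICE="-S"
+OPTION_USE_KEYTAB="-k"
+OPTION_KEYTAB_FILENAME="-t"
+
+KEYTAB_GREP="[DES|AES|ArcFour]"
+fi
+
+test_keytab()
+{
+testname="$1"
+keytab="$2"
+principal="$3"
+expected_nkeys="$4"
+
+subunit_start_test "$testname"
+
+if [ ! -r "${keytab}" ]; then
+echo "Could not read keytab: ${keytab}" | \
+subunit_fail_test "${testname}"
+return 1
+fi
+
+output=$($VALGRIND "${samba_ktutil}" "${keytab}" 2>&1)
+status=$?
+if [ ${status} -ne 0 ]; then
+echo "${output}" | subunit_fail_test "${testname}"
+return $status
+fi
+
+NKEYS=$(echo "${output}" | grep -i "${principal}" | \
+grep -c -e "${KEYTAB_GREP}")
+if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then
+echo "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" | \
+subunit_fail_test "${testname}"
+return 1
+fi
+
+subunit_pass_test "${testname}"
+return 0
+}
+
+testit "create local user ${TEST_USER}" \
+"${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "${TEST_PASSWORD}" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-all" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain" \
+"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain (2nd time)" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain (2nd time)" \
+"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain for cifs service principal" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain for cifs service principal" \
+"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
+"${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain for cifs service principal (2nd time)" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"$PREFIX/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain for cifs service principal (2nd time)" \
+"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
+"${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain for user principal" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain for user principal" \
+"${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \
+"${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain for user principal (2nd time)" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-user-princ-2" --principal="${TEST_USER}@${REALM}" \
+"${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain for user principal (2nd time)" \
+"${PREFIX}/tmpkeytab-user-princ-2" "${TEST_USER}@${REALM}" \
+"${EXPECTED_NKEYS}" || \
+failed=$((failed + 1))
+
+testit "dump keytab from domain for user principal with SPN as UPN" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
+"${PREFIX}/tmpkeytab-spn-upn" \
+--principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+test_keytab "read keytab from domain for user principal with SPN as UPN" \
+"${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \
+"${EXPECTED_NKEYS}"
+
+KRB5CCNAME_PATH="${PREFIX}/tmpuserccache"
+KRB5CCNAME="FILE:${PREFIX}/tmpuserccache"
+export KRB5CCNAME
+
+testit "kinit with keytab as user" \
+"${VALGRIND}" "${samba_kinit}" \
+"${OPTION_USE_KEYTAB}" \
+"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
+"${TEST_USER}@${REALM}" || \
+failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache" \
+"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+failed=$((failed + 1))
+
+testit "kinit with keytab as user (one princ)" \
+"${VALGRIND}" "$samba_kinit" \
+"${OPTION_USE_KEYTAB}" \
+"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \
+"${TEST_USER}@$REALM" || \
+failed=$((failed + 1))
+
+test_smbclient "Test login with user kerberos ccache (one princ)" \
+"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
+failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+KRB5CCNAME_PATH="${PREFIX}/tmpadminccache"
+KRB5CCNAME="FILE:${PREFIX}/tmpadminccache"
+export KRB5CCNAME
+
+testit "kinit with keytab as ${USERNAME}" \
+"${VALGRIND}" "${samba_kinit}" \
+"${OPTION_USE_KEYTAB}" \
+"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
+"${USERNAME}@${REALM}" || \
+failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+
+KRB5CCNAME_PATH="${PREFIX}/tmpserverccache"
+KRB5CCNAME="FILE:${PREFIX}/tmpserverccache"
+export KRB5CCNAME
+
+testit "kinit with SPN from keytab" \
+"${VALGRIND}" "${samba_kinit}" \
+"${OPTION_USE_KEYTAB}" \
+"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \
+"http/testupnspn.${DNSDOMAIN}" || \
+failed=$((failed + 1))
+
+# cleanup
+testit "delete user ${TEST_USER}" \
+"${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \
+--use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" || \
+failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+rm -f "${PREFIX}/tmpadminccache" \
+"${PREFIX}/tmpuserccache" \
+"${PREFIX}/tmpkeytab" \
+"${PREFIX}/tmpkeytab-user-princ" \
+"${PREFIX}/tmpkeytab-user-princ-2" \
+"${PREFIX}/tmpkeytab-server" \
+"${PREFIX}/tmpkeytab-spn-upn" \
+"${PREFIX}/tmpkeytab-all"
+
+exit $failed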
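Review bot: `KEYTAB_GREP="[aes|arcfour]"` and `KEYTAB_GREP="[DES|AES|ArcFour]"` are bracket expressions, so `grep -c -e "${KEYTAB_GREP}"` in test_keytab matches any line containing one of those single characters and the key count does not depend on the encryption type at all. If the intent is to count only AES/ArcFour entries (plus DES on MIT < 1.18), use an alternation, e.g. `KEYTAB_GREP="aes|arcfour"` with `grep -c -E -e "${KEYTAB_GREP}"`, and recheck EXPECTED_NKEYS against the actual samba4ktutil output. Separately, the last test_keytab call ("read keytab from domain for user principal with SPN as UPN") is the only one without `|| failed=$((failed + 1))`, so its failure is not reflected in the script's exit status. The usage text also still names `test_extract_keytab.sh` rather than this script.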