mirror of
https://github.com/samba-team/samba.git
synced 2025-01-06 13:18:07 +03:00
3ea605d8af
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
595 lines
18 KiB
Bash
Executable File
595 lines
18 KiB
Bash
Executable File
#!/bin/sh
|
|
# Blackbox tests for kinit and kerberos integration with smbclient etc
|
|
# Copyright (c) Andreas Schneider <asn@samba.org>
|
|
# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
|
|
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
|
|
|
|
if [ $# -lt 8 ]; then
|
|
cat <<EOF
|
|
Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
|
|
EOF
|
|
exit 1
|
|
fi
|
|
|
|
SERVER=$1
|
|
USERNAME=$2
|
|
PASSWORD=$3
|
|
REALM=$4
|
|
DOMAIN=$5
|
|
PREFIX=$6
|
|
smbclient=$7
|
|
CONFIGURATION="${8}"
|
|
shift 8
|
|
failed=0
|
|
|
|
. "$(dirname "${0}")/subunit.sh"
|
|
. "$(dirname "${0}")/common_test_fns.inc"
|
|
|
|
samba_bindir="$BINDIR"
|
|
samba_srcdir="$SRCDIR/source4"
|
|
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
|
|
samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd)
|
|
samba_kvno=$(system_or_builddir_binary kvno "${BINDIR}" samba4kvno)
|
|
|
|
samba_tool="${samba_bindir}/samba-tool"
|
|
samba_texpect="${samba_bindir}/texpect"
|
|
|
|
samba_enableaccount="${samba_tool} user enable"
|
|
machineaccountccache="${samba_srcdir}/scripting/bin/machineaccountccache"
|
|
|
|
ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
|
|
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
|
|
|
|
kbase="$(basename "${samba_kinit}")"
|
|
if [ "${kbase}" = "samba4kinit" ]; then
|
|
# HEIMDAL
|
|
OPTION_RENEWABLE="--renewable"
|
|
OPTION_RENEW_TICKET="--renew"
|
|
OPTION_ENTERPRISE_NAME="--enterprise"
|
|
OPTION_CANONICALIZATION=""
|
|
OPTION_WINDOWS="--windows"
|
|
OPTION_SERVICE="-S"
|
|
else
|
|
# MIT
|
|
OPTION_RENEWABLE="-r 1h"
|
|
OPTION_RENEW_TICKET="-R"
|
|
OPTION_ENTERPRISE_NAME="-E"
|
|
OPTION_CANONICALIZATION="-C"
|
|
OPTION_WINDOWS=""
|
|
OPTION_SERVICE="-S"
|
|
fi
|
|
|
|
TEST_USER="$(mktemp -u kinittest-XXXXXX)"
|
|
UNC="//${SERVER}/tmp"
|
|
|
|
ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}"
|
|
export ADMIN_LDBMODIFY_CONFIG
|
|
|
|
KRB5CCNAME_PATH="${PREFIX}/tmpccache"
|
|
EXPLICIT_KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
|
|
|
|
INVALID_KRB5CCNAME_PATH="${KRB5CCNAME_PATH}.invalid"
|
|
INVALID_KRB5CCNAME="FILE:${INVALID_KRB5CCNAME_PATH}"
|
|
rm -rf "${INVALID_KRB5CCNAME_PATH}"
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "reset password policies beside of minimum password age of 0 days" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
|
|
"${ADMIN_LDBMODIFY_CONFIG}" \
|
|
--complexity=default \
|
|
--history-length=default \
|
|
--min-pwd-length=default \
|
|
--min-pwd-age=0 \
|
|
--max-pwd-age=default || \
|
|
failed=$((failed + 1))
|
|
|
|
###########################################################
|
|
### Test kinit defaults
|
|
###########################################################
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with password (initial)" \
|
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
|
|
"${OPTION_RENEWABLE}" || \
|
|
failed=$((failed + 1))
|
|
|
|
KRB5CCNAME=${INVALID_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
|
|
test_smbclient "Test login with user kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
|
|
testit "kinit renew ticket (initial)" \
|
|
"${samba_kinit}" ${OPTION_RENEW_TICKET} || \
|
|
failed=$((failed + 1))
|
|
|
|
KRB5CCNAME=${INVALID_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
|
|
test_smbclient "Test login with kerberos ccache (initial)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test kinit with enterprise principal
|
|
###########################################################
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with password (enterprise style)" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"${USERNAME}@${REALM}" "${PASSWORD}" "${OPTION_ENTERPRISE_NAME}" \
|
|
"${OPTION_RENEWABLE}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache (enterprise style)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "kinit renew ticket (enterprise style)" \
|
|
"${samba_kinit}" ${OPTION_RENEW_TICKET} || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with kerberos ccache (enterprise style)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Tests with kinit windows
|
|
###########################################################
|
|
|
|
# HEIMDAL ONLY
|
|
if [ "${kbase}" = "samba4kinit" ]; then
|
|
testit "kinit with password (windows style)" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"${USERNAME}@${REALM}" "${PASSWORD}" \
|
|
"${OPTION_RENEWABLE}" "${OPTION_WINDOWS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with kerberos ccache (windows style)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "kinit renew ticket (windows style)" \
|
|
"${samba_kinit}" ${OPTION_RENEW_TICKET} || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with kerberos ccache (windows style)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
fi # HEIMDAL ONLY
|
|
|
|
###########################################################
|
|
### Tests with kinit default again
|
|
###########################################################
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with password (default)" \
|
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
|
|
failed=$((failed + 1))
|
|
|
|
KRB5CCNAME=${INVALID_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
|
|
testit "check time with kerberos ccache (default)" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" time "${SERVER}" \
|
|
"${CONFIGURATION}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
USERPASS="testPass@12%"
|
|
|
|
testit "add user with kerberos ccache" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" user create \
|
|
"${TEST_USER}" "${USERPASS}" \
|
|
"${CONFIGURATION}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
echo "Getting defaultNamingContext"
|
|
BASEDN=$(${ldbsearch} --basedn='' -H "ldap://${SERVER}" --scope=base \
|
|
DUMMY=x defaultNamingContext | awk '/defaultNamingContext/ {print $2}')
|
|
|
|
|
|
TEST_UPN="$(mktemp -u test-XXXXXX)@${REALM}"
|
|
cat >"${PREFIX}/tmpldbmodify" <<EOF
|
|
dn: cn=${TEST_USER},cn=users,${BASEDN}
|
|
changetype: modify
|
|
add: servicePrincipalName
|
|
servicePrincipalName: host/${TEST_USER}
|
|
replace: userPrincipalName
|
|
userPrincipalName: ${TEST_UPN}
|
|
EOF
|
|
|
|
testit "modify servicePrincipalName and userPrincpalName" \
|
|
"${VALGRIND}" "${ldbmodify}" -H "ldap://${SERVER}" "${PREFIX}/tmpldbmodify" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "set user password with kerberos ccache" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" \
|
|
--newpassword="${USERPASS}" "${CONFIGURATION}" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "enable user with kerberos cache" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_enableaccount}" "${TEST_USER}" \
|
|
-H "ldap://$SERVER" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
|
|
export KRB5CCNAME
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with new user password" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_USER}" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with new user kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test kinit after changing password with samba-tool
|
|
###########################################################
|
|
|
|
NEW_USERPASS="testPaSS@34%"
|
|
testit "change user password with 'samba-tool user password' (rpc)" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" user password \
|
|
-W"${DOMAIN}" -U"${TEST_USER}%${USERPASS}" "${CONFIGURATION}" \
|
|
--newpassword="${NEW_USERPASS}" \
|
|
--use-kerberos=off "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "kinit with user password (after rpc password change)" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"${TEST_USER}@${REALM}" "${NEW_USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos (after rpc password change)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
USERPASS="${NEW_USERPASS}"
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test kinit with UPN
|
|
###########################################################
|
|
|
|
testit "kinit with new (NT-Principal style) using UPN" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache from NT UPN" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with new (enterprise style) using UPN" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
|
|
${OPTION_ENTERPRISE_NAME} || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
# HEIMDAL ONLY
|
|
if [ "${kbase}" = "samba4kinit" ]; then
|
|
testit "kinit with new (windows style) using UPN" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
|
|
${OPTION_WINDOWS} || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache with (windows style) UPN" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
fi # HEIMDAL ONLY
|
|
|
|
###########################################################
|
|
### Tests with SPN
|
|
###########################################################
|
|
|
|
DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
|
|
testit "kinit with password (SPN)" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"http/testupnspn.${DNSDOMAIN}" "${PASSWORD}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with kerberos ccache (SPN)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test kinit with canonicalization
|
|
###########################################################
|
|
|
|
upperusername=$(echo "${USERNAME}" | tr '[:lower:]' '[:upper:]')
|
|
testit "kinit with canonicalize and service" \
|
|
kerberos_kinit "${samba_kinit}" "${upperusername}@${REALM}" "${PASSWORD}" \
|
|
${OPTION_CANONICALIZATION} \
|
|
${OPTION_SERVICE} "kadmin/changepw@${REALM}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test kinit with user credentials and changed realm
|
|
###########################################################
|
|
|
|
testit "kinit with password (default)" \
|
|
kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
|
|
failed=$((failed + 1))
|
|
|
|
cat >"${PREFIX}/tmpldbmodify" <<EOF
|
|
dn: cn=${TEST_USER},cn=users,$BASEDN
|
|
changetype: modify
|
|
replace: userPrincipalName
|
|
userPrincipalName: ${TEST_UPN}.org
|
|
EOF
|
|
|
|
testit "modify userPrincipalName to be a different domain" \
|
|
"${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
|
|
"${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "kinit with new (enterprise style) using UPN" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_UPN}.org" "${USERPASS}" \
|
|
${OPTION_ENTERPRISE_NAME} || failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
|
|
"ls" "${UNC}" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### Test password change with kpasswd
|
|
###########################################################
|
|
|
|
testit "kinit with user password" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_USER}@$REALM" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
NEWUSERPASS=testPaSS@56%
|
|
|
|
if [ "${kbase}" = "samba4kinit" ]; then
|
|
# HEIMDAL
|
|
cat >"${PREFIX}/tmpkpasswdscript" <<EOF
|
|
expect Password
|
|
password ${USERPASS}\n
|
|
expect New password
|
|
send ${NEWUSERPASS}\n
|
|
expect Verify password
|
|
send ${NEWUSERPASS}\n
|
|
expect Success
|
|
EOF
|
|
|
|
else
|
|
# MIT
|
|
cat >"${PREFIX}/tmpkpasswdscript" <<EOF
|
|
expect Password for
|
|
password ${USERPASS}\n
|
|
expect Enter new password
|
|
send ${NEWUSERPASS}\n
|
|
expect Enter it again
|
|
send ${NEWUSERPASS}\n
|
|
expect Password changed
|
|
EOF
|
|
fi
|
|
|
|
testit "change user password with kpasswd" \
|
|
"${samba_texpect}" "${PREFIX}/tmpkpasswdscript" \
|
|
"${samba_kpasswd}" "${TEST_USER}@$REALM" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
USERPASS="${NEWUSERPASS}"
|
|
|
|
testit "kinit with user password (after kpasswd)" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"${TEST_USER}@${REALM}" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache (after kpasswd)" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
###########################################################
|
|
### TODO Test set password with kpasswd
|
|
###########################################################
|
|
|
|
# This is not implemented in kpasswd
|
|
|
|
###########################################################
|
|
### Test password expiry
|
|
###########################################################
|
|
|
|
cat >"${PREFIX}/tmpldbmodify" <<EOF
|
|
dn: cn=${TEST_USER},cn=users,${BASEDN}
|
|
changetype: modify
|
|
replace: pwdLastSet
|
|
pwdLastSet: 0
|
|
EOF
|
|
|
|
NEWUSERPASS=testPaSS@78%
|
|
|
|
testit "modify pwdLastSet" \
|
|
"${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
|
|
"${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
if [ "${kbase}" = "samba4kinit" ]; then
|
|
# HEIMDAL branch
|
|
cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
|
|
expect ${TEST_USER}@$REALM's Password
|
|
send ${USERPASS}\n
|
|
expect Password has expired
|
|
expect New password
|
|
send ${NEWUSERPASS}\n
|
|
expect Repeat new password
|
|
send ${NEWUSERPASS}\n
|
|
EOF
|
|
else
|
|
# MIT branch
|
|
cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
|
|
expect Password for
|
|
send ${USERPASS}\n
|
|
expect Password expired. You must change it now.
|
|
expect Enter new password
|
|
send ${NEWUSERPASS}\n
|
|
expect Enter it again
|
|
send ${NEWUSERPASS}\n
|
|
EOF
|
|
|
|
fi # END MIT ONLY
|
|
|
|
testit "kinit with user password for expired password" \
|
|
"${samba_texpect}" "$PREFIX/tmpkinituserpassscript" \
|
|
"${samba_kinit}" "${TEST_USER}@$REALM" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
USERPASS="${NEWUSERPASS}"
|
|
|
|
testit "kinit with user password" \
|
|
kerberos_kinit "${samba_kinit}" \
|
|
"${TEST_USER}@${REALM}" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
###########################################################
|
|
### Test login with lowercase realm
|
|
###########################################################
|
|
|
|
KRB5CCNAME="${EXPLICIT_KRB5CCNAME}"
|
|
export KRB5CCNAME
|
|
|
|
rm -rf "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with user password" \
|
|
kerberos_kinit "${samba_kinit}" "${TEST_USER}@${REALM}" "${USERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
lowerrealm=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
|
|
test_smbclient "Test login with user kerberos lowercase realm" \
|
|
"ls" "${UNC}" --use-kerberos=required \
|
|
-U"${TEST_USER}@${lowerrealm}%${NEWUSERPASS}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test login with user kerberos lowercase realm 2" \
|
|
"ls" "${UNC}" --use-kerberos=required \
|
|
-U"${TEST_USER}@${REALM}%${NEWUSERPASS}" --realm="${lowerrealm}" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "del user with kerberos ccache" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete \
|
|
"${TEST_USER}" "${CONFIGURATION}" \
|
|
--use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
|
|
failed=$((failed + 1))
|
|
|
|
###########################################################
|
|
### Test login with machine account
|
|
###########################################################
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
|
|
testit "kinit with machineaccountccache script" \
|
|
"${PYTHON}" "${machineaccountccache}" "${CONFIGURATION}" \
|
|
"${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
test_smbclient "Test machine account login with kerberos ccache" \
|
|
"ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
testit "reset password policies" \
|
|
"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
|
|
"${ADMIN_LDBMODIFY_CONFIG}" \
|
|
--complexity=default \
|
|
--history-length=default \
|
|
--min-pwd-length=default \
|
|
--min-pwd-age=default \
|
|
--max-pwd-age=default || \
|
|
failed=$((failed + 1))
|
|
|
|
###########################################################
|
|
### Test basic s4u2self request
|
|
###########################################################
|
|
|
|
# MIT ONLY
|
|
if [ "${kbase}" = "kinit" ]; then
|
|
|
|
# Use previous acquired machine creds to request a ticket for self.
|
|
# We expect it to fail for now.
|
|
MACHINE_ACCOUNT="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${REALM}"
|
|
|
|
${samba_kvno} -U"${MACHINE_ACCOUNT}" "${MACHINE_ACCOUNT}"
|
|
|
|
# But we expect the KDC to be up and running still
|
|
testit "kinit with machineaccountccache after s4u2self" \
|
|
"${machineaccountccache}" "${CONFIGURATION}" "${EXPLICIT_KRB5CCNAME}" || \
|
|
failed=$((failed + 1))
|
|
|
|
fi # END MIT ONLY
|
|
|
|
testit_expect_failure \
|
|
"Check INVALID_KRB5CCNAME_PATH[${INVALID_KRB5CCNAME_PATH}] was not created" \
|
|
test -e "${INVALID_KRB5CCNAME_PATH}" || \
|
|
failed=$((failed + 1))
|
|
|
|
### Cleanup
|
|
|
|
rm -f "${KRB5CCNAME_PATH}"
|
|
rm -f "${PREFIX}/tmpkinituserpassscript"
|
|
rm -f "${PREFIX}/tmpkinitscript"
|
|
rm -f "${PREFIX}/tmpkpasswdscript"
|
|
|
|
exit $failed
|