3 Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
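# Random NetBIOS name for the client being joined: the first 10 hex chars of
# a sha1 over 32 urandom bytes (presumably so parallel runs get distinct
# machine accounts).
HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10)

# Private copy of the client config tree. WORKDIR is reduced to its basename
# because the rest of the script addresses it as $BASEDIR/$WORKDIR.
WORKDIR=$(mktemp -d -p .)
WORKDIR=$(basename "$WORKDIR")
cp -a client/* "$WORKDIR"/
# Re-point every "dir = .../client/" style setting at the copy and give the
# copy its own netbios name.
sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" "$WORKDIR/client.conf"
sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" "$WORKDIR/client.conf"
# Start without a secrets database so nothing copied from the template
# (e.g. an old machine password) influences this run.
rm -f "$WORKDIR/private/secrets.tdb"

# net invocation shared by every test below. Kept as a plain string on
# purpose: each call site expands $net_tool unquoted so it splits into the
# binary plus its options.
net_tool="$BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads"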
30 if [ -x "$BINDIR/ldbsearch" ]; then
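# Prefer the ldbsearch built next to net when BINDIR ships one.
ldbsearch="$BINDIR/ldbsearch"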
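# testit / testit_expect_failure and the subunit reporting come from the
# helper that lives next to this script.
. "$(dirname "$0")"/subunit.sh

# NOTE: -U user%password puts the DC password on net's command line, where
# any local user can read it from the process list while net runs. That is
# tolerable only inside a self-contained test environment; do not copy the
# pattern into anything that handles real credentials.
# $VALGRIND and $net_tool are deliberately unquoted: net_tool is a
# multi-word command string and VALGRIND is presumably empty or a wrapper.
testit "join" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=$((failed + 1))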
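# netbios name as written into the client.conf copy, surrounding whitespace
# trimmed by awk.
netbios=$(grep "netbios name" "$BASEDIR/$WORKDIR/client.conf" | cut -f2 -d= | awk '{$1=$1};1')

testit "test setspn list $netbios" $VALGRIND $net_tool ads setspn list "$netbios" "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

# $spn is expected to already hold a deliberately malformed SPN here
# (assigned earlier, not in this section); the parser must reject it.
testit_expect_failure "test setspn add illegal windows spn ($spn)" $VALGRIND $net_tool ads setspn add "$spn" "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

spn="foo/somehost.domain.com"
testit "test setspn add ($spn)" $VALGRIND $net_tool ads setspn add "$spn" "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

# grep -F: the SPN contains dots, which as a regex would match any
# character and could count unrelated entries.
found=$($net_tool ads setspn list "-U$DC_USERNAME%$DC_PASSWORD" | grep -F -- "$spn" | wc -l)
testit "test setspn list shows the newly added spn ($spn)" test "$found" -eq 1 || failed=$((failed + 1))

# The server is expected to treat SPNs case-insensitively: the upper-cased
# form must be rejected as a duplicate, and deleting the original must
# still work afterwards.
up_spn=$(printf '%s\n' "$spn" | tr '[:lower:]' '[:upper:]')
testit_expect_failure "test setspn add existing (case-insensitive) spn ($spn)" $VALGRIND $net_tool ads setspn add "$up_spn" "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit "test setspn delete existing (case-insensitive) ($spn)" $VALGRIND $net_tool ads setspn delete "$spn" "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

found=$($net_tool ads setspn list "-U$DC_USERNAME%$DC_PASSWORD" | grep -F -- "$spn" | wc -l)
testit "test setspn list shows the newly deleted spn ($spn) is gone" test "$found" -eq 0 || failed=$((failed + 1))

testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=$((failed + 1))
testit "leave" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))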
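# Test with kerberos method = secrets and keytab
# Same join/testjoin cycle as above, but with kerberosmethod=dedicatedkeytab
# and an explicit keytab file under PREFIX_ABS.
dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
testit "join (dedicated keytab)" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=$((failed + 1))

# Name forms used to build the principals expected in the keytab below:
# the netbios name as configured, its upper-cased form, and a host FQDN
# built from the lower-cased realm. REALM is expected from the environment.
netbios=$(grep "netbios name" "$BASEDIR/$WORKDIR/client.conf" | cut -f2 -d= | awk '{$1=$1};1')
uc_netbios=$(printf '%s\n' "$netbios" | tr '[:lower:]' '[:upper:]')
lc_realm=$(printf '%s\n' "$REALM" | tr '[:upper:]' '[:lower:]')
fqdns="$netbios.$lc_realm"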
77 testit
"test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add
$krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed
=`expr $failed + 1`
79 found
=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l`
81 testit
"test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed
=`expr $failed + 1`
83 machinename
="machine123"
84 testit
"test (dedicated keytab) add a kerberos prinicple created from machinename to keytab" $VALGRIND $net_tool ads keytab add
$machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed
=`expr $failed + 1`
85 search_str
="$machinename\$@$REALM"
86 found
=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
87 testit
"test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed
=`expr $failed + 1`
90 testit
"test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add
$service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed
=`expr $failed + 1`
92 search_str
="$service/$fqdns@$REALM"
93 found
=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
94 testit
"test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed
=`expr $failed + 1`
96 search_str
="$service/$uc_netbios@$REALM"
97 found
=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
98 testit
"test (dedicated keytab) at least one (shorter form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed
=`expr $failed + 1`
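spn_service="random_srv"
spn_host="somehost.subdomain.domain"

# Windows-style SPN without a port: expected in the keytab as
# service/host@REALM.
windows_spn="$spn_service/$spn_host"
testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add "$windows_spn" "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

# grep -F: the host part contains dots that must match literally.
search_str="$spn_service/$spn_host@$REALM"
found=$($net_tool ads keytab list "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep -F -- "$search_str" | wc -l)
testit "test (dedicated keytab) at least one krb5 principal created from windown SPN added is present in keytab" test "$found" -gt 1 || failed=$((failed + 1))

# Same SPN with a port. $spn_port is expected to be assigned earlier (not in
# this section). The test expects the port to be dropped from the resulting
# principal, which is why the search string below has no port.
windows_spn="$spn_service/$spn_host:$spn_port"
testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add "$windows_spn" "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

search_str="$spn_service/$spn_host@$REALM"
found=$($net_tool ads keytab list "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep -F -- "$search_str" | wc -l)
testit "test (dedicated keytab) at least one krb5 principal created from windown SPN (with port) added is present in keytab" test "$found" -gt 1 || failed=$((failed + 1))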
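# keytab add shouldn't have written spn to AD
# $service is the bare service name added to the keytab earlier; a plain
# 'keytab add' must not have registered it as an SPN on the AD side.
found=$($net_tool ads setspn list "-U$DC_USERNAME%$DC_PASSWORD" | grep -F -- "$service" | wc -l)
testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test "$found" -eq 0 || failed=$((failed + 1))

# 'keytab add_update_ads' is expected to register the SPN in AD as well;
# the test wants exactly two matching entries there (presumably the long
# and the short form).
ad_service="writetoad"
testit "test (dedicated keytab) add a $ad_service service to keytab (using add_update_ads" $VALGRIND $net_tool ads keytab add_update_ads "$ad_service" "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

found=$($net_tool ads setspn list "-U$DC_USERNAME%$DC_PASSWORD" | grep -F -- "$ad_service" | wc -l)
testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads)" test "$found" -eq 2 || failed=$((failed + 1))

# test existence in keytab of service (previously added) pulled from SPN post
# 'keytab create' is now present in keytab file
testit "test (dedicated keytab) keytab created succeeds" $VALGRIND $net_tool ads keytab create "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

found=$($net_tool ads keytab list "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep -F -- "$ad_service" | wc -l)
testit "test (dedicated keytab) spn service that exists in AD (created via add_update_ads) is added to keytab file" test "$found" -gt 1 || failed=$((failed + 1))

found_ad=$($net_tool ads setspn list "-U$DC_USERNAME%$DC_PASSWORD" | grep -F -- "$service" | wc -l)
found_keytab=$($net_tool ads keytab list "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep -F -- "$service" | wc -l)
# test after create that a spn that exists in the keytab but shouldn't
# be written to the AD.
# Both halves are checked in one testit so the reported test name stays the
# same; 'test ... -a ...' is obsolescent in POSIX but unambiguous here
# because every operand is a number.
testit "test spn service doensn't exist in AD but is present in keytab file after keytab create" test "$found_ad" -eq 0 -a "$found_keytab" -gt 1 || failed=$((failed + 1))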
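# SPN parser is very basic but does detect some illegal combination
# A trailing ':' (port separator without a port) and a trailing '/' must
# both be rejected, so a parse failure is the passing outcome here.
windows_spn="$spn_service/$spn_host:"
testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add "$windows_spn" "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

windows_spn="$spn_service/$spn_host/"
testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add "$windows_spn" "-U$DC_USERNAME%$DC_PASSWORD" --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))

testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=$((failed + 1))
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))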
153 # if there is no keytab, try and create it
154 if [ ! -f $dedicated_keytab_file ]; then
155 if [ $
(command -v ktutil
) >/dev
/null
]; then
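# Build the ktutil script with a fixed format and pass every value as a %s
# argument: the password is data, never part of the format string, so a
# '%' or backslash in it cannot corrupt the commands fed to ktutil.
# rc4-hmac is a legacy enctype; it is left unchanged here so the fixture's
# contents stay the same as before.
printf 'addent -password -p %s@%s -k 1 -e rc4-hmac\n%s\nwkt %s\n' "$DC_USERNAME" "$REALM" "$DC_PASSWORD" "$dedicated_keytab_file" | ktutil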
160 if [ -f $dedicated_keytab_file ]; then
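# The keytab must be listable both ways: selected through smb.conf-style
# options and given as a path directly on the command line.
testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=$((failed + 1))
testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list "$dedicated_keytab_file" || failed=$((failed + 1))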
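rm -f "$dedicated_keytab_file"

# Not joined any more at this point: testjoin must fail before and after the
# kerberos-authenticated join/leave pair.
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=$((failed + 1))
testit "join+kerberos" $VALGRIND $net_tool ads join "-kU$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=$((failed + 1))
testit "leave+kerberos" $VALGRIND $net_tool ads leave "-kU$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=$((failed + 1))

# Explicit server selection with -S.
testit "join+server" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" "-S$DC_SERVER" || failed=$((failed + 1))
testit "leave+server" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" "-S$DC_SERVER" || failed=$((failed + 1))

# NOTE(review): the two invalid-server checks count a failure with
# '&& failed=...' while every other testit_expect_failure in this file uses
# '|| failed=...'. Only one of the two can be right for a given return
# convention of testit_expect_failure (defined in subunit.sh); confirm there
# before changing either. Left as found.
testit_expect_failure "join+invalid_server" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" -SINVALID && failed=$((failed + 1))
testit "join+server" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit_expect_failure "leave+invalid_server" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" -SINVALID && failed=$((failed + 1))

testit "testjoin user+password" $VALGRIND $net_tool ads testjoin "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

# --keep-account leaves the machine account behind in AD; read it back over
# LDAP to prove it. SERVER and REALM are expected from the environment, and
# the Computers container DN is hard-coded for the test domain.
testit "leave+keep_account" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" --keep-account || failed=$((failed + 1))
computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com"
testit "ldb check for existence of machine account" $ldbsearch "-U$DC_USERNAME%$DC_PASSWORD" -H "ldap://$SERVER.$REALM" -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=$((failed + 1))

# Join again over the kept account, then leave for good.
testit "join" $VALGRIND $net_tool ads join "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))
testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=$((failed + 1))
testit "leave" $VALGRIND $net_tool ads leave "-U$DC_USERNAME%$DC_PASSWORD" || failed=$((failed + 1))

# ${VAR:?} aborts if either part is unset or empty, so this can never
# degrade into removing "/" or all of $BASEDIR.
rm -rf "${BASEDIR:?}/${WORKDIR:?}"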