1 #!/bin/sh
3 # Blackbox tests for an exported keytab with kinit
5 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
6 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
7 # Copyright (C) Andreas Schneider <asn@cryptomilk.org>
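# Seven fixed positional parameters are required; whatever follows them is
# forwarded verbatim ("$@") to every samba-tool call further down.
# The usage line names the script via $0 instead of a hard-coded file name,
# which had drifted from the actual script name.
if [ $# -lt 7 ]; then
	cat <<EOF
Usage: ${0##*/} SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
EOF
	exit 1
fi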
# Bind the fixed positional parameters, then drop them so that "$@" holds
# only the extra arguments that are passed through to samba-tool.
SERVER="$1"
USERNAME="$2"
REALM="$3"
DOMAIN="$4"
PREFIX="$5"
smbclient="$6"
CONFIGURATION="$7"
shift 7

# Count of failed sub-tests; it becomes the exit status of the script.
failed=0
26 . "$(dirname "${0}")/subunit.sh"
27 . "$(dirname "${0}")/common_test_fns.inc"
# Binaries under test; BINDIR comes from the test environment.
samba_bindir="${BINDIR}"
samba_tool="${samba_bindir}/samba-tool"
samba_newuser="${samba_tool} user create"
samba_ktutil="${samba_bindir}/samba4ktutil"

# Resolved by common_test_fns.inc; presumably a system kinit when one is
# installed, otherwise the samba4kinit build in BINDIR — see that file.
samba_kinit="$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)"
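# The DNS domain is the realm lower-cased (POSIX tr, usable under /bin/sh).
DNSDOMAIN=$(printf '%s\n' "${REALM}" | tr '[:upper:]' '[:lower:]')
# Built from DNSDOMAIN rather than lower-casing REALM a second time, so the
# two values cannot drift apart.
SERVER_FQDN="${SERVER}.${DNSDOMAIN}"
SMBCLIENT_UNC="//${SERVER}/tmp"

# Throw-away account for this run.  mktemp -u only generates a unique name;
# no file is created.  The password is a test fixture, not a secret.
TEST_USER="$(mktemp -u keytabtest-XXXXXX)"
TEST_PASSWORD='testPaSS@01%'

# Keys expected per principal in an exported keytab (Heimdal, MIT >= 1.18);
# the MIT < 1.18 check below raises it.
EXPECTED_NKEYS=3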
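# Any kinit other than Samba's own Heimdal build is treated as MIT Kerberos.
kbase="$(basename "${samba_kinit}")"
if [ "${kbase}" != "samba4kinit" ]; then
	# krb5-config --version prints something like "Kerberos 5 release 1.20.1";
	# the fourth space-separated field is the version.  Only query it when
	# the tool exists, so a missing krb5-config does not feed empty strings
	# into the integer comparisons below.
	if command -v krb5-config >/dev/null 2>&1; then
		krb5_version="$(krb5-config --version | cut -d ' ' -f 4)"
		krb5_major_version="$(printf '%s\n' "${krb5_version}" | awk -F. '{ print $1; }')"
		krb5_minor_version="$(printf '%s\n' "${krb5_version}" | awk -F. '{ print $2; }')"

		# MIT Kerberos < 1.18 still has DES key support, so every principal
		# carries two more keytab entries than on newer releases.
		if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then
			EXPECTED_NKEYS=5
		fi
	fi
fi # MIT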
# kinit's command-line flags differ between Heimdal (samba4kinit) and MIT.
# The rest of the script only ever refers to them through these variables.
#
# NOTE(review): both KEYTAB_GREP values are bracket expressions, so grep
# matches any single listed character rather than the enctype names as
# alternatives.  They are kept verbatim because test_keytab's expected key
# counts were established against exactly this pattern.
case "${kbase}" in
samba4kinit)
	# HEIMDAL
	OPTION_RENEWABLE="--renewable"
	OPTION_RENEW_TICKET="--renew"
	OPTION_ENTERPRISE_NAME="--enterprise"
	OPTION_CANONICALIZATION=""
	OPTION_WINDOWS="--windows"
	OPTION_SERVICE="-S"
	OPTION_USE_KEYTAB="-k"
	OPTION_KEYTAB_FILENAME="-t"

	KEYTAB_GREP="[aes|arcfour]"
	;;
*)
	# MIT
	OPTION_RENEWABLE="-r 1h"
	OPTION_RENEW_TICKET="-R"
	OPTION_ENTERPRISE_NAME="-E"
	OPTION_CANONICALIZATION="-C"
	OPTION_WINDOWS=""
	OPTION_SERVICE="-S"
	OPTION_USE_KEYTAB="-k"
	OPTION_KEYTAB_FILENAME="-t"

	KEYTAB_GREP="[DES|AES|ArcFour]"
	;;
esac
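#######################################
# Check that a keytab is readable and lists the expected number of keys for
# one principal, reporting the result through subunit.
# Globals:   VALGRIND, samba_ktutil, KEYTAB_GREP (read);
#            testname, keytab, principal, expected_nkeys, output, status,
#            NKEYS (assigned; POSIX sh has no 'local')
# Arguments: $1 - subunit test name
#            $2 - path of the keytab to inspect
#            $3 - principal, used as a case-insensitive grep pattern
#            $4 - number of matching key entries expected
# Returns:   0 on success; samba4ktutil's exit status if it fails;
#            1 if the keytab is unreadable or the key count differs
#######################################
test_keytab()
{
	testname="$1"
	keytab="$2"
	principal="$3"
	expected_nkeys="$4"

	subunit_start_test "${testname}"

	if [ ! -r "${keytab}" ]; then
		printf '%s\n' "Could not read keytab: ${keytab}" |
			subunit_fail_test "${testname}"
		return 1
	fi

	# VALGRIND is deliberately unquoted: it may be empty or carry options.
	output=$(${VALGRIND} "${samba_ktutil}" "${keytab}" 2>&1)
	status=$?
	if [ "${status}" -ne 0 ]; then
		# printf, not echo: the tool output is arbitrary text and echo may
		# interpret a leading '-' or backslash sequences.
		printf '%s\n' "${output}" | subunit_fail_test "${testname}"
		return "${status}"
	fi

	# The principal is a regular expression on purpose: callers pass the
	# machine account as 'NAME\$' so the trailing '$' matches literally.
	# KEYTAB_GREP is a bracket expression (see where it is set), so the
	# second grep matches lines containing any one of its characters.
	NKEYS=$(printf '%s\n' "${output}" | grep -i -e "${principal}" |
		grep -c -e "${KEYTAB_GREP}")
	if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then
		printf '%s\n' "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" |
			subunit_fail_test "${testname}"
		return 1
	fi

	subunit_pass_test "${testname}"
	return 0
}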
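# Create a throw-away user, then export keytabs for the whole domain, for the
# server's cifs SPN, for the test user and for an SPN used as a UPN, reading
# each one back to verify its key count.  Every export is repeated so that
# exporting over an existing keytab is shown to leave the key count unchanged.
testit "create local user ${TEST_USER}" \
	"${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "${TEST_PASSWORD}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

testit "dump keytab from domain" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-all" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

# The machine account is passed as 'SERVER\$' so that test_keytab's grep
# treats the trailing '$' literally.
test_keytab "read keytab from domain" \
	"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain (2nd time)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain (2nd time)" \
	"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for cifs service principal" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-server" --principal="cifs/${SERVER_FQDN}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for cifs service principal" \
	"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for cifs service principal (2nd time)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-server" --principal="cifs/${SERVER_FQDN}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for cifs service principal (2nd time)" \
	"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for user principal" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for user principal" \
	"${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

# Second export names the principal with its realm appended.
testit "dump keytab from domain for user principal (2nd time)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-user-princ-2" --principal="${TEST_USER}@${REALM}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for user principal (2nd time)" \
	"${PREFIX}/tmpkeytab-user-princ-2" "${TEST_USER}@${REALM}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for user principal with SPN as UPN" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-spn-upn" \
	--principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

# This check is counted like every other one, so a failure here is
# reflected in the script's exit status.
test_keytab "read keytab from domain for user principal with SPN as UPN" \
	"${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))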
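# Obtain tickets from the exported keytabs as the test user, using a private
# FILE: credential cache under PREFIX, and log in with smbclient using it.
KRB5CCNAME_PATH="${PREFIX}/tmpuserccache"
# Derived from KRB5CCNAME_PATH so the two can never name different files.
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with keytab as user" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
	"${TEST_USER}@${REALM}" || \
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

testit "kinit with keytab as user (one princ)" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \
	"${TEST_USER}@${REALM}" || \
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache (one princ)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Do not leave a ticket-bearing cache behind once it is no longer needed.
rm -f "${KRB5CCNAME_PATH}"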
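# Same again for the administrative account named on the command line,
# with its own credential cache.
KRB5CCNAME_PATH="${PREFIX}/tmpadminccache"
# Derived from KRB5CCNAME_PATH so the two can never name different files.
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with keytab as ${USERNAME}" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
	"${USERNAME}@${REALM}" || \
	failed=$((failed + 1))

# Remove the cache as soon as the check is done.
rm -f "${KRB5CCNAME_PATH}"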
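# Finally obtain a ticket for the SPN-as-UPN principal from its keytab.
# This cache stays exported: the cleanup step below reuses it and removes
# it via KRB5CCNAME_PATH.
KRB5CCNAME_PATH="${PREFIX}/tmpserverccache"
# Derived from KRB5CCNAME_PATH so the two can never name different files.
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with SPN from keytab" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \
	"http/testupnspn.${DNSDOMAIN}" || \
	failed=$((failed + 1))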
# cleanup: delete the throw-away user with whatever credential cache is
# currently exported, then remove every cache and keytab this run wrote.
testit "delete user ${TEST_USER}" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \
	--use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"
# NOTE(review): "tmpkeytab" is not written anywhere in this script as shown;
# it is kept in the list exactly as before.
for tmpfile in tmpadminccache \
	tmpuserccache \
	tmpkeytab \
	tmpkeytab-user-princ \
	tmpkeytab-user-princ-2 \
	tmpkeytab-server \
	tmpkeytab-spn-upn \
	tmpkeytab-all; do
	rm -f "${PREFIX}/${tmpfile}"
done

exit "${failed}"