# Blackbox tests for PKINIT and PAC verification
# Copyright (C) 2006-2008 Stefan Metzmacher
# Copyright (C) 2022 Andreas Schneider
9 Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
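# Locate the binaries under test.
# BINDIR and SELFTEST_TMPDIR are not assigned in the visible part of this
# script; presumably the selftest environment provides them -- confirm.
samba_bindir="$BINDIR"

# Start with whichever kinit is first on PATH (empty if none is found), then
# switch to ${samba_bindir}/samba4kinit when that file exists and is
# executable. Which of the two is picked decides the option syntax used for
# the PKINIT request later in the script.
samba_kinit="$(command -v kinit)"
if [ -x "${samba_bindir}/samba4kinit" ]; then
	samba_kinit="${samba_bindir}/samba4kinit"
fi

# NOTE(review): this is a command and an argument stored in one string, and
# it is handed to testit inside double quotes. That only works if testit
# word-splits its arguments again (testit is defined outside this file --
# confirm). A BINDIR or SELFTEST_TMPDIR containing whitespace would be split
# at the same time.
samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR"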
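# Load the shared test helpers from the directory this script was started
# from. testit, which runs every step of this test, is not defined in this
# file; it is expected to come from one of these two includes.
. "$(dirname "$0")"/subunit.sh
. "$(dirname "$0")"/common_test_fns.inc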
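# Credential cache shared by the two test steps; smbtorture is pointed at it
# through torture:pkinit_ccache.
# Any cache left behind by an earlier run is deleted first, so the PAC check
# cannot succeed on a stale ticket instead of a fresh PKINIT exchange.
# The cache has a fixed name under PREFIX and will hold a TGT: PREFIX should
# be a directory private to the test run (presumably it is -- confirm).
KRB5CCNAME_PATH="$PREFIX/tmpccache"
rm -f "${KRB5CCNAME_PATH}"
# NOTE(review): no `export KRB5CCNAME` is visible in this listing. kinit only
# sees the variable if it is exported -- confirm against the full file.
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"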
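# Lower-cased "user@realm". The certificate and private-key file names used
# for PKINIT are built from this value, so it must match the case used when
# those files were generated.
# printf is used rather than echo so that a backslash or a leading dash in
# the user name cannot be interpreted by echo.
USER_PRINCIPAL_NAME="$(printf '%s\n' "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"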
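# Pick the kinit option syntax from the name of the selected binary:
# samba4kinit takes --pk-user / --renewable, any other kinit gets
# -X X509_user_identity / -r 1h.
# Both forms name the same PEM pair under ${PREFIX}/pkinit: the user's
# certificate and the matching private key. That key file is the credential
# for this test, so the directory must not be readable by other users.
#
# NOTE(review): the listing this was recovered from drops some lines inside
# this conditional. The else/fi placement below, and OPTION_REQUEST_PAC being
# set for both flavours, are reconstructed -- confirm against the full file.
#
# X509_USER_IDENTITY (second form) and OPTION_RENEWABLE="-r 1h" each hold two
# words in one string; they rely on testit re-splitting its arguments, and a
# PREFIX containing whitespace would be split as well.
kbase="$(basename "${samba_kinit}")"
if [ "${kbase}" = "samba4kinit" ]; then
	X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="--renewable"
else
	X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="-r 1h"
fi
OPTION_REQUEST_PAC="--request-pac"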
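# Step 1a: request a ticket for USERNAME@REALM with PKINIT (certificate and
# private key instead of a password), asking for a PAC and a renewable
# ticket. A failure is counted in `failed` and the script carries on.
# `failed` is not initialised in the visible part of the script; an unset
# variable counts as 0 inside $(( )).
testit "STEP1 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))

# Step 1b: run smbtorture's rpc.pac test against SERVER over ncacn_np, with
# the credential cache from step 1a passed in as torture:pkinit_ccache.
# NOTE(review): -U"${USERNAME}%${PASSWORD}" places the password on the
# smbtorture command line, where it is visible in the process list to other
# local users while the test runs. Tolerable for a throwaway selftest
# account only; do not reuse this pattern with real credentials.
testit "STEP1 remote.pac verification" \
	"${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \
	--workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \
	--option=torture:pkinit_ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# Delete the credential cache so the ticket does not outlive the test.
# This line is only reached when the script runs to the end; nothing visible
# here installs a trap, so an interrupted run leaves the cache on disk.
rm -f "${KRB5CCNAME_PATH}"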