2 # Blackbox tests for kinit and trust validation
3 # Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
4 # Copyright (c) 2016 Andreas Schneider <asn@samba.org>
8 Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
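# Paths into the Samba build and source trees. BINDIR and SRCDIR are not
# assigned in the visible part of this listing; presumably the caller's
# environment supplies them.
samba_bindir="$BINDIR"
samba_srcdir="$SRCDIR/source4"
# NOTE(review): $samba_kinit is used by the tests further down, but its
# assignment is not visible in this part of the listing.
samba_kdestroy=kdestroy

# Helper binaries taken from the build tree.
samba_tool="$samba_bindir/samba-tool"
samba_texpect="$samba_bindir/texpect"

smbclient="$samba_bindir/smbclient"
wbinfo="$samba_bindir/wbinfo"
rpcclient="$samba_bindir/rpcclient"

# Share that test_smbclient connects to. It starts out as the local server
# and is reassigned before the outgoing-trust tests.
SMBCLIENT_UNC="//$SERVER.$REALM/tmp"

# Source subunit.sh from the script's own directory. The path is quoted so
# that a checkout location containing whitespace does not split the argument.
. "$(dirname "$0")/subunit.sh"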
54 $VALGRIND $smbclient $CONFIGURATION $SMBCLIENT_UNC -c "$cmd" $@
56 if [ x
$status = x0
]; then
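# Dedicated file-based credential cache for this test run, kept under $PREFIX.
# NOTE(review): no "export KRB5CCNAME" is visible in this part of the
# listing; child processes only see the variable if it is exported.
KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
# Remove any cache left behind by an earlier run before the tests start.
# Quoted and preceded by "--" so a PREFIX containing whitespace or a leading
# dash is still handled as a single path.
rm -rf -- "$KRB5CCNAME_PATH"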
69 cat > $PREFIX/tmpkinitscript
<<EOF
71 send ${TRUST_PASSWORD}\n
74 ###########################################################
75 ### Test incoming trust direction
76 ###########################################################
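# Each step below bumps $failed when it does not succeed. Arithmetic
# expansion replaces the backtick/expr form: no extra process, and an unset
# counter is treated as 0 instead of producing an expr syntax error.
# Command variables ($samba_texpect, $samba_kinit) stay unquoted as in the
# original in case they carry extra arguments; data values are quoted.

# kinit as the trusted-realm user (texpect drives the password prompt from
# tmpkinitscript), then list the share using the resulting ccache.
testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=$((failed + 1))

# Repeat the same pair of checks with the smbclient4 binary.
smbclient="$samba_bindir/smbclient4"

testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache (smbclient4)" 'ls' -k yes || failed=$((failed + 1))

# Switch back to the regular smbclient for the remaining tests.
smbclient="$samba_bindir/smbclient"

# Same login again, this time with kinit -E (the "enterprise" variant).
testit "kinit with password (enterprise)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=$((failed + 1))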
95 if test x
"${TYPE}" = x
"forest" ;then
96 testit
"kinit with password (enterprise UPN)" $samba_texpect $PREFIX/tmpkinitscript
$samba_kinit -E testdenied_upn@
${TRUST_REALM}.upn || failed
=`expr $failed + 1`
97 test_smbclient
"Test login with user kerberos ccache" 'ls' -k yes || failed
=`expr $failed + 1`
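# Obtain a ticket for the trusted-realm user again (kinit -E) and confirm
# the share is reachable with it.
testit "kinit with password (enterprise)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=$((failed + 1))

# Renew the ticket and check that the renewed ccache still works.
# NOTE(review): unlike the neighbouring steps, a failed renewal is not added
# to $failed. Confirm that this is intended.
testit "kinit renew ticket" $samba_kinit -R
test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=$((failed + 1))

# "$@" is quoted so extra arguments passed to the script keep their word
# boundaries. $VALGRIND and $CONFIGURATION stay unquoted because they may be
# empty or hold several words.
testit "check time with kerberos ccache" $VALGRIND $samba_tool time "$SERVER.$REALM" $CONFIGURATION -k yes "$@" || failed=$((failed + 1))

# Lower-cased copy of the trusted realm, used to check that realm matching
# does not depend on case.
lowerrealm=$(printf '%s\n' "$TRUST_REALM" | tr '[A-Z]' '[a-z]')
# The "%password" suffix puts the password on smbclient's command line,
# where other local users can read it from the process list. Only use this
# with disposable test accounts.
# Quoting keeps user, realm and password together as one word here, but
# test_smbclient forwards its arguments with an unquoted $@, so values
# containing whitespace are still re-split there.
test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes -d5 -U"$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes -U"$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" --realm="$lowerrealm" || failed=$((failed + 1))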
116 ###########################################################
117 ### Test outgoing trust direction
118 ###########################################################
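# Point test_smbclient at the server in the trusted realm.
# NOTE(review): TRUST_SERVER is not assigned in the visible part of this
# listing; presumably the environment provides it.
SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"
# A user from the local realm logs in to the trusted server. The password is
# passed on the command line (see -U), so only use disposable test accounts.
test_smbclient "Test user login with the first outgoing secret" 'ls' -k yes -U"$USERNAME@$REALM%$PASSWORD" || failed=$((failed + 1))

# Negative test: resetting the password of the "<TRUST_DOMAIN>$" account
# through "samba-tool user setpassword" is expected to be refused. A success
# here counts as a test failure.
testit_expect_failure "setpassword should not work" $VALGRIND $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$((failed + 1))

# Ping the trusted domain's DC, change the outgoing trust secret through
# winbind, then verify the new secret.
testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain="$TRUST_DOMAIN" || failed=$((failed + 1))
testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain="$TRUST_DOMAIN" || failed=$((failed + 1))
testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain="$TRUST_DOMAIN" || failed=$((failed + 1))

# Cross-realm login must still work after the trust secret was changed.
test_smbclient "Test user login with the changed outgoing secret" 'ls' -k yes -U"$USERNAME@$REALM%$PASSWORD" || failed=$((failed + 1))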
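# Clean up the credential cache and the texpect scripts. tmpkinitscript
# holds the trust user's password in clear text, so it must not outlive the
# run. This cleanup only happens when the script reaches this point; an EXIT
# trap would also cover early termination.
# Paths are quoted and preceded by "--" so a PREFIX containing whitespace or
# a leading dash is handled as a single path.
rm -f -- "$KRB5CCNAME_PATH"
# NOTE(review): tmpkinituserpassscript is not created in the visible part of
# this listing.
rm -f -- "$PREFIX/tmpkinituserpassscript"
rm -f -- "$PREFIX/tmpkinitscript"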