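#!/bin/sh
# Blackbox tests for kinit and kerberos integration with smbclient etc
# Copyright (c) 2015-2016 Andreas Schneider <asn@samba.org>

# All seven positional parameters are consumed below (see "shift 7"), so
# require all of them. With only five or six, PREFIX and smbclient would be
# empty and later paths such as "$PREFIX/tmpccache" would resolve against /.
if [ $# -lt 7 ]; then
	cat <<EOF
Usage: test_kinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
EOF
	exit 1
fi

SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
PREFIX=$6
smbclient=$7
# Whatever remains in "$@" is forwarded to the tools as extra arguments.
shift 7
# Counts failed test cases; it becomes the script's exit status.
failed=0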
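# BINDIR and SRCDIR are read from the environment of the caller.
samba_bindir="$BINDIR"
samba_srcdir="$SRCDIR/source4"

# Kerberos client tools are looked up through PATH.
samba_kinit=kinit
samba_kdestroy=kdestroy
samba_kpasswd=kpasswd
samba_kvno=kvno

samba_tool="$samba_bindir/samba-tool"
samba_texpect="$samba_bindir/texpect"

# Holds a command plus subcommand, so it is expanded unquoted at the call
# site to let the shell split it into separate words.
samba_enableaccount="$samba_tool user enable"
machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"

# Use the ldb tools from the build directory when they exist there,
# otherwise fall back to the ones found through PATH.
ldbmodify="ldbmodify"
if [ -x "$samba_bindir/ldbmodify" ]; then
	ldbmodify="$samba_bindir/ldbmodify"
fi

ldbsearch="ldbsearch"
if [ -x "$samba_bindir/ldbsearch" ]; then
	ldbsearch="$samba_bindir/ldbsearch"
fi

# Presumably provides the testit helper used below (it is not defined in
# this file). Quoted so a script path containing spaces still resolves.
. "$(dirname "$0")/subunit.sh"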
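# Run one smbclient command against //$SERVER/tmp and print "test:" followed
# by "success:" or "failure:" for it.
# Globals:   VALGRIND, smbclient, CONFIGURATION, SERVER (read)
#            name, cmd, status (written)
# Arguments: $1 - test name
#            $2 - command string handed to smbclient -c
#            remaining arguments are passed to smbclient unchanged
# Returns:   the exit status of the smbclient invocation
test_smbclient()
{
	name="$1"
	cmd="$2"
	shift
	shift
	echo "test: $name"
	# VALGRIND, smbclient and CONFIGURATION stay unquoted on purpose: each may
	# be empty or hold several words and has to split into separate arguments.
	# The share path is data, so it is quoted to remain a single argument.
	$VALGRIND $smbclient $CONFIGURATION "//$SERVER/tmp" -c "$cmd" "$@"
	status=$?
	if [ "$status" -eq 0 ]; then
		echo "success: $name"
	else
		echo "failure: $name"
	fi
	return $status
}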
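# Admin connection options for samba-tool and ldbmodify. Expanded unquoted at
# the call sites so it splits into "-H <url>" and "-U<user>%<password>".
# NOTE: the password therefore ends up in argv, which other local users can
# read through ps, and the export hands a copy to every child process. Only
# use throwaway test-realm credentials with this script.
ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
export ADMIN_LDBMODIFY_CONFIG

KRB5CCNAME_PATH="$PREFIX/tmpccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
# Quoted so the recursive delete can only ever target this one path.
rm -rf -- "$KRB5CCNAME_PATH"

testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$((failed + 1))

# texpect script that answers kinit's prompt with the admin password. It
# holds the password in clear text, so it is created under umask 077 in a
# subshell (the umask change does not leak into the rest of the script).
# The heredoc delimiter is unquoted: ${PASSWORD} is expanded, "\n" is kept
# literally for texpect.
(
	umask 077
	cat >"$PREFIX/tmpkinitscript" <<EOF
expect Password for
send ${PASSWORD}\n
EOF
)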
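###########################################################
### Test kinit defaults
###########################################################

# Get a TGT for the admin user via the texpect password script, then prove
# the resulting credential cache is usable by smbclient.
testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$USERNAME@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Renew the ticket and check the cache still works afterwards.
testit "kinit renew ticket" $samba_kinit -R || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Destroy the cache so the next scenario starts without tickets.
$samba_kdestroy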
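###########################################################
### Test kinit with enterprise principal
###########################################################

# Same flow as the default test, but kinit -E treats the name as an
# enterprise principal.
testit "kinit with password (enterprise style)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "$USERNAME@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# This does not work with MIT Kerberos 1.14 or older
testit "kinit renew ticket (enterprise style)" $samba_kinit -R || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Destroy the cache so the next scenario starts without tickets.
$samba_kdestroy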
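###########################################################
### Tests with kinit default again
###########################################################

# Re-acquire the admin TGT; everything below that passes "-k yes"
# authenticates with this credential cache.
testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$USERNAME@$REALM" || failed=$((failed + 1))
testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time "$SERVER" $CONFIGURATION -k yes "$@" || failed=$((failed + 1))

# Fixture password for the throwaway account nettestuser. It is passed on
# the command line below and is therefore visible in the process list.
USERPASS="testPass@12%"

testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser "$USERPASS" $CONFIGURATION -k yes "$@" || failed=$((failed + 1))

echo "Getting defaultNamingContext"
# NOTE(review): $options is not set anywhere in this script; it expands to
# nothing unless the environment or subunit.sh defines it - confirm.
BASEDN=$($ldbsearch $options --basedn='' -H "ldap://$SERVER" --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')

# LDIF that adds an SPN to nettestuser and changes its UPN to nettest@REALM.
cat >"$PREFIX/tmpldbmodify" <<EOF
dn: cn=nettestuser,cn=users,$BASEDN
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/nettestuser
replace: userPrincipalName
userPrincipalName: nettest@$REALM
EOF

testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H "ldap://$SERVER" "$PREFIX/tmpldbmodify" -k yes "$@" || failed=$((failed + 1))

testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword="$USERPASS" $CONFIGURATION -k yes "$@" || failed=$((failed + 1))

# samba_enableaccount is "<samba-tool> user enable" and must word-split.
testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount nettestuser -H "ldap://$SERVER" -k yes "$@" || failed=$((failed + 1))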
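###########################################################
### Test kinit with canonicalization
###########################################################

# Request a ticket for the upper-cased user name with kinit -C
# (canonicalize). printf plus quoting keeps the name from being
# word-split, globbed, or misread as an echo option.
upperusername=$(printf '%s\n' "$USERNAME" | tr '[a-z]' '[A-Z]')
testit "kinit with canonicalize" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -C "$upperusername@$REALM" -S "kadmin/changepw@$REALM" || failed=$((failed + 1))

# Destroy the cache so the next scenario starts without tickets.
$samba_kdestroy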
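###########################################################
### Test kinit with user credentials
###########################################################

# Switch to a separate credential cache for the unprivileged test user.
KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME

rm -f -- "$KRB5CCNAME_PATH"

# texpect script with the user's password in clear text; created under
# umask 077 in a subshell so a newly created file is not readable by others.
(
	umask 077
	cat >"$PREFIX/tmpkinituserpassscript" <<EOF
expect Password for
send ${USERPASS}\n
EOF
)

testit "kinit with user password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

### Change password

# "-k no" forces password authentication, so the old password is passed
# inside -U and the new one in --newpassword; both are visible in argv.
NEWUSERPASS="testPaSS@34%"
testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W"$DOMAIN" -U"nettestuser%$USERPASS" $CONFIGURATION -k no --newpassword="$NEWUSERPASS" "$@" || failed=$((failed + 1))

# Rewrite the existing texpect script so it answers with the new password.
cat >"$PREFIX/tmpkinituserpassscript" <<EOF
expect Password for
send ${NEWUSERPASS}\n
EOF

testit "kinit with new user password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Destroy the cache so the next scenario starts without tickets.
$samba_kdestroy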
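###########################################################
### Test kinit with user credentials in special formats
###########################################################

# nettest@REALM is the userPrincipalName assigned to nettestuser earlier;
# log in with it both as a plain principal and as an enterprise principal.
testit "kinit with new (NT-Principal style) using UPN" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettest@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache from NT UPN" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

$samba_kdestroy

testit "kinit with new (enterprise style) using UPN" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit -E "nettest@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

$samba_kdestroy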
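###########################################################
### Test kinit with user credentials and changed realm
###########################################################

# LDIF that moves the UPN of nettestuser to a realm suffix ("REALM.org")
# that differs from the domain's own realm.
cat >"$PREFIX/tmpldbmodify" <<EOF
dn: cn=nettestuser,cn=users,$BASEDN
changetype: modify
replace: userPrincipalName
userPrincipalName: nettest@$REALM.org
EOF

# NOTE(review): the LDIF file is passed twice, as in the original script.
# That looks unintentional - confirm before dropping the second argument.
# ADMIN_LDBMODIFY_CONFIG carries the admin password and must word-split.
testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG "$PREFIX/tmpldbmodify" "$PREFIX/tmpldbmodify" -k yes "$@" || failed=$((failed + 1))

testit "kinit with new (enterprise style) using UPN" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit -E "nettest@$REALM.org" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

$samba_kdestroy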
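###########################################################
### Test password change with kpasswd
###########################################################

testit "kinit with user password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Rotate the fixture passwords: the current one becomes the old password.
USERPASS=$NEWUSERPASS
NEWUSERPASS=testPaSS@56%

# texpect dialogue for kpasswd; it contains the old and the new password in
# clear text, so it is created under umask 077 in a subshell.
(
	umask 077
	cat >"$PREFIX/tmpkpasswdscript" <<EOF
expect Password for
password ${USERPASS}\n
expect Enter new password
send ${NEWUSERPASS}\n
expect Enter it again
send ${NEWUSERPASS}\n
expect Password changed
EOF
)

testit "change user password with kpasswd" $samba_texpect "$PREFIX/tmpkpasswdscript" $samba_kpasswd "nettestuser@$REALM" || failed=$((failed + 1))

$samba_kdestroy

# Verify that the password set through kpasswd is accepted by kinit.
USERPASS=$NEWUSERPASS
cat >"$PREFIX/tmpkinituserpassscript" <<EOF
expect Password for
send ${USERPASS}\n
EOF

testit "kinit with user password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

$samba_kdestroy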
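###########################################################
### TODO Test set password with kpasswd
###########################################################

# This is not implemented in kpasswd

###########################################################
### Test password expiry
###########################################################

# LDIF that sets pwdLastSet to 0; the kinit dialogue below expects the
# password to be reported as expired afterwards.
cat >"$PREFIX/tmpldbmodify" <<EOF
dn: cn=nettestuser,cn=users,$BASEDN
changetype: modify
replace: pwdLastSet
pwdLastSet: 0
EOF

USERPASS=$NEWUSERPASS
NEWUSERPASS=testPaSS@911%

# NOTE(review): the LDIF file is passed twice, as in the original script.
# That looks unintentional - confirm before dropping the second argument.
testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG "$PREFIX/tmpldbmodify" "$PREFIX/tmpldbmodify" -k yes "$@" || failed=$((failed + 1))

# kinit is expected to report the expiry and ask for a new password twice.
cat >"$PREFIX/tmpkinituserpassscript" <<EOF
expect Password for
send ${USERPASS}\n
expect Password expired. You must change it now.
expect Enter new password
send ${NEWUSERPASS}\n
expect Enter it again
send ${NEWUSERPASS}\n
EOF

testit "kinit (MIT) with user password for expired password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# The forced change must stick: a plain kinit with the new password works.
USERPASS=$NEWUSERPASS
cat >"$PREFIX/tmpkinituserpassscript" <<EOF
expect Password for
send ${USERPASS}\n
EOF

testit "kinit with user password" $samba_texpect "$PREFIX/tmpkinituserpassscript" $samba_kinit "nettestuser@$REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))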
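###########################################################
### Test login with lowercase realm
###########################################################

# Point KRB5CCNAME back at the first cache path and make sure it is empty.
KRB5CCNAME_PATH="$PREFIX/tmpccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME

rm -rf -- "$KRB5CCNAME_PATH"

# Both logins pass the password inside -U (visible in argv) and require
# Kerberos, once with a lower-cased realm in the user name and once with the
# lower-cased realm given through --realm.
lowerrealm=$(printf '%s\n' "$REALM" | tr '[A-Z]' '[a-z]')
test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -U"nettestuser@$lowerrealm%$NEWUSERPASS" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -U"nettestuser@$REALM%$NEWUSERPASS" --realm="$lowerrealm" || failed=$((failed + 1))

# Remove the throwaway account again.
testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes "$@" || failed=$((failed + 1))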
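###########################################################
### Test login with machine account
###########################################################

# Start from an empty cache and let the machineaccountccache script fill it.
rm -f -- "$KRB5CCNAME_PATH"
testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION "$KRB5CCNAME" || failed=$((failed + 1))
test_smbclient "Test machine account login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# Put every password policy setting, including the minimum password age
# that was set to 0 at the start, back to its default.
testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$((failed + 1))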
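###########################################################
### Test basic s4u2self request
###########################################################

# Use previous acquired machine creds to request a ticket for self.
# We expect it to fail for now.
# The tr sets are quoted: unquoted [a-z] / [A-Z] are glob patterns and would
# be replaced by a matching single-letter file name in the current directory.
MACHINE_ACCOUNT="$(hostname -s | tr '[a-z]' '[A-Z]')\$@$REALM"
# The exit status is deliberately not checked; see the comment above.
$samba_kvno -U"$MACHINE_ACCOUNT" "$MACHINE_ACCOUNT"
# But we expect the KDC to be up and running still
# NOTE(review): unlike the earlier machineaccountccache call this one is not
# prefixed with $PYTHON - confirm that is intended.
testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION "$KRB5CCNAME" || failed=$((failed + 1))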
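### Cleanup

$samba_kdestroy

rm -f -- "$KRB5CCNAME_PATH"
# The texpect scripts hold clear-text passwords; remove every one of them.
rm -f -- "$PREFIX/tmpkinituserpassscript"
rm -f -- "$PREFIX/tmpkinitscript"
rm -f -- "$PREFIX/tmpkpasswdscript"
# Also remove what the script creates but never deleted: the LDIF scratch
# file and the user credential cache, which is re-created by the kinit calls
# of the password expiry tests after its last kdestroy.
rm -f -- "$PREFIX/tmpldbmodify"
rm -f -- "$PREFIX/tmpuserccache"
# Exit status is the number of failed test cases (0 means all passed).
exit $failed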