2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (c) 2015-2016 Andreas Schneider <asn@samba.org>
7 Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
# Locations of the tools exercised by this script.  BINDIR and SRCDIR are
# expected from the environment (the selftest harness sets them); every
# other path is derived from those two.
samba_bindir=${BINDIR}
samba_srcdir=${SRCDIR}/source4

# kdestroy is resolved through PATH, not taken from $BINDIR.
samba_kdestroy=kdestroy

samba_tool=${samba_bindir}/samba-tool
samba_texpect=${samba_bindir}/texpect

# Expanded unquoted at the call site, so the embedded spaces become
# separate words ("samba-tool" "user" "enable").
samba_enableaccount="${samba_tool} user enable"

machineaccountccache=${samba_srcdir}/scripting/bin/machineaccountccache
36 if [ -x "$samba_bindir/ldbmodify" ]; then
37 ldbmodify
="$samba_bindir/ldbmodify"
41 if [ -x "$samba_bindir/ldbsearch" ]; then
42 ldbsearch
="$samba_bindir/ldbsearch"
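# Source the subunit helpers that live next to this script (presumably the
# origin of testit and the failed counter used below).  Both expansions are
# quoted so a script path containing whitespace still resolves.
. "$(dirname "$0")/subunit.sh"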
54 $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp
-c "$cmd" "$@"
56 if [ x
$status = x0
]; then
# Administrator credentials handed to ldbmodify / samba-tool as plain
# command-line options.  The password is therefore visible in the process
# list for the lifetime of each such command; fine for a self-test
# environment, not a pattern to copy elsewhere.
export ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}"
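# Credential cache for the administrator's tickets.  PREFIX is the per-test
# scratch directory from the command line and must be set: without the
# guard an empty PREFIX would make the rm -rf below act on /tmpccache.
KRB5CCNAME_PATH="${PREFIX:?PREFIX must be set}/tmpccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"

# Start from an empty cache so a stale ticket cannot mask a failed kinit.
rm -rf -- "$KRB5CCNAME_PATH"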
# Loosen the domain password policy for the duration of the run: complexity,
# history length, minimum length and maximum age go to their defaults, and
# the minimum age is forced to 0 days -- presumably so the repeated password
# changes below are not refused as "too soon".  The all-defaults policy is
# restored near the end of the script.  Authenticates with the admin
# password carried in ADMIN_LDBMODIFY_CONFIG (on the command line).
testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
75 cat >$PREFIX/tmpkinitscript
<<EOF
###########################################################
### Test kinit defaults
###########################################################

# Obtain a TGT for USERNAME, with the password typed in by texpect from the
# script written to $PREFIX/tmpkinitscript above, then verify smbclient can
# authenticate with the resulting ccache.  samba_kinit is assigned outside
# the visible part of this file.
testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# Renew the ticket in place (-R) and confirm the renewed ccache still works.
testit "kinit renew ticket" $samba_kinit -R || failed=$(expr $failed + 1)
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
###########################################################
### Test kinit with enterprise principal
###########################################################

# Same flow as the default case, but the TGT is requested with an
# enterprise principal name (-E).
testit "kinit with password (enterprise style)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $USERNAME@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# This does not work with MIT Kerberos 1.14 or older
testit "kinit renew ticket (enterprise style)" $samba_kinit -R || failed=$(expr $failed + 1)
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
###########################################################
### Tests with kinit default again
###########################################################

# Fresh admin TGT, then a first Kerberos-authenticated samba-tool call.
# "-k yes" is the older Kerberos switch; later in this file the smbclient
# calls use --use-kerberos=required / --use-krb5-ccache instead.
testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1)
testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)

# First of several throw-away passwords rotated through the test user.
USERPASS="testPass@12%"

# Create the test user with the admin ccache; the new password is passed
# as a command-line argument and is thus visible in the process list.
testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)

# Look up the domain's base DN from the rootDSE for the LDIF edits below.
# NOTE(review): $options is not assigned anywhere in the visible part of
# this file; if it is unset it simply expands to nothing.
echo "Getting defaultNamingContext"
BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
119 cat >$PREFIX/tmpldbmodify
<<EOF
120 dn: cn=nettestuser,cn=users,$BASEDN
122 add: servicePrincipalName
123 servicePrincipalName: host/nettestuser
124 replace: userPrincipalName
125 userPrincipalName: nettest@$REALM
# Apply the LDIF written to $PREFIX/tmpldbmodify above: it adds the SPN
# host/nettestuser and replaces userPrincipalName with nettest@$REALM, so
# the account has a UPN that differs from its account name for the tests
# further down.  Authenticates with the admin ccache (-k yes).
# NOTE(review): the test name misspells "userPrincpalName"; left as is since
# subunit test ids may be matched by name in known-failure lists.
testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)

# Re-set the password and enable the account, both via Kerberos.  The
# password is again on the command line.
testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)

testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount nettestuser -H ldap://$SERVER -k yes "$@" || failed=$(expr $failed + 1)
###########################################################
### Test kinit with canonicalization
###########################################################

# Request the TGT with the user name upper-cased and ask the KDC to
# canonicalize it (-C); the requested service is kadmin/changepw.
upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=$(expr $failed + 1)
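###########################################################
### Test kinit with user credentials
###########################################################

# Switch to a separate ccache for the test user so the admin tickets in
# tmpccache are kept.  PREFIX must be set (it is a required argument);
# the guard keeps an empty PREFIX from turning the path into /tmpuserccache.
KRB5CCNAME_PATH="${PREFIX:?PREFIX must be set}/tmpuserccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"

rm -f -- "$KRB5CCNAME_PATH"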
153 cat >$PREFIX/tmpkinituserpassscript
<<EOF
# kinit as the freshly created user, driven by the expect script in
# $PREFIX/tmpkinituserpassscript, and check the ccache works with smbclient.
testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# Change the password over RPC (-k no), supplying the current password as
# -U user%pass.  Old and new password are both on the command line and so
# visible in the process list while samba-tool runs.
NEWUSERPASS="testPaSS@34%"
testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS "$@" || failed=$(expr $failed + 1)
166 cat >$PREFIX/tmpkinituserpassscript
<<EOF
168 send ${NEWUSERPASS}\n
# The expect script was rewritten above to send NEWUSERPASS; kinit must now
# succeed with the changed password and the ccache must still log in.
testit "kinit with new user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
###########################################################
### Test kinit with user credentials in special formats
###########################################################

# The account's UPN was set to nettest@$REALM earlier, so "nettest" must
# also work as the principal: first as a plain (NT-principal style) name ...
testit "kinit with new (NT-Principal style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettest@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache from NT UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# ... and then as an enterprise principal (-E).
testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
190 ###########################################################
191 ### Test kinit with user credentials and changed realm
192 ###########################################################
194 cat >$PREFIX/tmpldbmodify
<<EOF
195 dn: cn=nettestuser,cn=users,$BASEDN
197 replace: userPrincipalName
198 userPrincipalName: nettest@$REALM.org
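# Apply the LDIF written to $PREFIX/tmpldbmodify above (userPrincipalName
# moved to nettest@$REALM.org).  The LDIF path is given once: ldbmodify
# processes every file argument, and naming it twice would just run the same
# replace a second time.  Both the admin credentials from
# ADMIN_LDBMODIFY_CONFIG and -k yes are passed through.
testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)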
# With the UPN now in the foreign-looking realm $REALM.org, the enterprise
# style kinit must still be answered by this KDC.
testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM.org || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
###########################################################
### Test password change with kpasswd
###########################################################

testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# Rotate: the current password becomes the "old" one for the kpasswd
# dialogue written below.  These values end up in clear text in the expect
# script under $PREFIX.
USERPASS=$NEWUSERPASS
NEWUSERPASS=testPaSS@56%
218 cat >$PREFIX/tmpkpasswdscript
<<EOF
220 password ${USERPASS}\n
221 expect Enter new password
222 send ${NEWUSERPASS}\n
223 expect Enter it again
224 send ${NEWUSERPASS}\n
225 expect Password changed
# Drive kpasswd through the expect script: old password, new password
# twice, then wait for "Password changed".  samba_kpasswd is assigned
# outside the visible part of this file.
testit "change user password with kpasswd" $samba_texpect $PREFIX/tmpkpasswdscript $samba_kpasswd nettestuser@$REALM || failed=$(expr $failed + 1)

# The kpasswd-set password is now the current one.
USERPASS=$NEWUSERPASS
233 cat >$PREFIX/tmpkinituserpassscript
<<EOF
# Confirm the password set through kpasswd is accepted by kinit and that the
# resulting ccache logs in.
testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
243 ###########################################################
244 ### TODO Test set password with kpasswd
245 ###########################################################
247 # This is not implemented in kpasswd
249 ###########################################################
250 ### Test password expiry
251 ###########################################################
253 cat >$PREFIX/tmpldbmodify
<<EOF
254 dn: cn=nettestuser,cn=users,$BASEDN
# Rotate once more for the expiry test: the password that kinit will be
# forced to replace, and the one it will be replaced with.
USERPASS="$NEWUSERPASS"
NEWUSERPASS='testPaSS@911%'
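# Apply the LDIF written to $PREFIX/tmpldbmodify above (per the test name it
# rewrites pwdLastSet, which expires the current password).  The LDIF path
# is passed once; ldbmodify applies every file argument, so listing it
# twice would only repeat the same modify.
testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)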
265 cat >$PREFIX/tmpkinituserpassscript
<<EOF
268 expect Password expired. You must change it now.
269 expect Enter new password
270 send ${NEWUSERPASS}\n
271 expect Enter it again
272 send ${NEWUSERPASS}\n
# The password is now expired: kinit must prompt for a new one, which the
# expect script answers with NEWUSERPASS (twice).  The prompt strings being
# matched look like MIT kinit's, hence the "(MIT)" in the test name.
testit "kinit (MIT) with user password for expired password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# The password chosen during the forced change is now the current one.
USERPASS=$NEWUSERPASS
279 cat >$PREFIX/tmpkinituserpassscript
<<EOF
# A plain kinit with the post-expiry password must work again.
testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
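###########################################################
### Test login with lowercase realm
###########################################################

# Back to the admin ccache path.  Guarded so an empty PREFIX cannot turn the
# rm -rf below into one on /tmpccache.
KRB5CCNAME_PATH="${PREFIX:?PREFIX must be set}/tmpccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"

rm -rf -- "$KRB5CCNAME_PATH"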
# Kerberos logins with the realm spelled in lower case, once in the
# principal and once via --realm.  Both calls authenticate with the
# password on the command line (-U user@realm%pass) rather than a ccache,
# so NEWUSERPASS is visible in the process list while smbclient runs.
lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1)
# Remove the test user again, using whatever ticket is in the ccache.
# NOTE(review): the ccache was just wiped above, so this relies on -k yes
# still finding usable credentials; cannot tell from here which ones.
testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)
###########################################################
### Test login with machine account
###########################################################

# Populate the (admin) ccache from the machine account's secrets via the
# helper script, then log in with it.  The path is unquoted here as
# elsewhere in this script; PREFIX is assumed not to contain whitespace.
rm -f $KRB5CCNAME_PATH
testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
test_smbclient "Test machine account login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# Put the domain password policy back to all defaults, undoing the
# min-pwd-age=0 override from the start of the script.
testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
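###########################################################
### Test basic s4u2self request
###########################################################

# Use previous acquired machine creds to request a ticket for self.
# We expect it to fail for now.
# The machine principal is the upper-cased short host name plus a trailing
# '$'.  The tr arguments are quoted: unquoted [a-z] / [A-Z] are globs inside
# the command substitution and would expand to file names if a
# single-character file happened to exist in the current directory.
MACHINE_ACCOUNT="$(hostname -s | tr '[a-z]' '[A-Z]')\$@$REALM"
# Exit status intentionally not checked (see above); what matters is the
# next test.  samba_kvno is assigned outside the visible part of this file.
$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT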
# But we expect the KDC to be up and running still
# Re-run the machine account helper to prove the KDC still answers after the
# s4u2self request.  NOTE(review): unlike the earlier call this one does not
# prefix the script with $PYTHON, so it depends on the script being
# executable with a working interpreter line.
testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
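# Cleanup.  The three expect scripts hold the test passwords in clear text,
# so they are removed together with the ccache.  This only runs when the
# script reaches its end -- there is no trap -- so an early exit leaves them
# behind in $PREFIX.  $PREFIX/tmpldbmodify is not removed here.
rm -f -- "$KRB5CCNAME_PATH" \
	"$PREFIX/tmpkinituserpassscript" \
	"$PREFIX/tmpkinitscript" \
	"$PREFIX/tmpkpasswdscript"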