search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/util: add debug_set_forced_log_priority()
[Samba.git] / testprogs / blackbox / test_kinit.sh
blob80188e8f852b4bd74518e358c67cf74d01b8899b
1 #!/bin/sh
2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (c) Andreas Schneider <asn@samba.org>
4 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
5 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
6
7 if [ $# -lt 8 ]; then
8 cat <<EOF
9 Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
10 EOF
11 exit 1
12 fi
13
14 SERVER=$1
15 USERNAME=$2
16 PASSWORD=$3
17 REALM=$4
18 DOMAIN=$5
19 PREFIX=$6
20 smbclient=$7
21 CONFIGURATION="${8}"
22 shift 8
23 failed=0
24
25 . "$(dirname "${0}")/subunit.sh"
26 . "$(dirname "${0}")/common_test_fns.inc"
27
28 samba_bindir="$BINDIR"
29 samba_srcdir="$SRCDIR/source4"
30 samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
31 samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd)
32 samba_kvno=$(system_or_builddir_binary kvno "${BINDIR}" samba4kvno)
33
34 samba_tool="${samba_bindir}/samba-tool"
35 samba_texpect="${samba_bindir}/texpect"
36
37 samba_enableaccount="${samba_tool} user enable"
38 machineaccountccache="${samba_srcdir}/scripting/bin/machineaccountccache"
39
40 ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
41 ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
42
43 kbase="$(basename "${samba_kinit}")"
44 if [ "${kbase}" = "samba4kinit" ]; then
45 # HEIMDAL
46 OPTION_RENEWABLE="--renewable"
47 OPTION_RENEW_TICKET="--renew"
48 OPTION_ENTERPRISE_NAME="--enterprise"
49 OPTION_CANONICALIZATION=""
50 OPTION_WINDOWS="--windows"
51 OPTION_SERVICE="-S"
52 else
53 # MIT
54 OPTION_RENEWABLE="-r 1h"
55 OPTION_RENEW_TICKET="-R"
56 OPTION_ENTERPRISE_NAME="-E"
57 OPTION_CANONICALIZATION="-C"
58 OPTION_WINDOWS=""
59 OPTION_SERVICE="-S"
60 fi
61
62 TEST_USER="$(mktemp -u kinittest-XXXXXX)"
63 UNC="//${SERVER}/tmp"
64
65 ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}"
66 export ADMIN_LDBMODIFY_CONFIG
67
68 KRB5CCNAME_PATH="${PREFIX}/tmpccache"
69 KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
70 export KRB5CCNAME
71 rm -rf "${KRB5CCNAME_PATH}"
72
73 testit "reset password policies beside of minimum password age of 0 days" \
74 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
75 "${ADMIN_LDBMODIFY_CONFIG}" \
76 --complexity=default \
77 --history-length=default \
78 --min-pwd-length=default \
79 --min-pwd-age=0 \
80 --max-pwd-age=default || \
81 failed=$((failed + 1))
82
83 ###########################################################
84 ### Test kinit defaults
85 ###########################################################
86
87 testit "kinit with password (initial)" \
88 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
89 "${OPTION_RENEWABLE}" || \
90 failed=$((failed + 1))
91 test_smbclient "Test login with user kerberos ccache" \
92 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
93 failed=$((failed + 1))
94
95 testit "kinit renew ticket (initial)" \
96 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
97 failed=$((failed + 1))
98
99 test_smbclient "Test login with kerberos ccache (initial)" \
100 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
101 failed=$((failed + 1))
102
103 rm -f "${KRB5CCNAME_PATH}"
104
105 ###########################################################
106 ### Test kinit with enterprice principal
107 ###########################################################
108
109 testit "kinit with password (enterprise style)" \
110 kerberos_kinit "${samba_kinit}" \
111 "${USERNAME}@${REALM}" "${PASSWORD}" "${OPTION_ENTERPRISE_NAME}" \
112 "${OPTION_RENEWABLE}" || \
113 failed=$((failed + 1))
114
115 test_smbclient "Test login with user kerberos ccache (enterprise style)" \
116 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
117 failed=$((failed + 1))
118
119 testit "kinit renew ticket (enterprise style)" \
120 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
121 failed=$((failed + 1))
122
123 test_smbclient "Test login with kerberos ccache (enterprise style)" \
124 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
125 failed=$((failed + 1))
126
127 rm -f "${KRB5CCNAME_PATH}"
128
129 ###########################################################
130 ### Tests with kinit windows
131 ###########################################################
132
133 # HEIMDAL ONLY
134 if [ "${kbase}" = "samba4kinit" ]; then
135 testit "kinit with password (windows style)" \
136 kerberos_kinit "${samba_kinit}" \
137 "${USERNAME}@${REALM}" "${PASSWORD}" \
138 "${OPTION_RENEWABLE}" "${OPTION_WINDOWS}" || \
139 failed=$((failed + 1))
140
141 test_smbclient "Test login with kerberos ccache (windows style)" \
142 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
143 failed=$((failed + 1))
144
145 testit "kinit renew ticket (windows style)" \
146 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
147 failed=$((failed + 1))
148
149 test_smbclient "Test login with kerberos ccache (windows style)" \
150 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
151 failed=$((failed + 1))
152
153 rm -f "${KRB5CCNAME_PATH}"
154 fi # HEIMDAL ONLY
155
156 ###########################################################
157 ### Tests with kinit default again
158 ###########################################################
159
160 testit "kinit with password (default)" \
161 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
162 failed=$((failed + 1))
163
164 testit "check time with kerberos ccache (default)" \
165 "${VALGRIND}" "${PYTHON}" "${samba_tool}" time "${SERVER}" \
166 "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
167 failed=$((failed + 1))
168
169 USERPASS="testPass@12%"
170
171 testit "add user with kerberos ccache" \
172 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user create \
173 "${TEST_USER}" "${USERPASS}" \
174 "${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
175 failed=$((failed + 1))
176
177 echo "Getting defaultNamingContext"
178 BASEDN=$(${ldbsearch} --basedn='' -H "ldap://${SERVER}" --scope=base \
179 DUMMY=x defaultNamingContext | awk '/defaultNamingContext/ {print $2}')
180
181
182 TEST_UPN="$(mktemp -u test-XXXXXX)@${REALM}"
183 cat >"${PREFIX}/tmpldbmodify" <<EOF
184 dn: cn=${TEST_USER},cn=users,${BASEDN}
185 changetype: modify
186 add: servicePrincipalName
187 servicePrincipalName: host/${TEST_USER}
188 replace: userPrincipalName
189 userPrincipalName: ${TEST_UPN}
190 EOF
191
192 testit "modify servicePrincipalName and userPrincpalName" \
193 "${VALGRIND}" "${ldbmodify}" -H "ldap://${SERVER}" "${PREFIX}/tmpldbmodify" \
194 --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
195 failed=$((failed + 1))
196
197 testit "set user password with kerberos ccache" \
198 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" \
199 --newpassword="${USERPASS}" "${CONFIGURATION}" \
200 --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
201 failed=$((failed + 1))
202
203 testit "enable user with kerberos cache" \
204 "${VALGRIND}" "${PYTHON}" "${samba_enableaccount}" "${TEST_USER}" \
205 -H "ldap://$SERVER" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
206 failed=$((failed + 1))
207
208 testit "kinit with new user password" \
209 kerberos_kinit "${samba_kinit}" "${TEST_USER}" "${USERPASS}" || \
210 failed=$((failed + 1))
211
212 test_smbclient "Test login with new user kerberos ccache" \
213 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
214 failed=$((failed + 1))
215
216 rm -f "${KRB5CCNAME_PATH}"
217
218 ###########################################################
219 ### Test kinit fter changing password with samba-tool
220 ###########################################################
221
222 NEW_USERPASS="testPaSS@34%"
223 testit "change user password with 'samba-tool user password' (rpc)" \
224 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user password \
225 -W"${DOMAIN}" -U"${TEST_USER}%${USERPASS}" "${CONFIGURATION}" \
226 --newpassword="${NEW_USERPASS}" \
227 --use-kerberos=off "$@" || \
228 failed=$((failed + 1))
229
230 testit "kinit with user password (after rpc password change)" \
231 kerberos_kinit "${samba_kinit}" \
232 "${TEST_USER}@${REALM}" "${NEW_USERPASS}" || \
233 failed=$((failed + 1))
234
235 test_smbclient "Test login with user kerberos (after rpc password change)" \
236 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
237 failed=$((failed + 1))
238
239 USERPASS="${NEW_USERPASS}"
240
241 rm -f "${KRB5CCNAME_PATH}"
242
243 ###########################################################
244 ### Test kinit with UPN
245 ###########################################################
246
247 testit "kinit with new (NT-Principal style) using UPN" \
248 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" || \
249 failed=$((failed + 1))
250
251 test_smbclient "Test login with user kerberos ccache from NT UPN" \
252 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
253 failed=$((failed + 1))
254
255 rm -f "${KRB5CCNAME_PATH}"
256
257 testit "kinit with new (enterprise style) using UPN" \
258 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
259 ${OPTION_ENTERPRISE_NAME} || \
260 failed=$((failed + 1))
261
262 test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
263 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
264 failed=$((failed + 1))
265
266 rm -f "${KRB5CCNAME_PATH}"
267
268 # HEIMDAL ONLY
269 if [ "${kbase}" = "samba4kinit" ]; then
270 testit "kinit with new (windows style) using UPN" \
271 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
272 ${OPTION_WINDOWS} || \
273 failed=$((failed + 1))
274
275 test_smbclient "Test login with user kerberos ccache with (windows style) UPN" \
276 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
277 failed=$((failed + 1))
278
279 rm -f "${KRB5CCNAME_PATH}"
280 fi # HEIMDAL ONLY
281
282 ###########################################################
283 ### Tests with SPN
284 ###########################################################
285
286 DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
287 testit "kinit with password (SPN)" \
288 kerberos_kinit "${samba_kinit}" \
289 "http/testupnspn.${DNSDOMAIN}" "${PASSWORD}" || \
290 failed=$((failed + 1))
291
292 test_smbclient "Test login with kerberos ccache (SPN)" \
293 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
294 failed=$((failed + 1))
295
296 rm -f "${KRB5CCNAME_PATH}"
297
298 ###########################################################
299 ### Test kinit with canonicalization
300 ###########################################################
301
302 upperusername=$(echo "${USERNAME}" | tr '[:lower:]' '[:upper:]')
303 testit "kinit with canonicalize and service" \
304 kerberos_kinit "${samba_kinit}" "${upperusername}@${REALM}" "${PASSWORD}" \
305 ${OPTION_CANONICALIZATION} \
306 ${OPTION_SERVICE} "kadmin/changepw@${REALM}" || \
307 failed=$((failed + 1))
308
309 rm -f "${KRB5CCNAME_PATH}"
310
311 ###########################################################
312 ### Test kinit with user credentials and changed realm
313 ###########################################################
314
315 testit "kinit with password (default)" \
316 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
317 failed=$((failed + 1))
318
319 cat >"${PREFIX}/tmpldbmodify" <<EOF
320 dn: cn=${TEST_USER},cn=users,$BASEDN
321 changetype: modify
322 replace: userPrincipalName
323 userPrincipalName: ${TEST_UPN}.org
324 EOF
325
326 testit "modify userPrincipalName to be a different domain" \
327 "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
328 "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
329 --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
330 failed=$((failed + 1))
331
332 testit "kinit with new (enterprise style) using UPN" \
333 kerberos_kinit "${samba_kinit}" "${TEST_UPN}.org" "${USERPASS}" \
334 ${OPTION_ENTERPRISE_NAME} || failed=$((failed + 1))
335
336 test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
337 "ls" "${UNC}" \
338 --use-krb5-ccache="${KRB5CCNAME}" || \
339 failed=$((failed + 1))
340
341 rm -f "${KRB5CCNAME_PATH}"
342
343 ###########################################################
344 ### Test password change with kpasswd
345 ###########################################################
346
347 testit "kinit with user password" \
348 kerberos_kinit "${samba_kinit}" "${TEST_USER}@$REALM" "${USERPASS}" || \
349 failed=$((failed + 1))
350
351 test_smbclient "Test login with user kerberos ccache" \
352 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
353 failed=$((failed + 1))
354
355 NEWUSERPASS=testPaSS@56%
356
357 if [ "${kbase}" = "samba4kinit" ]; then
358 # HEIMDAL
359 cat >"${PREFIX}/tmpkpasswdscript" <<EOF
360 expect Password
361 password ${USERPASS}\n
362 expect New password
363 send ${NEWUSERPASS}\n
364 expect Verify password
365 send ${NEWUSERPASS}\n
366 expect Success
367 EOF
368
369 else
370 # MIT
371 cat >"${PREFIX}/tmpkpasswdscript" <<EOF
372 expect Password for
373 password ${USERPASS}\n
374 expect Enter new password
375 send ${NEWUSERPASS}\n
376 expect Enter it again
377 send ${NEWUSERPASS}\n
378 expect Password changed
379 EOF
380 fi
381
382 testit "change user password with kpasswd" \
383 "${samba_texpect}" "${PREFIX}/tmpkpasswdscript" \
384 "${samba_kpasswd}" "${TEST_USER}@$REALM" || \
385 failed=$((failed + 1))
386
387 rm -f "${KRB5CCNAME_PATH}"
388
389 USERPASS="${NEWUSERPASS}"
390
391 testit "kinit with user password (after kpasswd)" \
392 kerberos_kinit "${samba_kinit}" \
393 "${TEST_USER}@${REALM}" "${USERPASS}" || \
394 failed=$((failed + 1))
395
396 test_smbclient "Test login with user kerberos ccache (after kpasswd)" \
397 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
398 failed=$((failed + 1))
399
400 rm -f "${KRB5CCNAME_PATH}"
401
402 ###########################################################
403 ### TODO Test set password with kpasswd
404 ###########################################################
405
406 # This is not implemented in kpasswd
407
408 ###########################################################
409 ### Test password expiry
410 ###########################################################
411
412 cat >"${PREFIX}/tmpldbmodify" <<EOF
413 dn: cn=${TEST_USER},cn=users,${BASEDN}
414 changetype: modify
415 replace: pwdLastSet
416 pwdLastSet: 0
417 EOF
418
419 NEWUSERPASS=testPaSS@78%
420
421 testit "modify pwdLastSet" \
422 "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
423 "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
424 --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
425 failed=$((failed + 1))
426
427 if [ "${kbase}" = "samba4kinit" ]; then
428 # HEIMDAL branch
429 cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
430 expect ${TEST_USER}@$REALM's Password
431 send ${USERPASS}\n
432 expect Password has expired
433 expect New password
434 send ${NEWUSERPASS}\n
435 expect Repeat new password
436 send ${NEWUSERPASS}\n
437 EOF
438 else
439 # MIT branch
440 cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
441 expect Password for
442 send ${USERPASS}\n
443 expect Password expired. You must change it now.
444 expect Enter new password
445 send ${NEWUSERPASS}\n
446 expect Enter it again
447 send ${NEWUSERPASS}\n
448 EOF
449
450 fi # END MIT ONLY
451
452 testit "kinit with user password for expired password" \
453 "${samba_texpect}" "$PREFIX/tmpkinituserpassscript" \
454 "${samba_kinit}" "${TEST_USER}@$REALM" || \
455 failed=$((failed + 1))
456
457 test_smbclient "Test login with user kerberos ccache" \
458 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
459 failed=$((failed + 1))
460
461 USERPASS="${NEWUSERPASS}"
462
463 testit "kinit with user password" \
464 kerberos_kinit "${samba_kinit}" \
465 "${TEST_USER}@${REALM}" "${USERPASS}" || \
466 failed=$((failed + 1))
467
468 test_smbclient "Test login with user kerberos ccache" \
469 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
470 failed=$((failed + 1))
471
472 ###########################################################
473 ### Test login with lowercase realm
474 ###########################################################
475
476 KRB5CCNAME_PATH="$PREFIX/tmpccache"
477 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
478 export KRB5CCNAME
479
480 rm -rf "${KRB5CCNAME_PATH}"
481
482 testit "kinit with user password" \
483 kerberos_kinit "${samba_kinit}" "${TEST_USER}@${REALM}" "${USERPASS}" || \
484 failed=$((failed + 1))
485
486 lowerrealm=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
487 test_smbclient "Test login with user kerberos lowercase realm" \
488 "ls" "${UNC}" --use-kerberos=required \
489 -U"${TEST_USER}@${lowerrealm}%${NEWUSERPASS}" || \
490 failed=$((failed + 1))
491
492 test_smbclient "Test login with user kerberos lowercase realm 2" \
493 "ls" "${UNC}" --use-kerberos=required \
494 -U"${TEST_USER}@${REALM}%${NEWUSERPASS}" --realm="${lowerrealm}" || \
495 failed=$((failed + 1))
496
497 testit "del user with kerberos ccache" \
498 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete \
499 "${TEST_USER}" "${CONFIGURATION}" \
500 --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
501 failed=$((failed + 1))
502
503 ###########################################################
504 ### Test login with machine account
505 ###########################################################
506
507 rm -f "${KRB5CCNAME_PATH}"
508
509 testit "kinit with machineaccountccache script" \
510 "${PYTHON}" "${machineaccountccache}" "${CONFIGURATION}" \
511 "${KRB5CCNAME}" || \
512 failed=$((failed + 1))
513
514 test_smbclient "Test machine account login with kerberos ccache" \
515 "ls" "${UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
516 failed=$((failed + 1))
517
518 testit "reset password policies" \
519 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
520 "${ADMIN_LDBMODIFY_CONFIG}" \
521 --complexity=default \
522 --history-length=default \
523 --min-pwd-length=default \
524 --min-pwd-age=default \
525 --max-pwd-age=default || \
526 failed=$((failed + 1))
527
528 ###########################################################
529 ### Test basic s4u2self request
530 ###########################################################
531
532 # MIT ONLY
533 if [ "${kbase}" = "kinit" ]; then
534
535 # Use previous acquired machine creds to request a ticket for self.
536 # We expect it to fail for now.
537 MACHINE_ACCOUNT="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${REALM}"
538
539 ${samba_kvno} -U"${MACHINE_ACCOUNT}" "${MACHINE_ACCOUNT}"
540
541 # But we expect the KDC to be up and running still
542 testit "kinit with machineaccountccache after s4u2self" \
543 "${machineaccountccache}" "${CONFIGURATION}" "${KRB5CCNAME}" || \
544 failed=$((failed + 1))
545
546 fi # END MIT ONLY
547
548 ### Cleanup
549
550 rm -f "${KRB5CCNAME_PATH}"
551 rm -f "${PREFIX}/tmpkinituserpassscript"
552 rm -f "${PREFIX}/tmpkinitscript"
553 rm -f "${PREFIX}/tmpkpasswdscript"
554
555 exit $failed
Samba GIT mirror