2 # Blackbox tests for kinit and trust validation
3 # Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
4 # Copyright (c) Andreas Schneider <asn@samba.org>
8 Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE CONFIGURATION
# Shared test plumbing living next to this script: subunit.sh (presumably
# the subunit reporters such as testit / testit_expect_failure) and
# common_test_fns.inc (presumably kerberos_kinit, test_smbclient and
# system_or_builddir_binary used below).  Neither file is visible here.
blackbox_dir="$(dirname "${0}")"
. "${blackbox_dir}/subunit.sh"
. "${blackbox_dir}/common_test_fns.inc"
# Tool locations.  BINDIR is taken from the environment (the selftest
# harness sets it); system_or_builddir_binary comes from the sourced
# helpers and is assumed to resolve a system binary with a build-dir
# fallback -- its contract is not visible here.
samba_bindir="${BINDIR}"
samba_tool="${samba_bindir}/samba-tool"
smbclient="${samba_bindir}/smbclient"
wbinfo="${samba_bindir}/wbinfo"
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")

# Share on our own DC used by the incoming-trust tests; the outgoing-trust
# section later re-points this at the trusted DC.
SMBCLIENT_UNC="//${SERVER}.${REALM}/tmp"

# Heimdal's samba4kinit and MIT kinit spell their options differently;
# the basename of the resolved kinit selects which option set is used.
kbase="$(basename "${samba_kinit}")"
48 if [ "${kbase}" = "samba4kinit" ]; then
# Heimdal (samba4kinit) option spellings.
# NOTE(review): OPTION_SERVICE is passed to kinit in the 2-minute lifetime
# test further down, which only runs for samba4kinit, but it is not
# assigned in the lines visible here -- confirm it is set in this branch.
OPTION_ENTERPRISE_NAME="--enterprise"
OPTION_CANONICALIZATION=""
OPTION_WINDOWS="--windows"
OPTION_LIFETIME_2M="--lifetime=2m"
OPTION_RENEWABLE="--renewable"
OPTION_RENEW_TICKET="--renew"
# MIT kinit option spellings.  Note OPTION_RENEWABLE carries a space
# ("-r 1h"); whether it is split into two arguments depends on how the
# test helpers re-expand their command line, which is not visible here.
# NOTE(review): OPTION_WINDOWS is set in the Heimdal branch but not in the
# lines visible here -- confirm it is cleared/set for MIT as well, or it
# would inherit whatever the caller's environment holds.
OPTION_ENTERPRISE_NAME="-E"
OPTION_CANONICALIZATION="-C"
OPTION_LIFETIME_2M="-l 2m"
OPTION_RENEWABLE="-r 1h"
OPTION_RENEW_TICKET="-R"
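# Dedicated credential cache for this run, so the tests never read from or
# write into the caller's default ccache.  The path is fixed under PREFIX
# (the private test directory) and is wiped between sub-tests below.
KRB5CCNAME_PATH="${PREFIX}/test_kinit_trusts_ccache"
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
# kinit and smbclient are child processes and only see KRB5CCNAME if it is
# exported; a bare assignment is not enough.  Exporting here keeps this
# block self-contained (re-exporting is harmless if done elsewhere too).
export KRB5CCNAME

# Start from an empty cache.
rm -f "${KRB5CCNAME_PATH}"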
73 ###########################################################
74 ### Test incoming trust direction
75 ###########################################################
# Incoming trust: obtain a TGT as a user of the trusted realm with a plain
# principal name, then use that cache to open a share in our own realm.
testit "kinit with password" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" || \
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Discard the tickets so the next sub-test starts from an empty cache.
rm -f "${KRB5CCNAME_PATH}"
88 ###########################################################
89 ### Test with 2min lifetime
90 ###########################################################
92 # CVE-2022-2031 - test for short-lived ticket across an incoming trust
94 # We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT
95 # over an incoming trust.
97 # BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
98 if [ "${kbase}" = "samba4kinit" ]; then
# Ask the trusted realm's KDC for a cross-realm TGT for our realm with a
# deliberately short (2 minute) lifetime, then immediately spend it on a
# TGS-REQ against our KDC via smbclient.  The KDC must accept it; see the
# CVE-2022-2031 comment above.
# NOTE(review): OPTION_SERVICE is not assigned in the lines visible here;
# it has to come from the Heimdal option block for the service principal
# argument that follows it to be interpreted -- confirm.
testit "kinit with password (lifetime 2min)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \
	"${OPTION_SERVICE}" "krbtgt/${REALM}@${TRUST_REALM}" \
	"${OPTION_LIFETIME_2M}" || \
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache (lifetime 2min)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Empty the cache before the next sub-test.
rm -f "${KRB5CCNAME_PATH}"
114 ###########################################################
115 ### Test with smbclient4 to check gensec_gssapi works
116 ###########################################################
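# Same incoming-trust login, but through smbclient4 so the gensec_gssapi
# code path is exercised as well.  -d10 is there to make that path
# diagnosable in the captured output.
testit "kinit with password (smbclient4)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" || \
	failed=$((failed + 1))

# test_smbclient runs whatever $smbclient points at; swap in smbclient4
# for this one call and restore it afterwards.
smbclient="${samba_bindir}/smbclient4"
# Use SMBCLIENT_UNC explicitly.  The original passed "$unc", which is never
# assigned in this script; it only worked if the helper leaked that name
# into the global scope from an earlier call, which is not a contract to
# rely on.
test_smbclient "Test login with user kerberos ccache (smbclient4)" \
	'ls' "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" -d10 || \
	failed=$((failed + 1))
smbclient="${samba_bindir}/smbclient"

# Empty the cache before the next sub-test.
rm -f "${KRB5CCNAME_PATH}"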
131 ###########################################################
132 ### Test incoming trust direction (enterprise)
133 ###########################################################
# Incoming trust again, this time presenting the user as an enterprise
# principal (user@realm canonicalised by the KDC) rather than a plain one.
testit "kinit with password (enterprise)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \
	"${OPTION_ENTERPRISE_NAME}" || \
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Empty the cache before the next sub-test.
rm -f "${KRB5CCNAME_PATH}"
148 if [ "${TYPE}" = "forest" ]; then
# Forest trusts only: log in with an enterprise name whose UPN suffix
# (TRUST_REALM.upn) is not the realm itself, so the KDC has to resolve the
# UPN rather than a plain principal.  The testdenied_upn account and its
# suffix are presumably provisioned by the test environment -- not visible
# here.
testit "kinit with password (enterprise UPN)" \
	kerberos_kinit "${samba_kinit}" \
	"testdenied_upn@${TRUST_REALM}.upn" "${TRUST_PASSWORD}" \
	"${OPTION_ENTERPRISE_NAME}" || \
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache (enterprise UPN)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Empty the cache before the next sub-test.
rm -f "${KRB5CCNAME_PATH}"
# Enterprise login with a renewable TGT, then renew it in place and prove
# the renewed cache still works, both for smbclient and for samba-tool.
testit "kinit with password (enterprise)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \
	"${OPTION_ENTERPRISE_NAME}" "${OPTION_RENEWABLE}" || \
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# Renew whatever is in KRB5CCNAME: kinit is invoked directly with the
# renew flag and no principal.  OPTION_RENEW_TICKET is deliberately left
# unquoted, as in the original, presumably so an empty value disappears
# instead of becoming an empty argument.
testit "kinit renew ticket (enterprise)" \
	"${samba_kinit}" ${OPTION_RENEW_TICKET} || \
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
	failed=$((failed + 1))

# samba-tool against our DC with the renewed cache; "$@" forwards whatever
# positional arguments are left over from the (not visible) argument
# parsing at the top of the script.  VALGRIND is normally empty; the test
# helpers are assumed to tolerate that -- confirm.
testit "check time with kerberos ccache" \
	"${VALGRIND}" "${samba_tool}" time "${SERVER}.${REALM}" \
	"${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
	failed=$((failed + 1))

# Empty the cache before the password-based tests.
rm -f "${KRB5CCNAME_PATH}"
187 ###########################################################
188 ### Test with password authentication
189 ###########################################################
# Password-based Kerberos logins where the realm is given in lower case,
# once inside the -U principal and once via --realm.  Kerberos requires
# the realm to be upper-cased on the wire, so this checks the client
# normalises it.  Note the password travels on the command line here
# (visible in the process list); acceptable for a throwaway test account,
# not a pattern to copy.
lowerrealm="$(echo "${TRUST_REALM}" | tr '[:upper:]' '[:lower:]')"

test_smbclient "Test login with user kerberos lowercase realm" \
	"ls" "${SMBCLIENT_UNC}" \
	-U"${TRUST_USERNAME}@${lowerrealm}%${TRUST_PASSWORD}" \
	--use-kerberos=required || \
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos lowercase realm 2" \
	"ls" "${SMBCLIENT_UNC}" \
	-U"${TRUST_USERNAME}@${TRUST_REALM}%${TRUST_PASSWORD}" \
	--realm="${lowerrealm}" \
	--use-kerberos=required || \
	failed=$((failed + 1))
205 ###########################################################
206 ### Test outgoing trust direction
207 ###########################################################
# Outgoing trust: our own user authenticates to a share on the trusted
# DC, first with the current trust secret and again after rotating it.
SMBCLIENT_UNC="//${TRUST_SERVER}.${TRUST_REALM}/tmp"

test_smbclient "Test user login with the first outgoing secret" \
	"ls" "${SMBCLIENT_UNC}" \
	--use-kerberos=required \
	-U"${USERNAME}@${REALM}%${PASSWORD}" || \
	failed=$((failed + 1))

# The trust account (TRUST_DOMAIN$) must not be resettable through the
# ordinary user password path; the only sanctioned way to rotate its
# secret is the trust machinery exercised by wbinfo below.
testit_expect_failure "setpassword should not work" \
	"${VALGRIND}" "${samba_tool}" user setpassword "${TRUST_DOMAIN}\$" \
	--random-password "${CONFIGURATION}" || \
	failed=$((failed + 1))

testit "wbinfo ping dc" \
	"${VALGRIND}" "${wbinfo}" \
	--ping-dc --domain="${TRUST_DOMAIN}" || \
	failed=$((failed + 1))

# Rotate the outgoing trust password and verify both sides agree on it.
testit "wbinfo change outgoing trust pw" \
	"${VALGRIND}" "${wbinfo}" \
	--change-secret --domain="${TRUST_DOMAIN}" || \
	failed=$((failed + 1))

testit "wbinfo check outgoing trust pw" \
	"${VALGRIND}" "${wbinfo}" \
	--check-secret --domain="${TRUST_DOMAIN}" || \
	failed=$((failed + 1))

# A login that still works proves the rotated secret is in use end-to-end.
test_smbclient "Test user login with the changed outgoing secret" \
	"ls" "${SMBCLIENT_UNC}" \
	--use-kerberos=required \
	-U"${USERNAME}@${REALM}%${PASSWORD}" || \
	failed=$((failed + 1))

# Leave no credential cache behind.
rm -f "${KRB5CCNAME_PATH}"