#!/bin/sh
# Blackbox tests for kinit and kerberos integration with smbclient etc

# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
# Copyright (C) 2022 Andreas Schneider <asn@samba.org>
# Refuse to run unless all seven positional arguments are present; the
# usage line goes to stdout and the script exits with status 1.
if [ "$#" -lt 7 ]; then
	printf '%s\n' "Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT"
	exit 1
fi
# Positional arguments, in the order given by the usage line.
SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
PREFIX=$6
smbclient=$7
shift 7

# Count of test steps that did not produce the expected result;
# it is used as the script's exit status at the end.
failed=0
# Build-tree locations come from the selftest environment (BINDIR, PYTHON).
samba_bindir="${BINDIR}"

# Deliberately two words (interpreter + script). Below it is passed to
# testit as a single quoted argument, so this only works if testit
# word-splits its command line again before executing it — presumably
# subunit.sh does; confirm before reusing the variable outside testit.
samba_tool="${PYTHON} ${samba_bindir}/samba-tool"
wbinfo="${samba_bindir}/wbinfo"

# Test helpers used below: testit/testit_expect_failure come from
# subunit.sh; kerberos_kinit, test_smbclient and system_or_builddir_binary
# presumably from common_test_fns.inc (neither file is shown here).
. "$(dirname "$0")"/subunit.sh
. "$(dirname "$0")"/common_test_fns.inc

# Resolve the kinit binary to use (by name: a system kinit or the build
# directory's samba4kinit); its basename decides the option syntax below.
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
# Share path used by every smbclient login check.
unc="//${SERVER}/tmp"

# Private credential cache under PREFIX so the tests never touch the
# invoking user's cache; start from a clean file and export it for kinit
# and smbclient. The cache is removed again at the end of the script.
KRB5CCNAME_PATH="${PREFIX}/tmpccache"
rm -f "${KRB5CCNAME_PATH}"
export KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"

# Lower-cased principal name; it selects the test user's PKINIT
# certificate and private key under ${PREFIX}/pkinit.
USER_PRINCIPAL_NAME=$(printf '%s' "${USERNAME}@${REALM}" | tr '[:upper:]' '[:lower:]')

# Basename of the resolved kinit, used to tell Heimdal from MIT.
kbase=$(basename "${samba_kinit}")
# Choose the option spelling for the kinit flavour resolved above:
# Heimdal's samba4kinit takes long options, MIT kinit takes short ones.
# The PKINIT identity names the test user's certificate and private key
# generated under ${PREFIX}/pkinit for the lower-cased principal.
#
# NOTE(review): the MIT values contain a space ("-r 1h",
# "-X X509_user_identity=...") yet are handed to the test helpers as one
# quoted word. That only works if the helper (testit, from subunit.sh)
# word-splits its command line again — presumably it does; confirm before
# passing these variables to kinit directly.
case "${kbase}" in
samba4kinit)
	# HEIMDAL
	X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="--renewable"
	OPTION_RENEW_TICKET="--renew"
	OPTION_ENTERPRISE_NAME="--enterprise"
	;;
*)
	# MIT
	X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="-r 1h"
	OPTION_RENEW_TICKET="-R"
	OPTION_ENTERPRISE_NAME="-E"
	;;
esac

# Same spelling for both flavours; by its name, asks for a PAC in the ticket.
OPTION_REQUEST_PAC="--request-pac"
# STEP0:
# Now we set the UF_SMARTCARD_REQUIRED bit
# This means we have a normal enabled account *without* a known password
#
# Every step below has the same shape: a helper (testit or
# testit_expect_failure, from subunit.sh) runs the command and reports it
# as a subunit test; whenever the helper returns non-zero, ${failed} is
# incremented and later becomes the script's exit status.
testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \
	"${samba_tool}" user create "${USERNAME}" --smartcard-required ||
	failed=$((failed + 1))
# STEP1 (UF_SMARTCARD_REQUIRED set, no known password): every
# password-based path is expected to be refused — Kerberos with a
# password, NTLM through smbclient, and winbind's --authenticate.
# NOTE(review): PASSWORD travels in argv here (readable by other local
# users via ps); acceptable inside the selftest sandbox only.
testit_expect_failure "STEP1 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 Test wbinfo with password" \
	"${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" ||
	failed=$((failed + 1))
# PKINIT with the principal named explicitly: obtain a renewable TGT with
# the certificate, renew it, then log in over SMB using the resulting
# ccache (KRB5CCNAME was exported above, so kinit and smbclient share it).
testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# Negative cases: the same certificate must not yield a ticket for a
# principal it was not issued for — a different user name and the
# server's own name.
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${SERVER}@${REALM}" ||
	failed=$((failed + 1))
# The same checks using the enterprise-name option: first with the
# principal given on the command line, then with two wrong names that
# must be rejected, and finally with no principal argument at all so
# kinit has to take the name from the certificate.
testit "STEP1 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"not${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${SERVER}@${REALM}" ||
	failed=$((failed + 1))

# No principal on the command line: the name comes from the certificate.
testit "STEP1 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP2:
# We still have UF_SMARTCARD_REQUIRED, but with a known password
#
# Giving the account a password must not re-open the Kerberos-with-
# password or winbind paths while the smartcard bit is set. Note the
# contrast with STEP1: the NTLM login through smbclient is now expected to
# succeed (test_smbclient rather than testit_expect_failure).
testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \
	"${samba_tool}" user setpassword "${USERNAME}" \
	--newpassword="${PASSWORD}" ||
	failed=$((failed + 1))

testit_expect_failure "STEP2 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with NTLM" \
	'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP2 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# PKINIT must keep working exactly as in STEP1 (named principal,
# enterprise name, name taken from the certificate), each followed by a
# renewal and an SMB login with the resulting ccache.
# NOTE: the trailing space in the next test name is part of the subunit
# test id; presumably matched verbatim by expected-failure lists, so
# confirm before tidying it.
testit "STEP2 kinit with pkinit (name specified) " \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP2 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP2 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP3:
# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
#
# With the bit cleared every path is expected to succeed: password-based
# Kerberos (plus an SMB login with that ccache), NTLM, winbind, and all
# three PKINIT variants with renewal and an SMB login each.
testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \
	"${samba_tool}" user setpassword "${USERNAME}" \
	--newpassword="${PASSWORD}" --clear-smartcard-required ||
	failed=$((failed + 1))

testit "STEP3 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with user kerberos ccache" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with NTLM" \
	'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit "STEP3 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# NOTE: the trailing space in the next test name is part of the subunit
# test id; presumably matched verbatim by expected-failure lists, so
# confirm before tidying it.
testit "STEP3 kinit with pkinit (name specified) " \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP3 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP3 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP4:
# Now we set the UF_SMARTCARD_REQUIRED bit
# This means we have a normal enabled account *without* a known password
#
# Re-applying the bit via setpassword must put the account back into the
# STEP1 state: password, NTLM and winbind are refused, PKINIT (all three
# variants, each with renewal and an SMB login) keeps working.
testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \
	"${samba_tool}" user setpassword "${USERNAME}" --smartcard-required ||
	failed=$((failed + 1))

testit_expect_failure "STEP4 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP4 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP4 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

testit "STEP4 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP4 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP4 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP5:
# disable the account
#
# A disabled account must be refused on every path, including PKINIT with
# a valid certificate (the smartcard bit is still set from STEP4). No
# renewal or ccache-login checks here: no ticket is expected to exist.
testit "STEP5 samba-tool user disable $USERNAME" \
	"${samba_tool}" user disable "${USERNAME}" ||
	failed=$((failed + 1))

testit_expect_failure "STEP5 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

testit_expect_failure "STEP5 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
# STEP6:
# cleanup
#
# Remove the test user and the private ccache, then exit with the number
# of steps that failed (0 means all steps behaved as expected).
# NOTE(review): cleanup is sequential, not trap-based — if the script is
# interrupted earlier, the user created in STEP0 and the ccache under
# PREFIX are left behind for the harness to clean up.
testit "STEP6 samba-tool user delete ${USERNAME}" \
	"${samba_tool}" user delete "${USERNAME}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"
exit ${failed}