2 # Blackbox tests for kinit and kerberos integration with smbclient etc
4 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
5 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
6 # Copyright (C) 2022 Andreas Schneider <asn@samba.org>
10 Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
# Binaries under test are taken from the build tree.  BINDIR and PYTHON are
# expected to be set by the caller (the selftest harness); samba-tool is run
# through that interpreter rather than whatever "python" is on PATH.
samba_bindir="${BINDIR}"

samba_tool="${PYTHON} ${samba_bindir}/samba-tool"
wbinfo="${samba_bindir}/wbinfo"
# Helpers are sourced relative to this script, not from PATH.  The subunit
# reporters (testit, testit_expect_failure, ...) and the shared Kerberos /
# smbclient helpers used below (kerberos_kinit, test_smbclient,
# system_or_builddir_binary) are presumably defined in these two files.
. "$(dirname "$0")"/subunit.sh
. "$(dirname "$0")"/common_test_fns.inc
# Resolve the kinit to use via the helper: by its name, presumably a system
# kinit (MIT or Heimdal) or the in-tree samba4kinit from BINDIR.  Which one is
# picked decides the option spelling selected further down, so it matters.
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
# Use a private FILE: credential cache inside the test prefix, so the tickets
# obtained below never land in the invoking user's real ccache.  Start from a
# clean slate: a ccache left behind by an earlier run would let a "renew"
# test pass without the kinit that is supposed to precede it having worked.
# NOTE(review): kinit only honours this if KRB5CCNAME is exported; the export
# is not part of this excerpt - confirm it follows.  PREFIX is assumed to be
# a per-run, non-shared directory, which is why a fixed file name is
# acceptable here (it would not be under a world-writable /tmp).
KRB5CCNAME_PATH="$PREFIX/tmpccache"
rm -f "${KRB5CCNAME_PATH}"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
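# Lower-cased user principal.  It is used only to locate the PKINIT
# certificate and private-key files under ${PREFIX}/pkinit, which are named
# after it, so it must match the case the files were generated with.
# printf '%s' instead of echo: echo's treatment of backslash sequences (and
# of a leading "-") differs between /bin/sh implementations, which would
# silently yield a wrong file name for such user names.
USER_PRINCIPAL_NAME="$(printf '%s' "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"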
# Only the basename matters: samba4kinit (Heimdal) and MIT kinit spell the
# PKINIT, renewable, renew and enterprise-name options differently, and the
# switch right below selects the matching set.
kbase="$(basename "${samba_kinit}")"
45 if [ "${kbase}" = "samba4kinit" ]; then
# Heimdal (samba4kinit) option spelling.
# The client identity is a certificate plus its private key read from plain
# PEM files in the test prefix - a stand-in for a smart card.  Nothing in this
# script protects those files; the test tree is assumed to be private.
X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
OPTION_RENEWABLE="--renewable"
OPTION_RENEW_TICKET="--renew"
OPTION_ENTERPRISE_NAME="--enterprise"
# MIT kinit option spelling.
# NOTE(review): X509_USER_IDENTITY and OPTION_RENEWABLE each contain a space
# but are always passed below as ONE quoted word ("${X509_USER_IDENTITY}").
# That only works if the testit helper re-splits its command line on
# whitespace (presumably it does; not visible here).  Do not copy these
# variables into a direct kinit invocation outside testit - kinit would
# receive " X509_user_identity=..." as a single -X argument.
X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
OPTION_RENEWABLE="-r 1h"
OPTION_RENEW_TICKET="-R"
OPTION_ENTERPRISE_NAME="-E"
# Ask the KDC to include a PAC in every TGT obtained below, so the smbclient
# logons that reuse the ccache have authorization data to work with.
# NOTE(review): this is set outside the Heimdal/MIT switch above, i.e. the
# same long option is handed to whichever kinit was selected; whether MIT
# kinit accepts "--request-pac" is not established here - verify when running
# against a system MIT kinit, or move it into the two branches.
OPTION_REQUEST_PAC="--request-pac"
# STEP0: create the account with the UF_SMARTCARD_REQUIRED bit set.
# This means we have a normal enabled account *without* a known password:
# at this point the PKINIT certificate is the only credential that can log
# it on, which is what STEP1 verifies.
testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \
	"${samba_tool}" user create "${USERNAME}" --smartcard-required ||
	failed=$((failed + 1))
# STEP1: UF_SMARTCARD_REQUIRED set, no password on the account.
# Every password-based path must be refused: Kerberos AS-REQ with a password,
# NTLM over SMB, and wbinfo --authenticate.
# NOTE(review): the password travels on the command line here (visible in
# process listings).  Acceptable for a throw-away selftest credential; do not
# copy this pattern into anything handling real secrets.
testit_expect_failure "STEP1 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 Test wbinfo with password" \
	"${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" ||
	failed=$((failed + 1))

# The certificate, on the other hand, must get in.  Each positive case is a
# triple: PKINIT kinit for a renewable TGT, then a renewal (no principal is
# given, so it renews whatever the previous kinit left in the ccache - the
# order of these lines matters), then an SMB logon from that ccache.
testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# Certificate-to-principal binding: the user's certificate must not buy a
# TGT for any principal other than the one it was issued for - neither an
# unrelated user name nor a name built from ${SERVER}.  These negative cases
# are only exercised in STEP1, not repeated in STEP2-4.
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${SERVER}@${REALM}" ||
	failed=$((failed + 1))

# Same triple with the name given as an enterprise (UPN-style) principal.
testit "STEP1 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# And the same binding check for the enterprise form.
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"not${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${SERVER}@${REALM}" ||
	failed=$((failed + 1))

# Finally no principal at all: kinit has to derive it from the certificate
# itself (presumably its UPN subjectAltName), in enterprise form.
testit "STEP1 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP1 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP2: we still have UF_SMARTCARD_REQUIRED, but now with a known password.
testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \
	"${samba_tool}" user setpassword "${USERNAME}" \
	--newpassword="${PASSWORD}" ||
	failed=$((failed + 1))

# What the flag is asserted to block with a password present: the Kerberos
# password AS-REQ and wbinfo --authenticate.  The NTLM logon over SMB with
# that very password is expected to SUCCEED (test_smbclient, not
# testit_expect_failure) - UF_SMARTCARD_REQUIRED does not shut the NTLM path
# here, which is worth knowing before relying on the flag as a hardening
# control.
testit_expect_failure "STEP2 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with NTLM" \
	'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP2 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# PKINIT keeps working regardless of the password: the same three
# kinit / renew / ccache-logon triples as in STEP1 (no negative cases here).
# Note the trailing space in the first test name; it is part of the subunit
# test id, so leave it alone.
testit "STEP2 kinit with pkinit (name specified) " \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP2 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP2 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP2 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP3: the account is a normal account without the UF_SMARTCARD_REQUIRED
# bit set (the password is set again in the same call).
testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \
	"${samba_tool}" user setpassword "${USERNAME}" \
	--newpassword="${PASSWORD}" --clear-smartcard-required ||
	failed=$((failed + 1))

# With the flag cleared every path is expected to work: password kinit (and
# an SMB logon from the resulting ccache), NTLM, wbinfo.
testit "STEP3 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with user kerberos ccache" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with NTLM" \
	'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit "STEP3 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# PKINIT is not tied to the flag: the certificate still logs the account on.
# Each kinit below overwrites the password-obtained TGT in the ccache, and
# each renew acts on whatever the preceding kinit left there.
# (Trailing space in the first test name is part of the subunit test id.)
testit "STEP3 kinit with pkinit (name specified) " \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP3 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP3 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP3 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP4: now we set the UF_SMARTCARD_REQUIRED bit on the existing account.
# This means we have a normal enabled account *without* a known password:
# no --newpassword is given, so the password set in STEP3 is expected to stop
# working (the assertions below are the STEP1 ones, minus the wrong-name
# negative cases).
testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \
	"${samba_tool}" user setpassword "${USERNAME}" --smartcard-required ||
	failed=$((failed + 1))

# The old password must be dead on every path, not just for Kerberos.
testit_expect_failure "STEP4 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP4 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP4 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

# The certificate still logs on; kinit / renew / ccache-logon triples as
# before (renew has no principal and acts on the ccache, so keep the order).
testit "STEP4 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \
	'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "STEP4 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# This last triple leaves a valid, renewable TGT for the account in the
# ccache - that is the state STEP5 starts from.
testit "STEP4 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
testit "STEP4 kinit renew ticket (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
	failed=$((failed + 1))
test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \
	'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))
# STEP5: disable the account.  Every way of obtaining NEW credentials must
# now fail - password, NTLM, wbinfo, and all three PKINIT name forms.  The
# certificate is still perfectly valid; it is the account state that has to
# stop it.
testit "STEP5 samba-tool user disable $USERNAME" \
	"${samba_tool}" user disable "${USERNAME}" ||
	failed=$((failed + 1))

testit_expect_failure "STEP5 kinit with password" \
	kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
	"${OPTION_REQUEST_PAC}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 Test login with NTLM" \
	"${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 Test wbinfo with password" \
	"${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
	failed=$((failed + 1))

testit_expect_failure "STEP5 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))
testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))
# NOTE(review): only fresh AS-REQs are checked here.  The ccache still holds
# the renewable TGT obtained at the end of STEP4 and this step never tries to
# renew it or to log on with it, so it does not show whether disabling the
# account also cuts off an already-issued ticket at TGS time.  If that
# guarantee is intended, a testit_expect_failure on OPTION_RENEW_TICKET and
# on test_smbclient --use-krb5-ccache at this point would pin it down.
# STEP6: tear down.  Delete the account and drop the ccache (it may still
# hold a usable TGT from STEP4) so nothing from this run outlives it.
# Cleanup is reached even when tests failed, because failures only bump
# ${failed} instead of aborting the script.
testit "STEP6 samba-tool user delete ${USERNAME}" \
	"${samba_tool}" user delete "${USERNAME}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"