3 # Blackbox tests for an exported keytab with kinit
5 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
6 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
7 # Copyright (C) Andreas Schneider <asn@cryptomilk.org>
11 Usage: test_kinit_export_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
26 .
"$(dirname "${0}")/subunit.sh"
27 .
"$(dirname "${0}")/common_test_fns.inc"
29 samba_bindir
="${BINDIR}"
30 samba_tool
="$samba_bindir/samba-tool"
31 samba_newuser
="$samba_tool user create"
32 samba_ktutil
="${BINDIR}/samba4ktutil"
34 samba_kinit
=$
(system_or_builddir_binary kinit
"${BINDIR}" samba4kinit
)
36 DNSDOMAIN
=$
(echo "${REALM}" |
tr '[:upper:]' '[:lower:]')
37 SERVER_FQDN
="${SERVER}.$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')"
38 SMBCLIENT_UNC
="//${SERVER}/tmp"
40 TEST_USER
="$(mktemp -u keytabtest-XXXXXX)"
41 TEST_PASSWORD
=testPaSS@
01%
44 EXPECTED_NKEYS_WITH_OLD
=6
47 kbase
="$(basename "${samba_kinit}")"
48 if [ "${kbase}" != "samba4kinit" ]; then
49 krb5_version
="$(krb5-config --version | cut -d ' ' -f 4)"
50 krb5_major_version
="$(echo "${krb5_version}" | awk -F. '{ print $1; }')"
51 krb5_minor_version
="$(echo "${krb5_version}" | awk -F. '{ print $2; }')"
53 # MIT Kerberos < 1.18 has support for DES keys
54 if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then
59 if [ "${kbase}" = "samba4kinit" ]; then
61 OPTION_RENEWABLE
="--renewable"
62 OPTION_RENEW_TICKET
="--renew"
63 OPTION_ENTERPRISE_NAME
="--enterprise"
64 OPTION_CANONICALIZATION
=""
65 OPTION_WINDOWS
="--windows"
67 OPTION_USE_KEYTAB
="-k"
68 OPTION_KEYTAB_FILENAME
="-t"
70 KEYTAB_GREP
="[aes|arcfour]"
73 OPTION_RENEWABLE
="-r 1h"
74 OPTION_RENEW_TICKET
="-R"
75 OPTION_ENTERPRISE_NAME
="-E"
76 OPTION_CANONICALIZATION
="-C"
79 OPTION_USE_KEYTAB
="-k"
80 OPTION_KEYTAB_FILENAME
="-t"
82 KEYTAB_GREP
="[DES|AES|ArcFour]"
92 subunit_start_test
"$testname"
94 if [ ! -r "${keytab}" ]; then
95 echo "Could not read keytab: ${keytab}" | \
96 subunit_fail_test
"${testname}"
100 output
=$
($VALGRIND "${samba_ktutil}" "${keytab}" 2>&1)
102 if [ ${status} -ne 0 ]; then
103 echo "${output}" | subunit_fail_test
"${testname}"
107 NKEYS
=$
(echo "${output}" |
grep -i "${principal}" | \
108 grep -c -e "${KEYTAB_GREP}")
109 if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then
110 echo "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" | \
111 subunit_fail_test
"${testname}"
115 subunit_pass_test
"${testname}"
119 testit
"create local user ${TEST_USER}" \
120 "${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "First${TEST_PASSWORD}Pwd" \
121 "${CONFIGURATION}" "$@" || \
122 failed
=$
((failed
+ 1))
124 testit
"reset local user pw ${TEST_USER}" \
125 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" --newpassword="${TEST_PASSWORD}" \
126 "${CONFIGURATION}" "$@" || \
127 failed
=$
((failed
+ 1))
129 testit
"dump keytab from domain" \
130 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
131 "${PREFIX}/tmpkeytab-all" \
132 "${CONFIGURATION}" "$@" || \
133 failed
=$
((failed
+ 1))
135 test_keytab
"read keytab from domain" \
136 "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
137 failed
=$
((failed
+ 1))
139 testit
"dump keytab from domain (2nd time)" \
140 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
141 --keep-stale-entries \
142 "${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
143 failed
=$
((failed
+ 1))
145 test_keytab
"read keytab from domain (2nd time)" \
146 "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
147 failed
=$
((failed
+ 1))
149 testit
"dump keytab from domain for cifs service principal" \
150 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
151 "${PREFIX}/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
152 "${CONFIGURATION}" "$@" || \
153 failed
=$
((failed
+ 1))
155 test_keytab
"read keytab from domain for cifs service principal" \
156 "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
157 "${EXPECTED_NKEYS}" || \
158 failed
=$
((failed
+ 1))
160 testit
"dump keytab from domain for cifs service principal (2nd time)" \
161 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
162 "$PREFIX/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
163 "${CONFIGURATION}" "$@" || \
164 failed
=$
((failed
+ 1))
166 test_keytab
"read keytab from domain for cifs service principal (2nd time)" \
167 "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
168 "${EXPECTED_NKEYS}" || \
169 failed
=$
((failed
+ 1))
171 testit
"dump keytab from domain for user principal" \
172 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
173 "${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \
174 --only-current-keys \
175 "${CONFIGURATION}" "$@" || \
176 failed
=$
((failed
+ 1))
178 test_keytab
"read keytab from domain for user principal" \
179 "${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \
180 "${EXPECTED_NKEYS}" || \
181 failed
=$
((failed
+ 1))
183 testit
"dump keytab from domain for user principal (all keys)" \
184 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
185 "${PREFIX}/tmpkeytab-user-princ-all-keys" --principal="${TEST_USER}@${REALM}" \
186 "${CONFIGURATION}" "$@" || \
187 failed
=$
((failed
+ 1))
189 test_keytab
"read keytab from domain for user principal (all keys)" \
190 "${PREFIX}/tmpkeytab-user-princ-all-keys" "${TEST_USER}@${REALM}" \
191 "${EXPECTED_NKEYS_WITH_OLD}" || \
192 failed
=$
((failed
+ 1))
194 testit
"dump keytab from domain for user principal with SPN as UPN" \
195 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
196 "${PREFIX}/tmpkeytab-spn-upn" \
197 --principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \
198 failed
=$
((failed
+ 1))
200 test_keytab
"read keytab from domain for user principal with SPN as UPN" \
201 "${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \
204 KRB5CCNAME_PATH
="${PREFIX}/tmpuserccache"
205 KRB5CCNAME
="FILE:${PREFIX}/tmpuserccache"
208 testit
"kinit with keytab as user" \
209 "${VALGRIND}" "${samba_kinit}" \
210 "${OPTION_USE_KEYTAB}" \
211 "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
212 "${TEST_USER}@${REALM}" || \
213 failed
=$
((failed
+ 1))
215 test_smbclient
"Test login with user kerberos ccache" \
216 "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
217 failed
=$
((failed
+ 1))
219 testit
"kinit with keytab as user (one princ)" \
220 "${VALGRIND}" "$samba_kinit" \
221 "${OPTION_USE_KEYTAB}" \
222 "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \
223 "${TEST_USER}@$REALM" || \
224 failed
=$
((failed
+ 1))
226 test_smbclient
"Test login with user kerberos ccache (one princ)" \
227 "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \
228 failed
=$
((failed
+ 1))
230 rm -f "${KRB5CCNAME_PATH}"
232 KRB5CCNAME_PATH
="${PREFIX}/tmpadminccache"
233 KRB5CCNAME
="FILE:${PREFIX}/tmpadminccache"
236 testit
"kinit with keytab as ${USERNAME}" \
237 "${VALGRIND}" "${samba_kinit}" \
238 "${OPTION_USE_KEYTAB}" \
239 "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
240 "${USERNAME}@${REALM}" || \
241 failed
=$
((failed
+ 1))
243 rm -f "${KRB5CCNAME_PATH}"
245 KRB5CCNAME_PATH
="${PREFIX}/tmpserverccache"
246 KRB5CCNAME
="FILE:${PREFIX}/tmpserverccache"
249 testit
"kinit with SPN from keytab" \
250 "${VALGRIND}" "${samba_kinit}" \
251 "${OPTION_USE_KEYTAB}" \
252 "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \
253 "http/testupnspn.${DNSDOMAIN}" || \
254 failed
=$
((failed
+ 1))
257 testit
"delete user ${TEST_USER}" \
258 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \
259 --use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" || \
260 failed
=$
((failed
+ 1))
262 rm -f "${KRB5CCNAME_PATH}"
263 rm -f "${PREFIX}/tmpadminccache" \
264 "${PREFIX}/tmpuserccache" \
265 "${PREFIX}/tmpkeytab" \
266 "${PREFIX}/tmpkeytab-user-princ" \
267 "${PREFIX}/tmpkeytab-user-princ-all-keys" \
268 "${PREFIX}/tmpkeytab-server" \
269 "${PREFIX}/tmpkeytab-spn-upn" \
270 "${PREFIX}/tmpkeytab-all"