1 #!/bin/sh
3 # Blackbox tests for an exported keytab with kinit
5 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
6 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
7 # Copyright (C) Andreas Schneider <asn@cryptomilk.org>
# Seven positional arguments are mandatory. Anything after them is left in
# "$@" and handed through to the samba-tool invocations further down.
[ $# -ge 7 ] || {
	cat <<EOF
Usage: test_kinit_export_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
EOF
	exit 1
}
# Positional parameters, in the order given by the usage text.
SERVER="$1"
USERNAME="$2"
REALM="$3"
DOMAIN="$4"
PREFIX="$5"
# Not referenced again in this script; presumably read by test_smbclient
# from the sourced helpers -- confirm.
smbclient="$6"
CONFIGURATION="${7}"
shift 7

# Number of failed steps; used as the exit status at the end.
failed=0

# Helper libraries living next to this script. testit, test_smbclient,
# system_or_builddir_binary and the subunit_* functions are not defined
# here, so they presumably come from these two files.
. "$(dirname "${0}")/subunit.sh"
. "$(dirname "${0}")/common_test_fns.inc"

# Tools under test, all taken from BINDIR.
samba_bindir="${BINDIR}"
samba_tool="${samba_bindir}/samba-tool"
# Deliberately "binary + subcommand" in one string; it is passed to testit
# as a single argument.
samba_newuser="${samba_tool} user create"
samba_ktutil="${samba_bindir}/samba4ktutil"

samba_kinit=$(system_or_builddir_binary kinit "${samba_bindir}" samba4kinit)

# Lower-cased realm doubles as the DNS domain.
DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
SERVER_FQDN="${SERVER}.${DNSDOMAIN}"
SMBCLIENT_UNC="//${SERVER}/tmp"

# mktemp -u only produces a random name here: nothing is created on disk
# and the value is used as an account name, not as a path.
TEST_USER="$(mktemp -u keytabtest-XXXXXX)"
# Fixed throwaway password for the test account. It is passed on the
# samba-tool command line below, so it is visible in the process list
# while those commands run.
TEST_PASSWORD=testPaSS@01%

# Expected number of keytab entries per principal. The second value is used
# for the export made without --only-current-keys after the password was
# set twice (presumably current plus previous keys).
EXPECTED_NKEYS=3
EXPECTED_NKEYS_WITH_OLD=6
# Pick kinit options and the keytab line filter according to which kinit
# was found: the in-tree Heimdal binary (samba4kinit) or a system MIT one.
#
# NOTE(review): both KEYTAB_GREP values are bracket expressions, so grep
# matches any line that contains one of the listed characters, not one of
# the enctype names. The count in test_keytab therefore does not check
# which enctypes the keytab holds. An alternation such as
# grep -E 'aes|arcfour' looks like the intent -- confirm against the
# samba4ktutil output before changing it.
kbase="$(basename "${samba_kinit}")"
if [ "${kbase}" = "samba4kinit" ]; then
	# HEIMDAL
	OPTION_RENEWABLE="--renewable"
	OPTION_RENEW_TICKET="--renew"
	OPTION_ENTERPRISE_NAME="--enterprise"
	OPTION_CANONICALIZATION=""
	OPTION_WINDOWS="--windows"
	OPTION_SERVICE="-S"
	OPTION_USE_KEYTAB="-k"
	OPTION_KEYTAB_FILENAME="-t"

	KEYTAB_GREP="[aes|arcfour]"
else
	# MIT
	OPTION_RENEWABLE="-r 1h"
	OPTION_RENEW_TICKET="-R"
	OPTION_ENTERPRISE_NAME="-E"
	OPTION_CANONICALIZATION="-C"
	OPTION_WINDOWS=""
	OPTION_SERVICE="-S"
	OPTION_USE_KEYTAB="-k"
	OPTION_KEYTAB_FILENAME="-t"

	KEYTAB_GREP="[DES|AES|ArcFour]"

	# The version is the fourth space-separated word of the
	# krb5-config --version output.
	krb5_version="$(krb5-config --version | cut -d ' ' -f 4)"
	krb5_major_version="$(echo "${krb5_version}" | awk -F. '{ print $1; }')"
	krb5_minor_version="$(echo "${krb5_version}" | awk -F. '{ print $2; }')"

	# MIT Kerberos < 1.18 has support for DES keys, so two more
	# entries per principal are expected.
	if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then
		EXPECTED_NKEYS=5
	fi
fi
# test_keytab TESTNAME KEYTAB PRINCIPAL EXPECTED_NKEYS
#
# Lists KEYTAB with samba4ktutil and counts the output lines that match
# PRINCIPAL (used as a case-insensitive grep pattern) and KEYTAB_GREP.
# The result is reported through the subunit_* helpers.
#
# Globals:  VALGRIND, samba_ktutil, KEYTAB_GREP (read);
#           testname, keytab, principal, expected_nkeys, output, status,
#           NKEYS (written -- plain sh, so nothing here is local)
# Returns:  0 if the count equals EXPECTED_NKEYS,
#           1 if the keytab is unreadable or the count differs,
#           the ktutil exit status if listing the keytab fails.
test_keytab()
{
	testname="$1"
	keytab="$2"
	principal="$3"
	expected_nkeys="$4"

	subunit_start_test "$testname"

	[ -r "${keytab}" ] || {
		echo "Could not read keytab: ${keytab}" |
			subunit_fail_test "${testname}"
		return 1
	}

	# $VALGRIND stays unquoted so that an empty value expands to nothing.
	output=$($VALGRIND "${samba_ktutil}" "${keytab}" 2>&1)
	status=$?
	if [ "${status}" -ne 0 ]; then
		# Hand the tool's own output to subunit as the failure detail.
		echo "${output}" | subunit_fail_test "${testname}"
		return "${status}"
	fi

	# grep -c counts lines, so this is the number of listing lines for
	# the principal that also pass the KEYTAB_GREP filter.
	NKEYS=$(echo "${output}" | grep -i "${principal}" |
		grep -c -e "${KEYTAB_GREP}")
	if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then
		echo "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" |
			subunit_fail_test "${testname}"
		return 1
	fi

	subunit_pass_test "${testname}"
	return 0
}
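# Create the test account and set its password a second time, so that the
# account has been through one password change before the exports below.
testit "create local user ${TEST_USER}" \
	"${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "First${TEST_PASSWORD}Pwd" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

testit "reset local user pw ${TEST_USER}" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" --newpassword="${TEST_PASSWORD}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

# Export without --principal. The resulting file is later used to kinit as
# both the test user and USERNAME, so it holds long-term keys for several
# accounts; it is deleted in the cleanup step at the end of the script.
testit "dump keytab from domain" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-all" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

# "\\\$" reaches grep as \$, i.e. a literal dollar sign after the server
# name (the machine account).
test_keytab "read keytab from domain" \
	"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

# Exporting into the existing file again must not change the key count.
testit "dump keytab from domain (2nd time)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	--keep-stale-entries \
	"${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain (2nd time)" \
	"${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

# Single service principal, exported twice into the same file.
testit "dump keytab from domain for cifs service principal" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for cifs service principal" \
	"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for cifs service principal (2nd time)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"$PREFIX/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for cifs service principal (2nd time)" \
	"${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

# User principal, current keys only.
testit "dump keytab from domain for user principal" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \
	--only-current-keys \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for user principal" \
	"${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))

# Same principal without --only-current-keys: the larger count is expected.
testit "dump keytab from domain for user principal (all keys)" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-user-princ-all-keys" --principal="${TEST_USER}@${REALM}" \
	"${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

test_keytab "read keytab from domain for user principal (all keys)" \
	"${PREFIX}/tmpkeytab-user-princ-all-keys" "${TEST_USER}@${REALM}" \
	"${EXPECTED_NKEYS_WITH_OLD}" || \
	failed=$((failed + 1))

testit "dump keytab from domain for user principal with SPN as UPN" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \
	"${PREFIX}/tmpkeytab-spn-upn" \
	--principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \
	failed=$((failed + 1))

# This check used to be the only one whose failure was not added to
# "failed", so a wrong key count here left the exit status at 0.
test_keytab "read keytab from domain for user principal with SPN as UPN" \
	"${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \
	"${EXPECTED_NKEYS}" || \
	failed=$((failed + 1))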
# Each kinit round gets its own file-based credential cache under PREFIX.
# KRB5CCNAME_PATH is the plain path (for rm), KRB5CCNAME the FILE: form
# exported to the Kerberos tools.

# --- test user, via the whole-domain keytab and the single-principal one
KRB5CCNAME_PATH="${PREFIX}/tmpuserccache"
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with keytab as user" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
	"${TEST_USER}@${REALM}" ||
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "kinit with keytab as user (one princ)" \
	"${VALGRIND}" "$samba_kinit" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \
	"${TEST_USER}@$REALM" ||
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache (one princ)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"

# --- USERNAME, whose key is also taken from the whole-domain keytab
KRB5CCNAME_PATH="${PREFIX}/tmpadminccache"
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with keytab as ${USERNAME}" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \
	"${USERNAME}@${REALM}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"

# --- the SPN-as-UPN principal; this cache is still in place when the
# cleanup step that follows runs
KRB5CCNAME_PATH="${PREFIX}/tmpserverccache"
KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
export KRB5CCNAME

testit "kinit with SPN from keytab" \
	"${VALGRIND}" "${samba_kinit}" \
	"${OPTION_USE_KEYTAB}" \
	"${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \
	"http/testupnspn.${DNSDOMAIN}" ||
	failed=$((failed + 1))
# cleanup
#
# Remove the test account, then every credential cache and exported keytab
# written under PREFIX. The keytabs hold exported long-term keys, so they
# should not outlive the test. This script sets no trap, so these files stay
# behind if the run is interrupted before this point.
testit "delete user ${TEST_USER}" \
	"${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \
	--use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" ||
	failed=$((failed + 1))

# The cache of the last kinit round.
rm -f "${KRB5CCNAME_PATH}"

# -f keeps this quiet for names that were already removed or never created.
for leftover in \
	tmpadminccache \
	tmpuserccache \
	tmpkeytab \
	tmpkeytab-user-princ \
	tmpkeytab-user-princ-all-keys \
	tmpkeytab-server \
	tmpkeytab-spn-upn \
	tmpkeytab-all; do
	rm -f "${PREFIX}/${leftover}"
done

# Exit status is the number of failed steps.
exit "${failed}"