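#!/bin/sh
# Blackbox tests for kinit and trust validation
# Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
# Copyright (c) Andreas Schneider <asn@samba.org>
#
# Exercises Kerberos authentication across a domain/forest trust in both
# directions:
#   - incoming: a user of TRUST_REALM gets a TGT from its own KDC and uses
#     it against SERVER.REALM (plain, enterprise, UPN, renewable, and a
#     short-lived cross-realm TGT for CVE-2022-2031)
#   - outgoing: a user of REALM authenticates to TRUST_SERVER.TRUST_REALM,
#     before and after the outgoing trust secret is rotated
#
# Every check is reported through the subunit helpers (testit,
# testit_expect_failure, test_smbclient, kerberos_kinit) sourced below.
# The script deliberately never aborts early: it counts failures and
# returns the total as its exit status, so do not add "set -e" here.
#
# NOTE(security): user passwords are handed to kinit/smbclient on the
# command line (-U user%pass), which is visible to every local user via
# ps(1).  That is acceptable only inside the throw-away selftest
# environment this script is written for.

if [ $# -lt 13 ]; then
	# 13 positional arguments are consumed below (5 + 5 + 3); anything
	# after them is forwarded verbatim to samba-tool via "$@".
	cat <<EOF
Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE CONFIGURATION
EOF
	exit 1
fi

# Our own (trusting) domain.
SERVER=${1}
USERNAME=${2}
PASSWORD=${3}
REALM=${4}
DOMAIN=${5}
shift 5
# The trusted domain on the other side of the trust.
TRUST_SERVER=${1}
TRUST_USERNAME=${2}
TRUST_PASSWORD=${3}
TRUST_REALM=${4}
TRUST_DOMAIN=${5}
shift 5
# PREFIX: scratch directory for the credential cache.
# TYPE:   "forest" enables the forest-only UPN test.
# CONFIGURATION: the --configfile=... argument for samba-tool.
PREFIX=${1}
TYPE=${2}
CONFIGURATION="${3}"
shift 3

failed=0

. "$(dirname "${0}")/subunit.sh"
. "$(dirname "${0}")/common_test_fns.inc"

samba_bindir="$BINDIR"
# system_or_builddir_binary (common_test_fns.inc) resolves the kinit we
# run; when it hands back samba4kinit we are on the in-tree Heimdal build.
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)

samba_tool="${samba_bindir}/samba-tool"
smbclient="${samba_bindir}/smbclient"
wbinfo="${samba_bindir}/wbinfo"
ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")

# Share on our own DC; switched to the trusted DC for the outgoing tests.
SMBCLIENT_UNC="//$SERVER.$REALM/tmp"

# Heimdal and MIT kinit spell the same options differently; select the
# dialect matching the binary we ended up with.  Empty values mean "no
# such option on this implementation".
kbase="$(basename "${samba_kinit}")"
if [ "${kbase}" = "samba4kinit" ]; then
	# HEIMDAL
	OPTION_LIFETIME_2M="--lifetime=2m"
	OPTION_RENEWABLE="--renewable"
	OPTION_RENEW_TICKET="--renew"
	OPTION_ENTERPRISE_NAME="--enterprise"
	OPTION_CANONICALIZATION=""
	OPTION_WINDOWS="--windows"
	OPTION_SERVICE="-S"
else
	# MIT
	OPTION_LIFETIME_2M="-l 2m"
	OPTION_RENEWABLE="-r 1h"
	OPTION_RENEW_TICKET="-R"
	OPTION_ENTERPRISE_NAME="-E"
	OPTION_CANONICALIZATION="-C"
	OPTION_WINDOWS=""
	OPTION_SERVICE="-S"
fi

# Use a private credential cache so the tests never read from, or leave
# tickets in, the caller's default ccache.  It is wiped between test
# groups so each group starts without any cached TGT, and again on exit
# so a killed run does not leave the trust user's TGT behind in PREFIX.
KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
rm -f "${KRB5CCNAME_PATH}"
trap 'rm -f "${KRB5CCNAME_PATH}"' EXIT

###########################################################
### Test incoming trust direction
###########################################################

# A user from the trusted realm authenticates with a password, then the
# resulting ccache must be good enough to reach a share on our DC.
testit "kinit with password" \
	kerberos_kinit "${samba_kinit}" \
	"$TRUST_USERNAME@$TRUST_REALM" "${TRUST_PASSWORD}" ||
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"

###########################################################
### Test with 2min lifetime
###########################################################

# CVE-2022-2031 - test for short-lived ticket across an incoming trust
#
# We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT
# over an incoming trust.  The cross-realm TGT (krbtgt/REALM@TRUST_REALM)
# is requested directly with a 2 minute lifetime.
#
# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
if [ "${kbase}" = "samba4kinit" ]; then
	# HEIMDAL ONLY - MIT kinit is not exercised for this case.
	testit "kinit with password (lifetime 2min)" \
		kerberos_kinit "${samba_kinit}" \
		"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \
		"${OPTION_SERVICE}" "krbtgt/${REALM}@${TRUST_REALM}" \
		"${OPTION_LIFETIME_2M}" ||
		failed=$((failed + 1))

	test_smbclient "Test login with kerberos ccache (lifetime 2min)" \
		"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
		failed=$((failed + 1))
fi

rm -f "${KRB5CCNAME_PATH}"

###########################################################
### Test with smbclient4 to check gensec_gssapi works
###########################################################

testit "kinit with password (smbclient4)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" ||
	failed=$((failed + 1))

# test_smbclient runs whatever $smbclient points at; temporarily swap in
# the samba4 client so the gensec_gssapi code path is the one under test.
# (Previously this passed the undefined "$unc" as the share, i.e. an
# empty UNC, so the test did not connect to the intended share.)
smbclient="${samba_bindir}/smbclient4"
test_smbclient "Test login with user kerberos ccache (smbclient4)" \
	'ls' "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" -d10 ||
	failed=$((failed + 1))
smbclient="${samba_bindir}/smbclient"

rm -f "${KRB5CCNAME_PATH}"

###########################################################
### Test incoming trust direction (enterprise)
###########################################################

# Same user, but requested as an enterprise principal (NT-ENTERPRISE).
testit "kinit with password (enterprise)" \
	kerberos_kinit "${samba_kinit}" \
	"$TRUST_USERNAME@$TRUST_REALM" "${TRUST_PASSWORD}" \
	"${OPTION_ENTERPRISE_NAME}" ||
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"

if [ "${TYPE}" = "forest" ]; then
	# Forest trusts only: log in with a UPN whose suffix
	# (TRUST_REALM.upn) differs from the Kerberos realm, so the KDC
	# has to route the enterprise name across the trust.
	testit "kinit with password (enterprise UPN)" \
		kerberos_kinit "${samba_kinit}" \
		"testdenied_upn@${TRUST_REALM}.upn" "${TRUST_PASSWORD}" \
		"${OPTION_ENTERPRISE_NAME}" ||
		failed=$((failed + 1))

	test_smbclient "Test login with user kerberos ccache (enterprise UPN)" \
		"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
		failed=$((failed + 1))

	rm -f "${KRB5CCNAME_PATH}"
fi

# Renewable enterprise TGT: login must work before and after a renewal,
# and samba-tool must be able to use the renewed cache as well.
testit "kinit with password (enterprise)" \
	kerberos_kinit "${samba_kinit}" \
	"${TRUST_USERNAME}@${TRUST_REALM}" "${TRUST_PASSWORD}" \
	"${OPTION_ENTERPRISE_NAME}" "${OPTION_RENEWABLE}" ||
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# OPTION_RENEW_TICKET is intentionally unquoted: it is a single flag on
# both implementations and must not become an empty argument.
testit "kinit renew ticket (enterprise)" \
	"${samba_kinit}" ${OPTION_RENEW_TICKET} ||
	failed=$((failed + 1))

test_smbclient "Test login with kerberos ccache (enterprise)" \
	"ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

testit "check time with kerberos ccache" \
	"${VALGRIND}" "${samba_tool}" time "${SERVER}.${REALM}" \
	"${CONFIGURATION}" --use-krb5-ccache="${KRB5CCNAME}" "$@" ||
	failed=$((failed + 1))

rm -f "${KRB5CCNAME_PATH}"

###########################################################
### Test with password authentication
###########################################################

# Kerberos is required (no NTLM fallback), and the realm is given in
# lower case both inside the user name and via --realm: realm handling
# must be case-insensitive on the client side.
lowerrealm="$(echo "${TRUST_REALM}" | tr '[:upper:]' '[:lower:]')"
test_smbclient "Test login with user kerberos lowercase realm" \
	"ls" "${SMBCLIENT_UNC}" \
	-U"${TRUST_USERNAME}@${lowerrealm}%${TRUST_PASSWORD}" \
	--use-kerberos=required ||
	failed=$((failed + 1))

test_smbclient "Test login with user kerberos lowercase realm 2" \
	"ls" "${SMBCLIENT_UNC}" \
	-U"${TRUST_USERNAME}@${TRUST_REALM}%${TRUST_PASSWORD}" \
	--realm="${lowerrealm}" \
	--use-kerberos=required ||
	failed=$((failed + 1))

###########################################################
### Test outgoing trust direction
###########################################################

# From here on the target is the trusted DC and the client is our user.
SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"

test_smbclient "Test user login with the first outgoing secret" \
	"ls" "${SMBCLIENT_UNC}" \
	--use-kerberos=required \
	-U"${USERNAME}@${REALM}%${PASSWORD}" ||
	failed=$((failed + 1))

# The trust account (TRUST_DOMAIN$) must NOT be manageable like an
# ordinary user: setting its password via samba-tool is expected to be
# rejected.  Rotation has to go through the trust machinery below.
testit_expect_failure "setpassword should not work" \
	"${VALGRIND}" "${samba_tool}" user setpassword "${TRUST_DOMAIN}\$" \
	--random-password "${CONFIGURATION}" ||
	failed=$((failed + 1))

testit "wbinfo ping dc" \
	"${VALGRIND}" "${wbinfo}" \
	--ping-dc --domain="${TRUST_DOMAIN}" ||
	failed=$((failed + 1))

# Rotate the outgoing trust secret, verify the new secret is accepted by
# the trusted DC, then confirm user authentication still works with it.
testit "wbinfo change outgoing trust pw" \
	"${VALGRIND}" "${wbinfo}" \
	--change-secret --domain="${TRUST_DOMAIN}" ||
	failed=$((failed + 1))

testit "wbinfo check outgoing trust pw" \
	"${VALGRIND}" "${wbinfo}" \
	--check-secret --domain="${TRUST_DOMAIN}" ||
	failed=$((failed + 1))

test_smbclient "Test user login with the changed outgoing secret" \
	"ls" "${SMBCLIENT_UNC}" \
	--use-kerberos=required \
	-U"${USERNAME}@${REALM}%${PASSWORD}" ||
	failed=$((failed + 1))

### Cleanup

rm -f "${KRB5CCNAME_PATH}"

exit $failed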