testprogs/blackbox/test_kpasswd_heimdal.sh

   1 #!/bin/sh
   2 # Blackbox tests for chainging passwords with kinit and kpasswd
   3 #
   4 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
   5 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
   6 # Copyright (C) 2016      Andreas Schneider <asn@samba.org>
   7
   8 if [ $# -lt 7 ]; then
   9         cat <<EOF
  10 Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
  11 EOF
  12         exit 1
  13 fi
  14
  15 SERVER=$1
  16 USERNAME=$2
  17 PASSWORD=$3
  18 REALM=$4
  19 DOMAIN=$5
  20 PREFIX=$6
  21 CONFIGURATION=${7}
  22 shift 7
  23 failed=0
  24
  25 samba_bindir="$BINDIR"
  26
  27 smbclient="$samba_bindir/smbclient"
  28 samba_kinit=$samba_bindir/samba4kinit
  29 samba_kpasswd=$samba_bindir/samba4kpasswd
  30
  31 mit_kpasswd="$(command -v kpasswd)"
  32
  33 samba_tool="$samba_bindir/samba-tool"
  34 net_tool="$samba_bindir/net ${CONFIGURATION}"
  35 texpect="$samba_bindir/texpect"
  36
  37 newuser="$samba_tool user create"
  38 SMB_UNC="//$SERVER/tmp"
  39
  40 . $(dirname $0)/subunit.sh
  41 . $(dirname $0)/common_test_fns.inc
  42
  43 do_kinit()
  44 {
  45         principal="$1"
  46         password="$2"
  47         shift
  48         shift
  49         kerberos_kinit "$samba_kinit" "$principal" "$password" "$@"
  50 }
  51
  52 testit "reset password policies beside of minimum password age of 0 days" \
  53         $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
  54
  55 TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
  56 TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
  57 TEST_PASSWORD="testPaSS@00%"
  58 TEST_PASSWORD_NEW="testPaSS@01%"
  59 TEST_PASSWORD_SHORT="secret"
  60 TEST_PASSWORD_WEAK="Supersecret"
  61
  62 testit "create user locally" \
  63         $VALGRIND $PYTHON $newuser "${CONFIGURATION}" $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1)
  64
  65 KRB5CCNAME="$PREFIX/tmpuserccache"
  66 export KRB5CCNAME
  67
  68 testit "kinit with user password" \
  69         do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
  70
  71 test_smbclient "Test login with user kerberos ccache" \
  72         "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1)
  73
  74 testit "change user password with 'samba-tool user password' (unforced)" \
  75         $VALGRIND $PYTHON $samba_tool user password "${CONFIGURATION}" -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1)
  76
  77 TEST_PASSWORD_OLD=$TEST_PASSWORD
  78 TEST_PASSWORD=$TEST_PASSWORD_NEW
  79 TEST_PASSWORD_NEW="testPaSS@02%"
  80
  81 testit "kinit with user password" \
  82         do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
  83
  84 test_smbclient "Test login with user kerberos ccache" \
  85         "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1)
  86
  87 ###########################################################
  88 ### check that a short password is rejected
  89 ###########################################################
  90
  91 cat >$PREFIX/tmpkpasswdscript <<EOF
  92 expect Password
  93 password ${TEST_PASSWORD}\n
  94 expect New password
  95 send ${TEST_PASSWORD_SHORT}\n
  96 expect Verify password
  97 send ${TEST_PASSWORD_SHORT}\n
  98 expect Password too short
  99 EOF
 100
 101 testit "kpasswd check short user password" \
 102         $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
 103
 104 ###########################################################
 105 ### check that a weak password is rejected
 106 ###########################################################
 107
 108 echo "check that a short password is rejected"
 109 cat >$PREFIX/tmpkpasswdscript <<EOF
 110 expect Password
 111 password ${TEST_PASSWORD}\n
 112 expect New password
 113 send $TEST_PASSWORD_WEAK\n
 114 expect Verify password
 115 send $TEST_PASSWORD_WEAK\n
 116 expect Password does not meet complexity requirements
 117 EOF
 118
 119 testit "kpasswd check weak user password" \
 120         $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
 121
 122 ###########################################################
 123 ### check that a strong password is accepted
 124 ###########################################################
 125
 126 cat >$PREFIX/tmpkpasswdscript <<EOF
 127 expect Password
 128 password ${TEST_PASSWORD}\n
 129 expect New password
 130 send ${TEST_PASSWORD_NEW}\n
 131 expect Verify password
 132 send ${TEST_PASSWORD_NEW}\n
 133 expect Success
 134 EOF
 135
 136 testit "kpasswd change user password" \
 137         $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
 138
 139 TEST_PASSWORD=$TEST_PASSWORD_NEW
 140 TEST_PASSWORD_NEW="testPaSS@03%"
 141
 142 ###########################################################
 143 ### CVE-2022-2031
 144 ###########################################################
 145
 146 if [ -n "${mit_kpasswd}" ]; then
 147         cat > "${PREFIX}/tmpkpasswdscript" <<EOF
 148 expect Password for ${TEST_PRINCIPAL}
 149 password ${TEST_PASSWORD}\n
 150 expect Enter new password
 151 send ${TEST_PASSWORD_NEW}\n
 152 expect Enter it again
 153 send ${TEST_PASSWORD_NEW}\n
 154 expect Password changed.
 155 EOF
 156
 157         SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
 158         KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
 159         export KRB5_CONFIG
 160         sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
 161                 "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
 162         testit "MIT kpasswd change user password" \
 163                 "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
 164                 "${TEST_PRINCIPAL}" ||
 165                 failed=$((failed + 1))
 166         KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
 167         export KRB5_CONFIG
 168 fi
 169
 170 TEST_PASSWORD="${TEST_PASSWORD_NEW}"
 171 TEST_PASSWORD_NEW="testPaSS@03force%"
 172
 173 ###########################################################
 174 ### Force password change at login
 175 ###########################################################
 176
 177 testit "set password on user locally" \
 178         $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME "${CONFIGURATION}" --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1)
 179
 180 TEST_PASSWORD=$TEST_PASSWORD_NEW
 181 TEST_PASSWORD_NEW="testPaSS@04%"
 182
 183 rm -f $PREFIX/tmpuserccache
 184
 185 cat >$PREFIX/tmpkinitscript <<EOF
 186 expect Password
 187 password ${TEST_PASSWORD}\n
 188 expect Changing password
 189 expect New password
 190 send ${TEST_PASSWORD_NEW}\n
 191 expect Repeat new password
 192 send ${TEST_PASSWORD_NEW}\n
 193 expect Success
 194 EOF
 195
 196 testit "kinit and change user password" \
 197         $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1)
 198
 199 TEST_PASSWORD=$TEST_PASSWORD_NEW
 200 TEST_PASSWORD_NEW="testPaSS@07%"
 201
 202 test_smbclient "Test login with user (kerberos)" \
 203         "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
 204
 205 ###########################################################
 206 ### Test kpasswd service via 'net ads password'
 207 ###########################################################
 208
 209 # NOTE: This works with heimdal because the krb5_set_password function tries
 210 # set_password call first and falls back to change_password if it doesn't
 211 # succeed.
 212 testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
 213         $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
 214
 215 TEST_PASSWORD=$TEST_PASSWORD_NEW
 216 TEST_PASSWORD_NEW="testPaSS@08%"
 217
 218 test_smbclient "Test login with smbclient (ntlm)" \
 219         "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
 220
 221 ###########################################################
 222 ### Test kpasswd service via 'net ads password' as admin
 223 ###########################################################
 224
 225 testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
 226         $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
 227
 228 TEST_PASSWORD=$TEST_PASSWORD_NEW
 229 TEST_PASSWORD_NEW="testPaSS@07%"
 230
 231 test_smbclient "Test login with smbclient (ntlm)" \
 232         "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
 233
 234 ###########################################################
 235 ### Cleanup
 236 ###########################################################
 237
 238 testit "reset password policies" \
 239         $VALGRIND $PYTHON $samba_tool domain passwordsettings set "${CONFIGURATION}" --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
 240
 241 testit "delete user" \
 242         $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" "${CONFIGURATION}" -k no || failed=$(expr $failed + 1)
 243
 244 rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript
 245 exit $failed