2 # Blackbox tests for pkinit and pac verification
4 # Copyright (C) 2006-2008 Stefan Metzmacher
5 # Copyright (C) 2022 Andreas Schneider
9 Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
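# Locate the build tree and the helper binaries used by the test steps.
samba_bindir="$BINDIR"

# Binary plus its --basedir option, kept together in one string.
samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR"

# Shared test helpers that live next to this script.
. "$(dirname "$0")/subunit.sh"
. "$(dirname "$0")/common_test_fns.inc"

# system_or_builddir_binary is not defined in this file; presumably it comes
# from the helpers sourced above and resolves to either a system kinit or the
# in-tree samba4kinit - confirm in common_test_fns.inc.
samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)

# Dedicated file-based Kerberos credential cache for this test. Any leftover
# cache file is deleted first, so the run starts without pre-existing tickets.
KRB5CCNAME_PATH="$PREFIX/tmpccache"
rm -f -- "${KRB5CCNAME_PATH}"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
# NOTE(review): kinit only writes to this cache if KRB5CCNAME is in its
# environment; no `export KRB5CCNAME` is visible in this listing - confirm
# that the upstream file exports it.

# Lower-cased user@realm; the PKINIT certificate and key file names are
# built from it. printf is used so the value is passed through verbatim.
USER_PRINCIPAL_NAME="$(printf '%s\n' "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"

# File name of the selected kinit, used to pick the option syntax.
kbase="$(basename "${samba_kinit}")"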
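# Pick the kinit option spelling by kinit flavour. samba4kinit is Samba's
# in-tree Heimdal kinit and takes --pk-user / --renewable; any other kinit
# gets the MIT-style -X X509_user_identity= / -r forms. Both branches point at
# the same per-user certificate and private-key PEM files under
# ${PREFIX}/pkinit; the files are only referenced by path here.
# NOTE(review): the `else` and `fi` keywords are not visible in this listing.
# They are restored from the two parallel assignment pairs - confirm against
# the upstream file, including that OPTION_REQUEST_PAC sits after the `fi`.
if [ "${kbase}" = "samba4kinit" ]; then
	X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="--renewable"
else
	X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
	OPTION_RENEWABLE="-r 1h"
fi

# Ask for a PAC in the ticket obtained through PKINIT.
OPTION_REQUEST_PAC="--request-pac"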
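# STEP1a: obtain a renewable TGT with a PAC using the user's X.509
# certificate (PKINIT) instead of the password.
# NOTE(review): "${OPTION_RENEWABLE}" can be "-r 1h" and
# "${samba_smbtorture}" below holds a binary plus an option, yet both are
# passed as single quoted words. This only works if testit re-splits its
# arguments - confirm in subunit.sh before changing the quoting.
testit "STEP1 kinit with pkinit (name specified)" \
	"${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
	"${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
	failed=$((failed + 1))

# STEP1b: run smbtorture's rpc.pac test against the server, handing it the
# credential cache named by KRB5CCNAME via torture:pkinit_ccache.
# -U"user%password" puts the password on smbtorture's command line, where it
# is visible in the local process list while the test runs; presumably the
# selftest accounts are throwaway - confirm before reusing this invocation
# outside the test environment.
testit "STEP1 remote.pac verification" \
	"${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \
	--workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \
	--option=torture:pkinit_ccache="${KRB5CCNAME}" ||
	failed=$((failed + 1))

# Delete the credential cache file so the tickets do not outlive the test.
rm -f -- "${KRB5CCNAME_PATH}"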