VERSION: Disable GIT_SNAPSHOT for the Samba 4.17.0rc1 release.
[Samba.git] / testprogs / blackbox / test_kinit_trusts_mit.sh
blob35fcb6d1c53d328dd0e77e1063ca4f2f213127c3
#!/bin/sh
# Blackbox tests for kinit and trust validation
# Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
# Copyright (c) 2016 Andreas Schneider <asn@samba.org>
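# Positional arguments. Twelve are consumed below (5 + 5 + 2); anything left
# over stays in "$@" and is forwarded to the tools under test.
# The guard checks for all twelve: with fewer, the later `shift` calls would
# fail or the trust variables would silently be empty.
if [ $# -lt 12 ]; then
	cat <<EOF
Usage: test_kinit_trusts_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
EOF
	exit 1
fi

# Local side of the trust.
SERVER=$1
USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
shift 5

# Trusted (remote) side of the trust.
TRUST_SERVER=$1
TRUST_USERNAME=$2
TRUST_PASSWORD=$3
TRUST_REALM=$4
TRUST_DOMAIN=$5
shift 5

# PREFIX: scratch directory for the ccache and the expect script.
# TYPE:   compared against "forest" later to enable the enterprise-UPN case.
PREFIX=$1
TYPE=$2
shift 2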
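# Number of failed test cases; used as the script's exit status.
failed=0

# BINDIR and SRCDIR are read from the environment; this script never sets them.
samba_bindir="$BINDIR"
samba_srcdir="$SRCDIR/source4"

# Kerberos client tools are looked up via PATH rather than under $BINDIR.
samba_kinit=kinit
samba_kdestroy=kdestroy
samba_kpasswd=kpasswd

samba_tool="$samba_bindir/samba-tool"
samba_texpect="$samba_bindir/texpect"

# `smbclient` is a global read by test_smbclient(); it is re-pointed at
# smbclient4 and back again further down.
smbclient="$samba_bindir/smbclient"
wbinfo="$samba_bindir/wbinfo"
rpcclient="$samba_bindir/rpcclient"

# Share used by test_smbclient(); reassigned for the outgoing-trust tests.
SMBCLIENT_UNC="//$SERVER.$REALM/tmp"

# Pull in the subunit helpers that sit next to this script. Quoted so that a
# checkout path containing whitespace still resolves to a single file.
. "$(dirname "$0")/subunit.sh"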
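#######################################
# Run one smbclient command against $SMBCLIENT_UNC and report the result in
# the "test:/success:/failure:" line format.
# Globals:   VALGRIND, smbclient, CONFIGURATION, SMBCLIENT_UNC (read)
#            name, cmd, status (written; plain sh, so not local)
# Arguments: $1 - test name
#            $2 - command string handed to smbclient -c
#            $3... - extra smbclient options (authentication flags etc.)
# Outputs:   "test: NAME", smbclient's own output, then
#            "success: NAME" or "failure: NAME"
# Returns:   smbclient's exit status
#######################################
test_smbclient()
{
	name="$1"
	cmd="$2"
	shift
	shift
	echo "test: $name"
	# VALGRIND, smbclient and CONFIGURATION stay unquoted on purpose: they may
	# be empty or hold several words. "$@" is quoted so that an option value
	# containing whitespace or glob characters (a password in -U, for
	# instance) reaches smbclient as exactly one argument.
	$VALGRIND $smbclient $CONFIGURATION "$SMBCLIENT_UNC" -c "$cmd" "$@"
	status=$?
	if [ "$status" -eq 0 ]; then
		echo "success: $name"
	else
		echo "failure: $name"
	fi
	return $status
}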
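# Everything below writes under $PREFIX. Refuse to continue if it is empty,
# otherwise the rm -rf and the password file would land in the filesystem root.
: "${PREFIX:?PREFIX must name a scratch directory}"

# File-based credential cache shared by the kinit and smbclient calls below.
KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME
rm -rf -- "$KRB5CCNAME_PATH"

# Expect script for texpect that answers kinit's password prompt.
# The heredoc delimiter is unquoted, so ${TRUST_PASSWORD} is expanded now and
# the file holds the cleartext password; "\n" is written literally.
# The file is recreated under umask 077 so only the test user can read it; a
# stale copy is removed first because umask does not tighten an existing file.
rm -f -- "$PREFIX/tmpkinitscript"
(
	umask 077
	cat >"$PREFIX/tmpkinitscript" <<EOF
expect Password for
send ${TRUST_PASSWORD}\n
EOF
)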
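###########################################################
### Test incoming trust direction
###########################################################

# A user from the trusted realm obtains a TGT and uses it against the local
# server's share. Every failing case bumps $failed.
testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))
$samba_kdestroy

# Same check through the smbclient4 binary.
smbclient="$samba_bindir/smbclient4"

testit "kinit with password" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))
$samba_kdestroy

smbclient="$samba_bindir/smbclient"

# kinit -E requests the ticket with an enterprise principal name.
testit "kinit with password (enterprise)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

$samba_kdestroy

# The UPN-suffix case only runs when TYPE is "forest".
if test x"${TYPE}" = x"forest"; then
	testit "kinit with password (enterprise UPN)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "testdenied_upn@${TRUST_REALM}.upn" || failed=$((failed + 1))
	test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))
fi

$samba_kdestroy

testit "kinit with password (enterprise)" $samba_texpect "$PREFIX/tmpkinitscript" $samba_kinit -E "$TRUST_USERNAME@$TRUST_REALM" || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

# A failed renewal is counted like every other case; previously its result
# was dropped and could not affect the exit status.
testit "kinit renew ticket" $samba_kinit -R || failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache="$KRB5CCNAME" || failed=$((failed + 1))

testit "check time with kerberos ccache" $VALGRIND $samba_tool time "$SERVER.$REALM" $CONFIGURATION -k yes "$@" || failed=$((failed + 1))

$samba_kdestroy

# Password logins with the realm spelled in lower case.
# NOTE(review): -U user%password places the cleartext password on the
# command line, where other local users can read it from the process list;
# acceptable only because these are throwaway test-environment credentials.
lowerrealm=$(printf '%s\n' "$TRUST_REALM" | tr '[A-Z]' '[a-z]')
test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -U"$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD" || failed=$((failed + 1))
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -U"$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD" --realm="$lowerrealm" || failed=$((failed + 1))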
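###########################################################
### Test outgoing trust direction
###########################################################

# From here on test_smbclient() targets the trusted server's share, and a
# local-realm user authenticates across the trust.
# NOTE(review): -U user%password exposes the cleartext password in the
# process list; test-environment credentials only.
SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"
test_smbclient "Test user login with the first outgoing secret" 'ls' --use-kerberos=required -U"$USERNAME@$REALM%$PASSWORD" || failed=$((failed + 1))

# The trust account ("<TRUST_DOMAIN>$") must not accept a password reset via
# samba-tool; the case passes only when the command fails.
testit_expect_failure "setpassword should not work" $VALGRIND $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$((failed + 1))

# Change the outgoing trust secret through winbind, then verify it.
testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain="$TRUST_DOMAIN" || failed=$((failed + 1))
testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain="$TRUST_DOMAIN" || failed=$((failed + 1))
testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain="$TRUST_DOMAIN" || failed=$((failed + 1))

# User logins across the trust must still work after the secret was changed.
test_smbclient "Test user login with the changed outgoing secret" 'ls' --use-kerberos=required -U"$USERNAME@$REALM%$PASSWORD" || failed=$((failed + 1))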
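### Cleanup

# Destroy the tickets, then remove the ccache and the expect scripts, one of
# which holds the trust user's cleartext password. Paths are quoted so that a
# PREFIX containing whitespace or glob characters cannot make rm touch other
# files.
# NOTE(review): this only runs when the script reaches its end; an
# interrupted run leaves the password file behind in $PREFIX.
$samba_kdestroy

rm -f -- "$KRB5CCNAME_PATH"
rm -f -- "$PREFIX/tmpkinituserpassscript"
rm -f -- "$PREFIX/tmpkinitscript"

# Exit status is the number of failed cases (0 means all passed).
exit $failed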