2 # Blackbox tests for kinit and trust validation
3 # Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
4 # Copyright (c) 2016 Andreas Schneider <asn@samba.org>
8 Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
# Build and source tree locations handed in by the test harness.
samba_bindir="${BINDIR}"
samba_srcdir="${SRCDIR}/source4"

# Kerberos helper looked up on PATH.
# NOTE(review): $samba_kinit is used by the tests further down, but its
# assignment is not among the lines shown in this listing - confirm it is
# set before the first testit call.
samba_kdestroy=kdestroy

# Helper programs, all resolved inside $samba_bindir.
samba_tool="${samba_bindir}/samba-tool"
samba_texpect="${samba_bindir}/texpect"

# Client binaries under test, also taken from $samba_bindir.
smbclient="${samba_bindir}/smbclient"
wbinfo="${samba_bindir}/wbinfo"
rpcclient="${samba_bindir}/rpcclient"

# Share used for the incoming-trust logins: tmp on the local DC.
SMBCLIENT_UNC="//${SERVER}.${REALM}/tmp"
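# Load the subunit helper library that sits next to this script; presumably
# this is where testit and testit_expect_failure come from. The path is quoted
# so a checkout directory containing spaces or glob characters still resolves,
# and the script stops here if the helpers cannot be loaded instead of
# reporting every later step as a failure.
. "$(dirname "$0")/subunit.sh" || exit 1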
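# Run smbclient against the share in $SMBCLIENT_UNC, executing "$cmd" and
# forwarding the caller's remaining arguments. "$@" is quoted so an argument
# such as -Uuser@REALM%password reaches smbclient as one word even when it
# contains whitespace or glob characters. $VALGRIND and $CONFIGURATION are
# left unquoted; presumably they may be empty or hold several words.
# NOTE(review): the enclosing function header is not visible in this listing.
$VALGRIND "$smbclient" $CONFIGURATION "$SMBCLIENT_UNC" -c "$cmd" "$@"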
57 if [ x
$status = x0
]; then
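# Per-test FILE: credential cache kept under $PREFIX.
KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
# NOTE(review): listing line 67 is not shown here; KRB5CCNAME has to be
# exported for kinit and smbclient to pick this cache up - confirm.

# Start from an empty cache so a ticket left behind by an earlier run cannot
# make a login test pass. Quoted and preceded by "--" so a $PREFIX with spaces
# or a leading dash is treated as one path and not as extra operands/options.
rm -rf -- "$KRB5CCNAME_PATH"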
70 cat >$PREFIX/tmpkinitscript
<<EOF
72 send ${TRUST_PASSWORD}\n
75 ###########################################################
76 ### Test incoming trust direction
77 ###########################################################
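# Incoming trust, default smbclient: get a TGT for the trusted-realm user by
# driving kinit through texpect with the prepared script, then log in to the
# share using the resulting credential cache.
# $samba_kinit stays unquoted because its definition is not visible here.
# Arguments built from variables are quoted so they reach the tools as single
# words; the failure counter uses shell arithmetic instead of forking expr.
testit "kinit with password" \
  "$samba_texpect" "$PREFIX/tmpkinitscript" \
  $samba_kinit "${TRUST_USERNAME}@${TRUST_REALM}" ||
  failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))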
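# Repeat the ccache login with the smbclient4 binary from the build tree.
smbclient="$samba_bindir/smbclient4"

# Fresh kinit for the trusted-realm user, then a login through smbclient4.
# $samba_kinit stays unquoted because its definition is not visible here.
testit "kinit with password" \
  "$samba_texpect" "$PREFIX/tmpkinitscript" \
  $samba_kinit "${TRUST_USERNAME}@${TRUST_REALM}" ||
  failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))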
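# Switch back to the regular smbclient binary.
smbclient="$samba_bindir/smbclient"

# Enterprise-principal variant: kinit -E with the user@REALM name, followed by
# a login with the resulting ccache.
# $samba_kinit stays unquoted because its definition is not visible here.
testit "kinit with password (enterprise)" \
  "$samba_texpect" "$PREFIX/tmpkinitscript" \
  $samba_kinit -E "${TRUST_USERNAME}@${TRUST_REALM}" ||
  failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))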
96 if test x
"${TYPE}" = x
"forest"; then
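# Forest trusts only (guarded by the TYPE check above): kinit -E with a UPN
# under the "${TRUST_REALM}.upn" suffix, then a login with that ccache.
# NOTE(review): the closing "fi" of the enclosing if is not among the lines
# shown in this listing.
testit "kinit with password (enterprise UPN)" \
  "$samba_texpect" "$PREFIX/tmpkinitscript" \
  $samba_kinit -E "testdenied_upn@${TRUST_REALM}.upn" ||
  failed=$((failed + 1))
test_smbclient "Test login with user kerberos ccache" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))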
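# Obtain a ticket for the trusted-realm user again (enterprise form) so the
# renewal step that follows has a ticket to work on.
# $samba_kinit stays unquoted because its definition is not visible here.
testit "kinit with password (enterprise)" \
  "$samba_texpect" "$PREFIX/tmpkinitscript" \
  $samba_kinit -E "${TRUST_USERNAME}@${TRUST_REALM}" ||
  failed=$((failed + 1))
test_smbclient "Test login with kerberos ccache" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))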
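# Renew the ticket in the cache and check that a login still works afterwards.
# NOTE(review): unlike every other step on this page, a failed renewal is not
# added to $failed, so it does not influence the script's failure count.
# Left as written - confirm whether that is deliberate.
testit "kinit renew ticket" $samba_kinit -R
test_smbclient "Test login with kerberos ccache" 'ls' \
  "--use-krb5-ccache=$KRB5CCNAME" ||
  failed=$((failed + 1))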
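# Query the DC's time with samba-tool using the Kerberos credentials.
# The host name and the script's remaining arguments are quoted so each is
# passed through unchanged; $VALGRIND and $CONFIGURATION are left unquoted
# (presumably they may be empty or hold several words).
# NOTE(review): "-k yes" is the older spelling; the smbclient calls on this
# page already use --use-kerberos / --use-krb5-ccache. Consider aligning once
# the minimum samba-tool version is confirmed.
testit "check time with kerberos ccache" \
  $VALGRIND "$samba_tool" time "$SERVER.$REALM" $CONFIGURATION -k yes "$@" ||
  failed=$((failed + 1))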
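# Lower-case copy of the trusted realm. printf with a quoted argument avoids
# echo's option/backslash handling and word splitting; the POSIX character
# classes replace '[A-Z]'/'[a-z]', where the brackets were literal characters.
lowerrealm=$(printf '%s\n' "$TRUST_REALM" | tr '[:upper:]' '[:lower:]')

# Password-based Kerberos logins where the realm is given in lower case,
# first inside the principal and then through --realm.
# The -U argument is quoted so a password containing whitespace or glob
# characters is not split or expanded by the shell.
# NOTE(review): the password is passed on the smbclient command line and is
# therefore visible in the process list while the command runs; fine for
# throwaway test accounts, not a pattern to copy for real credentials.
test_smbclient "Test login with user kerberos lowercase realm" 'ls' \
  --use-kerberos=required \
  "-U${TRUST_USERNAME}@${lowerrealm}%${TRUST_PASSWORD}" ||
  failed=$((failed + 1))
test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' \
  --use-kerberos=required \
  "-U${TRUST_USERNAME}@${TRUST_REALM}%${TRUST_PASSWORD}" \
  "--realm=$lowerrealm" ||
  failed=$((failed + 1))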
117 ###########################################################
118 ### Test outgoing trust direction
119 ###########################################################
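# Outgoing trust: point the share at the trusted domain's server and log in
# there as a user of the local realm, with Kerberos required.
# NOTE(review): TRUST_SERVER is not one of the arguments named in the usage
# text at the top of this listing - confirm where it is set.
SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"
# The -U argument is quoted so the password is passed as one unexpanded word.
test_smbclient "Test user login with the first outgoing secret" 'ls' \
  --use-kerberos=required \
  "-U${USERNAME}@${REALM}%${PASSWORD}" ||
  failed=$((failed + 1))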
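# Negative test: "samba-tool user setpassword" on the trust account
# ("${TRUST_DOMAIN}$") must be refused. The step passes only when the
# command fails.
testit_expect_failure "setpassword should not work" \
  $VALGRIND "$samba_tool" user setpassword "${TRUST_DOMAIN}\$" \
  --random-password ||
  failed=$((failed + 1))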
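# Exercise the outgoing trust secret through winbind: reach a DC of the
# trusted domain, change the trust password, then verify the new secret.
# The --domain argument is quoted so the domain name is passed as one word.
testit "wbinfo ping dc" \
  $VALGRIND "$wbinfo" --ping-dc "--domain=$TRUST_DOMAIN" ||
  failed=$((failed + 1))
testit "wbinfo change outgoing trust pw" \
  $VALGRIND "$wbinfo" --change-secret "--domain=$TRUST_DOMAIN" ||
  failed=$((failed + 1))
testit "wbinfo check outgoing trust pw" \
  $VALGRIND "$wbinfo" --check-secret "--domain=$TRUST_DOMAIN" ||
  failed=$((failed + 1))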
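# Same cross-realm login as before the secret change; it has to keep working
# now that the outgoing trust password has been rotated.
# The -U argument is quoted so the password is passed as one unexpanded word.
test_smbclient "Test user login with the changed outgoing secret" 'ls' \
  --use-kerberos=required \
  "-U${USERNAME}@${REALM}%${PASSWORD}" ||
  failed=$((failed + 1))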
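# Remove the credential cache and the texpect script. The script holds the
# trust user's password in clear text (it is written with
# "send ${TRUST_PASSWORD}"), and these lines are only reached when the script
# runs to the end - an interrupted run leaves both files under $PREFIX.
# TODO(review): consider registering this cleanup in an EXIT trap right after
# the files are created, and creating the script under a restrictive umask.
rm -f -- "$KRB5CCNAME_PATH"
# NOTE(review): nothing in the visible listing creates tmpkinituserpassscript;
# possibly a leftover from a related test - confirm.
rm -f -- "$PREFIX/tmpkinituserpassscript"
rm -f -- "$PREFIX/tmpkinitscript"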