search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
rpcclient3: Factor out cli_rpc_pipe_open_bind_schannel()
[Samba.git] / testprogs / blackbox / test_kpasswd_heimdal.sh
blob7e3daed8467bf26c01d906e6a328ad6e4b8bdd1d
1 #!/bin/sh
2 # Blackbox tests for chainging passwords with kinit and kpasswd
3 #
4 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
5 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
6 # Copyright (C) 2016 Andreas Schneider <asn@samba.org>
7
8 if [ $# -lt 6 ]; then
9 cat <<EOF
10 Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
11 EOF
12 exit 1;
13 fi
14
15 SERVER=$1
16 USERNAME=$2
17 PASSWORD=$3
18 REALM=$4
19 DOMAIN=$5
20 PREFIX=$6
21 shift 6
22 failed=0
23
24 samba_bindir="$BINDIR"
25
26 smbclient="$samba_bindir/smbclient"
27 samba_kinit=$samba_bindir/samba4kinit
28 samba_kpasswd=$samba_bindir/samba4kpasswd
29
30 samba_tool="$samba_bindir/samba-tool"
31 net_tool="$samba_bindir/net"
32 texpect="$samba_bindir/texpect"
33
34 newuser="$samba_tool user create"
35 SMB_UNC="//$SERVER/tmp"
36
37 . `dirname $0`/subunit.sh
38 . `dirname $0`/common_test_fns.inc
39
40 do_kinit() {
41 principal="$1"
42 password="$2"
43 shift
44 shift
45 echo $password > $PREFIX/tmppassfile
46 $samba_kinit --password-file=$PREFIX/tmppassfile $principal $@
47 }
48
49 UID_WRAPPER_ROOT=1
50 export UID_WRAPPER_ROOT
51
52 CONFIG="--configfile=$PREFIX/etc/smb.conf"
53 export CONFIG
54
55 testit "reset password policies beside of minimum password age of 0 days" \
56 $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
57
58 TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
59 TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
60 TEST_PASSWORD="testPaSS@00%"
61 TEST_PASSWORD_NEW="testPaSS@01%"
62 TEST_PASSWORD_SHORT="secret"
63 TEST_PASSWORD_WEAK="Supersecret"
64
65 testit "create user locally" \
66 $VALGRIND $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=`expr $failed + 1`
67
68 KRB5CCNAME="$PREFIX/tmpuserccache"
69 export KRB5CCNAME
70
71 testit "kinit with user password" \
72 do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
73
74 test_smbclient "Test login with user kerberos ccache" \
75 "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
76
77 testit "change user password with 'samba-tool user password' (unforced)" \
78 $VALGRIND $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
79
80 TEST_PASSWORD_OLD=$TEST_PASSWORD
81 TEST_PASSWORD=$TEST_PASSWORD_NEW
82 TEST_PASSWORD_NEW="testPaSS@02%"
83
84 testit "kinit with user password" \
85 do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
86
87 test_smbclient "Test login with user kerberos ccache" \
88 "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
89
90 ###########################################################
91 ### check that a short password is rejected
92 ###########################################################
93
94 cat > $PREFIX/tmpkpasswdscript <<EOF
95 expect Password
96 password ${TEST_PASSWORD}\n
97 expect New password
98 send ${TEST_PASSWORD_SHORT}\n
99 expect Verify password
100 send ${TEST_PASSWORD_SHORT}\n
101 expect Password too short
102 EOF
103
104 testit "kpasswd check short user password" \
105 $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
106
107 ###########################################################
108 ### check that a weak password is rejected
109 ###########################################################
110
111 echo "check that a short password is rejected"
112 cat > ./tmpkpasswdscript <<EOF
113 expect Password
114 password ${TEST_PASSWORD}\n
115 expect New password
116 send $TEST_PASSWORD_WEAK\n
117 expect Verify password
118 send $TEST_PASSWORD_WEAK\n
119 expect Password does not meet complexity requirements
120 EOF
121
122 testit "kpasswd check weak user password" \
123 $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
124
125 ###########################################################
126 ### check that a strong password is accepted
127 ###########################################################
128
129 cat > ./tmpkpasswdscript <<EOF
130 expect Password
131 password ${TEST_PASSWORD}\n
132 expect New password
133 send ${TEST_PASSWORD_NEW}\n
134 expect Verify password
135 send ${TEST_PASSWORD_NEW}\n
136 expect Success
137 EOF
138
139 testit "kpasswd change user password" \
140 $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=`expr $failed + 1`
141
142 TEST_PASSWORD=$TEST_PASSWORD_NEW
143 TEST_PASSWORD_NEW="testPaSS@03%"
144
145 ###########################################################
146 ### Force password change at login
147 ###########################################################
148
149 testit "set password on user locally" \
150 $VALGRIND $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=`expr $failed + 1`
151
152 TEST_PASSWORD=$TEST_PASSWORD_NEW
153 TEST_PASSWORD_NEW="testPaSS@04%"
154
155 rm -f $PREFIX/tmpuserccache
156
157 cat > $PREFIX/tmpkinitscript <<EOF
158 expect Password
159 password ${TEST_PASSWORD}\n
160 expect Changing password
161 expect New password
162 send ${TEST_PASSWORD_NEW}\n
163 expect Repeat new password
164 send ${TEST_PASSWORD_NEW}\n
165 expect Success
166 EOF
167
168 testit "kinit and change user password" \
169 $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=`expr $failed + 1`
170
171 TEST_PASSWORD=$TEST_PASSWORD_NEW
172 TEST_PASSWORD_NEW="testPaSS@07%"
173
174 test_smbclient "Test login with user (kerberos)" \
175 "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
176
177 ###########################################################
178 ### Test kpasswd service via 'net ads password'
179 ###########################################################
180
181 # NOTE: This works with heimdal because the krb5_set_password function tries
182 # set_password call first and falls back to change_password if it doesn't
183 # succeed.
184 testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
185 $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=`expr $failed + 1`
186
187 TEST_PASSWORD=$TEST_PASSWORD_NEW
188 TEST_PASSWORD_NEW="testPaSS@08%"
189
190 test_smbclient "Test login with smbclient (ntlm)" \
191 "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
192
193 ###########################################################
194 ### Test kpasswd service via 'net ads password' as admin
195 ###########################################################
196
197 testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
198 $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=`expr $failed + 1`
199
200 TEST_PASSWORD=$TEST_PASSWORD_NEW
201 TEST_PASSWORD_NEW="testPaSS@07%"
202
203 test_smbclient "Test login with smbclient (ntlm)" \
204 "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
205
206 ###########################################################
207 ### Cleanup
208 ###########################################################
209
210 testit "reset password policies" \
211 $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
212
213 testit "delete user" \
214 $VALGRIND $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1`
215
216 rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript
217 exit $failed
Samba GIT mirror