3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 top_builddir
="@top_builddir@"
35 env_setup
="@env_setup@"
40 KRB5_CONFIG
="${1-${objdir}/krb5.conf}"
43 testfailed
="echo test failed; cat messages.log; exit 1"
45 # If there is no useful db support compile in, disable test
59 kadmin
="${kadmin} -l -r $R"
60 kadmin5
="${kadmin} -l -r $R5"
61 kdc
="${kdc} --addresses=localhost -P $port"
63 server
=host
/datan.
test.h5l.se
64 server2
=host
/computer.example.com
65 serverip
=host
/10.11.12.13
66 serveripname
=host
/ip.
test.h5l.org
67 serveripname2
=host
/10.11.12.14
68 alias1
=host
/datan.example.com
70 aliaskeytab
=host
/datan
71 cache
="FILE:${objdir}/cache.krb5"
72 ocache
="FILE:${objdir}/ocache.krb5"
73 o2cache
="FILE:${objdir}/o2cache.krb5"
74 icache
="FILE:${objdir}/icache.krb5"
75 keytabfile
=${objdir}/server.keytab
76 keytab
="FILE:${keytabfile}"
77 ps
="proxy-service@${R}"
78 aesenctype
="aes256-cts-hmac-sha1-96"
80 kinit
="${kinit} -c $cache ${afs_no_afslog}"
81 klist
="${klist} -c $cache"
82 kgetcred
="${kgetcred} -c $cache"
83 kgetcred_imp
="${kgetcred} -c $cache --out-cache=${ocache}"
84 kdestroy
="${kdestroy} -c $cache ${afs_no_unlog}"
85 kimpersonate
="${kimpersonate} -k ${keytab} --ccache=${ocache}"
86 test_set_kvno0
="${test_set_kvno0} -c $cache"
95 echo Creating database
98 --realm-max-ticket-life=1day \
99 --realm-max-renewable-life=1month \
104 --realm-max-ticket-life=1day \
105 --realm-max-renewable-life=1month \
110 --realm-max-ticket-life=1day \
111 --realm-max-renewable-life=1month \
116 --realm-max-ticket-life=1day \
117 --realm-max-renewable-life=1month \
122 --realm-max-ticket-life=1day \
123 --realm-max-renewable-life=1month \
128 --realm-max-ticket-life=1day \
129 --realm-max-renewable-life=1month \
134 --realm-max-ticket-life=1day \
135 --realm-max-renewable-life=1month \
140 --realm-max-ticket-life=1day \
141 --realm-max-renewable-life=1month \
144 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
145 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
146 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
147 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
149 ${kadmin} add
-p foo
--use-defaults foo@
${R} ||
exit 1
150 ${kadmin} add
-p foo
--use-defaults foo@
${R2} ||
exit 1
151 ${kadmin} add
-p foo
--use-defaults foo@
${R3} ||
exit 1
152 ${kadmin} add
-p foo
--use-defaults foo@
${R4} ||
exit 1
153 ${kadmin5} add
-p foo
--use-defaults foo@
${R5} ||
exit 1
154 ${kadmin} add
-p foo
--use-defaults foo@
${R6} ||
exit 1
155 ${kadmin} add
-p foo
--use-defaults foo@
${R7} ||
exit 1
156 ${kadmin} add
-p bar
--use-defaults bar@
${R} ||
exit 1
157 ${kadmin} add
-p foo
--use-defaults remove@
${R} ||
exit 1
158 ${kadmin} add -p kaka --use-defaults ${server}@${R} ||
exit 1
159 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} ||
exit 1
160 ${kadmin} add
-p kaka
--use-defaults kt-des3@
${R} ||
exit 1
161 ${kadmin} add
-p kaka
--use-defaults foo
/des3-only@
${R} ||
exit 1
162 ${kadmin} add
-p kaka
--use-defaults bar
/des3-only@
${R} ||
exit 1
163 ${kadmin} add
-p kaka
--use-defaults foo
/aes-only@
${R} ||
exit 1
164 ${kadmin} add
-p foo
--use-defaults ${ps} ||
exit 1
165 ${kadmin} modify
--attributes=+trusted-for-delegation
${ps} ||
exit 1
166 ${kadmin} modify --constrained-delegation=${server} ${ps} ||
exit 1
167 ${kadmin} ext -k ${keytab} ${server}@${R} ||
exit 1
168 ${kadmin} ext -k ${keytab} ${ps} ||
exit 1
170 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} ||
exit 1
171 ${kadmin} ext -k ${keytab} ${server2}@${R2} ||
exit 1
172 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} ||
exit 1
173 ${kadmin} ext -k ${keytab} ${serverip}@${R} ||
exit 1
174 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} ||
exit 1
175 ${kadmin} ext -k ${keytab} ${serveripname}@${R} ||
exit 1
176 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
177 ${kadmin} add
-p foo
--use-defaults remove2@
${R2} ||
exit 1
179 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} ||
exit 1
180 ${kadmin} ext -k ${keytab} ${alias1}@${R} ||
exit 1
181 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
183 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} ||
exit 1
184 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} ||
exit 1
186 ${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} ||
exit 1
187 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} ||
exit 1
189 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} ||
exit 1
190 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} ||
exit 1
192 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} ||
exit 1
193 ${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} ||
exit 1
195 ${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} ||
exit 1
196 ${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} ||
exit 1
198 ${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} ||
exit 1
199 ${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} ||
exit 1
201 ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} ||
exit 1
202 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} ||
exit 1
204 ${kadmin} add
-p foo
--use-defaults pw-expire@
${R} ||
exit 1
205 ${kadmin} modify
--pw-expiration-time=+1day pw-expire@
${R} ||
exit 1
207 ${kadmin} add
-p foo
--use-defaults foo@
${RH} ||
exit 1
210 ${kadmin} add
-p foo
--use-defaults -- -p ||
exit 1
211 ${kadmin} delete
-- -p ||
exit 1
213 echo "Doing database check"
214 ${kadmin} check
${R} ||
exit 1
215 ${kadmin} check
${R2} ||
exit 1
216 ${kadmin} check
${R3} ||
exit 1
217 ${kadmin} check
${R4} ||
exit 1
218 ${kadmin5} check
${R5} ||
exit 1
219 ${kadmin} check
${R6} ||
exit 1
220 ${kadmin} check
${R7} ||
exit 1
222 echo "Extracting enctypes"
223 ${ktutil} -k ${keytab} list
> tempfile ||
exit 1
224 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
225 awk '$1 !~ /1/ { exit 1 }' ||
exit 1
227 ${kadmin} get foo@
${R} > tempfile ||
exit 1
228 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
230 enctype_sans_aes
=`echo $enctypes | sed 's/aes[^ ]*//g'`
231 enctype_sans_des3
=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
233 echo "deleting all but des enctypes on kt-des3 in keytab"
234 ${kadmin} ext -k ${keytab} kt-des3@${R} ||
exit 1
235 for a
in ${enctype_sans_des3} ; do
236 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
239 echo "checking globbing keys rules"
240 ${kadmin} get foo
/des3-only@
${R} > tempfile ||
exit 1
241 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
242 if [ X
"$enctypes" != Xdes3-cbc-sha1
] ; then
243 echo "des3 only is not only des3: $enctypes"
247 ${kadmin} get foo
/aes-only@
${R} > tempfile ||
exit 1
248 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
249 if [ X
"$enctypes" != Xaes256-cts-hmac-sha1-96
] ; then
250 echo "aes only is not only aes: $enctypes"
255 echo foo
> ${objdir}/foopassword
257 echo Starting kdc
; > messages.log
258 env MallocStackLogging
=1 MallocStackLoggingNoCompact
=1 MallocErrorAbort
=1 MallocLogFile
=${objdir}/malloc-log \
263 if [ "$?" != 0 ] ; then
268 trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
272 echo "Getting client initial tickets"; > messages.log
273 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
274 { ec
=1 ; eval "${testfailed}"; }
275 echo "Doing krbtgt key rollover"; > messages.log
276 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} ||
exit 1
277 echo "Getting tickets"; > messages.log
278 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
279 echo "Listing tickets"; > messages.log
280 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
281 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
282 { ec
=1 ; eval "${testfailed}"; }
285 echo "Getting client initial tickets (http transport)"; > messages.log
286 ${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
287 { ec
=1 ; eval "${testfailed}"; }
290 echo "Testing capaths logic"
291 ${kinit} --password-file=${objdir}/foopassword \
292 -e ${aesenctype} -e ${aesenctype} \
294 { ec
=1 ; eval "${testfailed}"; }
296 echo "Getting x-realm tickets with capaths for $R -> $R2"
297 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
298 echo "Getting x-realm tickets with capaths for $R -> $R3"
299 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
300 echo "Getting x-realm tickets with capaths for $R -> $R4"
301 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
302 echo "Getting x-realm tickets with capaths for $R -> $R5"
303 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
304 echo "Getting x-realm tickets with capaths for $R -> $R6"
305 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
306 echo "Getting x-realm tickets with capaths for $R -> $R7"
307 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
310 echo "Testing capaths logic (reverse order)"
311 ${kinit} --password-file=${objdir}/foopassword \
312 -e ${aesenctype} -e ${aesenctype} \
314 { ec
=1 ; eval "${testfailed}"; }
316 echo "Getting x-realm tickets with capaths for $R -> $R4"
317 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
318 echo "Getting x-realm tickets with capaths for $R -> $R3"
319 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
320 echo "Getting x-realm tickets with capaths for $R -> $R2"
321 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
322 echo "Getting x-realm tickets with capaths for $R -> $R7"
323 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
324 echo "Getting x-realm tickets with capaths for $R -> $R6"
325 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
326 echo "Getting x-realm tickets with capaths for $R -> $R5"
327 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
330 echo "Testing forwardable/renewable flag copying in TGS-REQ"
331 ${kinit} -f --renewable -r 5d
--password-file=${objdir}/foopassword foo@
$R || \
332 { ec
=1 ; eval "${testfailed}"; }
333 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
334 ${klist} -f |
grep ${server} |
grep FRA
> /dev
/null || \
335 { ec
=1 ; eval "${testfailed}"; }
338 echo "Specific enctype"; > messages.log
339 ${kinit} --password-file=${objdir}/foopassword \
340 -e ${aesenctype} -e ${aesenctype} \
342 { ec
=1 ; eval "${testfailed}"; }
344 for a
in $enctypes; do
345 echo "Getting client initial tickets ($a)"; > messages.log
346 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
347 echo "Getting tickets"; > messages.log
348 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
349 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
354 echo "Getting client initial tickets"; > messages.log
355 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
356 { ec
=1 ; eval "${testfailed}"; }
357 for a
in $enctypes; do
358 echo "Getting tickets ($a)"; > messages.log
359 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
360 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
361 { ec
=1 ; eval "${testfailed}"; }
362 ${kdestroy} --credential=${server}@${R}
366 echo "Getting client initial tickets for cross realm case"; > messages.log
367 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
368 for a
in $enctypes; do
369 echo "Getting cross realm tickets ($a)"; > messages.log
370 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
371 echo " checking we we got back right ticket"
372 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
373 echo " checking if ticket is useful"
374 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
375 { ec
=1 ; eval "${testfailed}"; }
376 ${kdestroy} --credential=${server2}@${R2}
380 echo "Trying x-realm TGT with kvno 0 case";
381 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
382 { ec
=1 ; eval "${testfailed}"; }
383 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
384 echo "Getting cross realm tickets"; > messages.log
385 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
386 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
387 echo "Getting service ticket"; > messages.log
388 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
391 echo "Trying x-realm TGT with kvno 0 case with key rollover";
392 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
393 { ec
=1 ; eval "${testfailed}"; }
394 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
395 echo "Getting cross realm tickets"; > messages.log
396 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
397 echo "Rolling over cross realm keys"; > messages.log
398 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
399 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
400 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
401 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
402 echo "Getting service ticket"; > messages.log
403 echo "Start tracing kdc, then hit return"
404 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
407 echo "Trying x-realm TGT with no kvno case";
408 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
409 { ec
=1 ; eval "${testfailed}"; }
410 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
411 echo "Getting cross realm tickets"; > messages.log
412 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
413 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
414 echo "Getting service ticket"; > messages.log
415 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
418 echo "Trying x-realm TGT with no kvno case with key rollover";
419 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
420 { ec
=1 ; eval "${testfailed}"; }
421 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
422 echo "Getting cross realm tickets"; > messages.log
423 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
424 echo "Rolling over cross realm keys"; > messages.log
425 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
426 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
427 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
428 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
429 echo "Getting service ticket"; > messages.log
430 echo "Start tracing kdc, then hit return"
431 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
434 echo "try all permutations"; > messages.log
435 for a
in $enctypes; do
436 echo "Getting client initial tickets ($a)"; > messages.log
437 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@
$R || \
438 { ec
=1 ; eval "${testfailed}"; }
439 for b
in $enctypes; do
440 echo "Getting tickets ($a -> $b)"; > messages.log
441 ${kgetcred} -e $b ${server}@${R} || \
442 { ec
=1 ; eval "${testfailed}"; }
443 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
444 { ec
=1 ; eval "${testfailed}"; }
445 ${kdestroy} --credential=${server}@${R}
450 echo "Getting client initial tickets ip based name"; > messages.log
451 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
452 echo "Getting ip based name tickets"; > messages.log
453 ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
454 echo " checking we we got back right ticket"
455 ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
456 echo " checking if ticket is useful"
457 ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
458 { ec
=1 ; eval "${testfailed}"; }
461 echo "Getting client initial tickets ip based name (alias)"; > messages.log
462 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
463 for a
in ${serveripname} ${serveripname2} ; do
464 echo "Getting ip based name tickets (alias) $a"; > messages.log
465 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
466 echo " checking we we got back right ticket"
467 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
468 echo " checking if ticket is useful"
469 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
470 { ec
=1 ; eval "${testfailed}"; }
474 echo "Getting server initial tickets"; > messages.log
475 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
476 echo "Listing tickets"; > messages.log
477 ${klist} |
grep "Principal: ${server}" > /dev
/null || \
478 { ec
=1 ; eval "${testfailed}"; }
481 echo "Getting key for key that are a subset in keytab compared to kdb"
482 ${kinit} --keytab=${keytab} kt-des3@${R}
483 ${klist} |
grep "Principal: kt-des3" > /dev
/null || \
484 { ec
=1 ; eval "${testfailed}"; }
487 echo "initial tickets for deleted user test case"; > messages.log
488 ${kinit} --password-file=${objdir}/foopassword remove@
$R || \
489 { ec
=1 ; eval "${testfailed}"; }
490 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
491 echo "try getting ticket with deleted user"; > messages.log
492 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
495 echo "cross realm case (deleted user)"; > messages.log
496 ${kinit} --password-file=${objdir}/foopassword remove2@
$R2 || \
497 { ec
=1 ; eval "${testfailed}"; }
498 ${kgetcred} krbtgt/${R}@${R2} 2> /dev
/null || \
499 { ec
=1 ; eval "${testfailed}"; }
500 ${kadmin} delete remove2@
${R2} ||
exit 1
501 ${kgetcred} ${server}@${R} 2> /dev
/null || \
502 { ec
=1 ; eval "${testfailed}"; }
505 echo "rename user"; > messages.log
506 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
507 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
508 { ec
=1 ; eval "${testfailed}"; }
509 ${kadmin} rename rename@${R} rename2@${R} ||
exit 1
510 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
511 { ec
=1 ; eval "${testfailed}"; }
513 ${kadmin} delete rename2@
${R} ||
exit 1
515 echo "rename user to another realm"; > messages.log
516 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
517 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
518 { ec
=1 ; eval "${testfailed}"; }
519 ${kadmin} rename rename@${R} rename@${R2} ||
exit 1
520 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
521 { ec
=1 ; eval "${testfailed}"; }
523 ${kadmin} delete rename@
${R2} ||
exit 1
525 echo deleting all but aes enctypes on krbtgt
526 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} ||
exit 1
528 echo deleting all but des enctypes on server-des3
529 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} ||
exit 1
530 ${kadmin} ext -k ${keytab} ${server}-des3@${R} ||
exit 1
532 echo "try all permutations (only aes)"; > messages.log
533 for a
in $enctypes; do
534 echo "Getting client initial tickets ($a)"; > messages.log
535 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
536 { ec
=1 ; eval "${testfailed}"; }
537 for b
in $enctypes; do
538 echo "Getting tickets ($a -> $b)"; > messages.log
539 ${kgetcred} -e $b ${server}@${R} || \
540 { ec
=1 ; eval "${testfailed}"; }
541 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
542 { ec
=1 ; eval "${testfailed}"; }
544 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
545 ${kgetcred} ${server}-des3@${R} || \
546 { ec
=1 ; eval "${testfailed}"; }
547 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
548 { ec
=1 ; eval "${testfailed}"; }
550 ${kdestroy} --credential=${server}@${R}
551 ${kdestroy} --credential=${server}-des3@${R}
556 echo deleting all enctypes on krbtgt
557 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
558 { ec
=1 ; eval "${testfailed}"; }
559 echo "try initial ticket w/o and keys on krbtgt"
560 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev
/null
&& \
561 { ec
=1 ; eval "${testfailed}"; }
562 echo "adding random aes key"
563 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
564 { ec
=1 ; eval "${testfailed}"; }
565 echo "try initial ticket with random aes key on krbtgt"
566 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
567 { ec
=1 ; eval "${testfailed}"; }
573 if ${hxtool} info |
grep 'rsa: hx509 null RSA' > /dev
/null
; then
576 if ${hxtool} info |
grep 'rand: not available' > /dev
/null
; then
579 if ${kinit} --help 2>&1 |
grep "CA certificates" > /dev
/null
; then
583 if ${hxtool} info |
grep 'ecdsa: hcrypto null' > /dev
/null
; then
588 # If we support pkinit and have RSA, lets try that
589 if test "$pkinit" = yes -a "$rsa" = yes ; then
591 echo "try anonymous pkinit"; > messages.log
592 ${kinit} --anonymous ${R} || \
593 { ec
=1 ; eval "${testfailed}"; }
594 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
597 for type in "" "--pk-use-enckey"; do
598 echo "Trying pk-init (principal in certificate) $type"; > messages.log
599 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
600 { ec
=1 ; eval "${testfailed}"; }
601 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
604 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
605 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
606 { ec
=1 ; eval "${testfailed}"; }
607 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
610 echo "Trying pk-init (password protected key) $type"; > messages.log
611 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
612 { ec
=1 ; eval "${testfailed}"; }
613 ${kgetcred} ${server}@${R} || \
614 { ec
=1 ; eval "${testfailed}"; }
617 echo "Trying pk-init (proxy cert) $type"; > messages.log
618 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
619 { ec
=1 ; eval "${testfailed}"; }
620 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
625 if test "$ecdsa" = yes > /dev
/null
; then
626 echo "Trying pk-init (ec certificate)"
628 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
629 { ec
=1 ; eval "${testfailed}"; }
630 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
632 grep 'PK-INIT using ecdh' messages.log
> /dev
/null || \
633 { ec
=1 ; eval "${testfailed}"; }
637 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
640 echo "tickets for impersonate test case"; > messages.log
641 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
642 { ec
=1 ; eval "${testfailed}"; }
643 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
644 { ec
=1 ; eval "${testfailed}"; }
645 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
646 { ec
=1 ; eval "${testfailed}"; }
647 echo " negative check"
648 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev
/null
&& \
649 { ec
=1 ; eval "${testfailed}"; }
651 echo "test constrained delegation"; > messages.log
652 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
653 { ec
=1 ; eval "${testfailed}"; }
655 --out-cache=${o2cache} \
656 --delegation-credential-cache=${ocache} \
658 { ec
=1 ; eval "${testfailed}"; }
659 echo " try using the credential"
660 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
661 { ec
=1 ; eval "${testfailed}"; }
662 echo " negative check"
664 --out-cache=${o2cache} \
665 --delegation-credential-cache=${ocache} \
666 bar@
${R} 2>/dev
/null
&& \
667 { ec
=1 ; eval "${testfailed}"; }
669 echo "test constrained delegation impersonation (non forward)"; > messages.log
671 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
672 { ec
=1 ; eval "${testfailed}"; }
673 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
674 { ec
=1 ; eval "${testfailed}"; }
676 echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
678 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
679 { ec
=1 ; eval "${testfailed}"; }
680 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
681 { ec
=1 ; eval "${testfailed}"; }
685 echo "check renewing" > messages.log
686 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
687 { ec
=1 ; eval "${testfailed}"; }
690 { ec
=1 ; eval "${testfailed}"; }
691 echo "check renewing MIT interface" > messages.log
692 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
693 { ec
=1 ; eval "${testfailed}"; }
695 env KRB5CCNAME
=${cache} ${test_renew} || \
696 { ec
=1 ; eval "${testfailed}"; }
699 echo "checking server aliases"; > messages.log
700 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
701 { ec
=1 ; eval "${testfailed}"; }
702 echo "Getting tickets"; > messages.log
703 ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
704 ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
705 echo " verify entry in keytab"
706 ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
707 { ec
=1 ; eval "${testfailed}"; }
708 echo " verify entry in keytab with any"
709 ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
710 { ec
=1 ; eval "${testfailed}"; }
711 echo " verify failure with alias entry"
712 ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev
/null
&& \
713 { ec
=1 ; eval "${testfailed}"; }
714 echo " verify alias entry in keytab with any"
715 ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
716 { ec
=1 ; eval "${testfailed}"; }
719 echo "testing removal of keytab"
720 ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
721 test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
723 echo "Getting client pw expire"; > messages.log
724 ${kinit} --password-file=${objdir}/foopassword \
725 pw-expire@
${R} 2>kinit-log.tmp|| \
726 { ec
=1 ; eval "${testfailed}"; }
727 grep 'Your password will expire' kinit-log.tmp
> /dev
/null || \
728 { ec
=1 ; eval "${testfailed}"; }
730 ${test_gic} --client=pw-expire@
${R} --password=foo
> kinit-log.tmp
2>/dev
/null
731 ${EGREP} "^e type: 6" kinit-log.tmp
> /dev
/null || \
732 { ec
=1 ; eval "${testfailed}"; }
733 echo " test_gic passes"
736 echo "killing kdc (${kdcpid})"
737 sh
${leaks_kill} kdc
$kdcpid ||
exit 1