3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 top_builddir
="@top_builddir@"
35 env_setup
="@env_setup@"
40 KRB5_CONFIG
="${1-${objdir}/krb5.conf}"
43 testfailed
="echo test failed; cat messages.log; exit 1"
45 # If there is no useful db support compile in, disable test
60 kadmin
="${kadmin} -l -r $R"
61 kadmin5
="${kadmin} -l -r $R5"
62 kdc
="${kdc} --addresses=localhost -P $port"
63 kpasswdd
="${kpasswdd} --addresses=localhost -p $pwport"
65 server
=host
/datan.
test.h5l.se
66 server2
=host
/computer.example.com
67 serverip
=host
/10.11.12.13
68 serveripname
=host
/ip.
test.h5l.org
69 serveripname2
=host
/10.11.12.14
70 alias1
=host
/datan.example.com
72 aliaskeytab
=host
/datan
73 cache
="FILE:${objdir}/cache.krb5"
74 ocache
="FILE:${objdir}/ocache.krb5"
75 o2cache
="FILE:${objdir}/o2cache.krb5"
76 icache
="FILE:${objdir}/icache.krb5"
77 keytabfile
=${objdir}/server.keytab
78 keytab
="FILE:${keytabfile}"
79 ps
="proxy-service@${R}"
80 aesenctype
="aes256-cts-hmac-sha1-96"
82 kinit
="${kinit} -c $cache ${afs_no_afslog}"
83 klist
="${klist} -c $cache"
84 kgetcred
="${kgetcred} -c $cache"
85 kgetcred_imp
="${kgetcred} -c $cache --out-cache=${ocache}"
86 kdestroy
="${kdestroy} -c $cache ${afs_no_unlog}"
87 kimpersonate
="${kimpersonate} -k ${keytab} --ccache=${ocache}"
88 test_set_kvno0
="${test_set_kvno0} -c $cache"
97 echo Creating database
100 --realm-max-ticket-life=1day \
101 --realm-max-renewable-life=1month \
106 --realm-max-ticket-life=1day \
107 --realm-max-renewable-life=1month \
112 --realm-max-ticket-life=1day \
113 --realm-max-renewable-life=1month \
118 --realm-max-ticket-life=1day \
119 --realm-max-renewable-life=1month \
124 --realm-max-ticket-life=1day \
125 --realm-max-renewable-life=1month \
130 --realm-max-ticket-life=1day \
131 --realm-max-renewable-life=1month \
136 --realm-max-ticket-life=1day \
137 --realm-max-renewable-life=1month \
142 --realm-max-ticket-life=1day \
143 --realm-max-renewable-life=1month \
146 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
147 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
148 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
149 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
151 ${kadmin} add
-p foo
--use-defaults foo@
${R} ||
exit 1
152 ${kadmin} add
-p foo
--use-defaults foo@
${R2} ||
exit 1
153 ${kadmin} add
-p foo
--use-defaults foo@
${R3} ||
exit 1
154 ${kadmin} add
-p foo
--use-defaults foo@
${R4} ||
exit 1
155 ${kadmin5} add
-p foo
--use-defaults foo@
${R5} ||
exit 1
156 ${kadmin} add
-p foo
--use-defaults foo@
${R6} ||
exit 1
157 ${kadmin} add
-p foo
--use-defaults foo@
${R7} ||
exit 1
158 ${kadmin} add
-p bar
--use-defaults bar@
${R} ||
exit 1
159 ${kadmin} add
-p foo
--use-defaults remove@
${R} ||
exit 1
160 ${kadmin} add -p kaka --use-defaults ${server}@${R} ||
exit 1
161 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} ||
exit 1
162 ${kadmin} add
-p kaka
--use-defaults kt-des3@
${R} ||
exit 1
163 ${kadmin} add
-p kaka
--use-defaults foo
/des3-only@
${R} ||
exit 1
164 ${kadmin} add
-p kaka
--use-defaults bar
/des3-only@
${R} ||
exit 1
165 ${kadmin} add
-p kaka
--use-defaults foo
/aes-only@
${R} ||
exit 1
166 ${kadmin} add
-p foo
--use-defaults ${ps} ||
exit 1
167 ${kadmin} modify
--attributes=+trusted-for-delegation
${ps} ||
exit 1
168 ${kadmin} modify --constrained-delegation=${server} ${ps} ||
exit 1
169 ${kadmin} ext -k ${keytab} ${server}@${R} ||
exit 1
170 ${kadmin} ext -k ${keytab} ${ps} ||
exit 1
172 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} ||
exit 1
173 ${kadmin} ext -k ${keytab} ${server2}@${R2} ||
exit 1
174 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} ||
exit 1
175 ${kadmin} ext -k ${keytab} ${serverip}@${R} ||
exit 1
176 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} ||
exit 1
177 ${kadmin} ext -k ${keytab} ${serveripname}@${R} ||
exit 1
178 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
179 ${kadmin} add
-p foo
--use-defaults remove2@
${R2} ||
exit 1
181 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} ||
exit 1
182 ${kadmin} ext -k ${keytab} ${alias1}@${R} ||
exit 1
183 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
185 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} ||
exit 1
186 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} ||
exit 1
188 ${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} ||
exit 1
189 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} ||
exit 1
191 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} ||
exit 1
192 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} ||
exit 1
194 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} ||
exit 1
195 ${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} ||
exit 1
197 ${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} ||
exit 1
198 ${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} ||
exit 1
200 ${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} ||
exit 1
201 ${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} ||
exit 1
203 ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} ||
exit 1
204 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} ||
exit 1
206 ${kadmin} add
-p foo
--use-defaults pw-expire@
${R} ||
exit 1
207 ${kadmin} modify
--pw-expiration-time=+1day pw-expire@
${R} ||
exit 1
209 ${kadmin} add
-p foo
--use-defaults pw-expired@
${R} ||
exit 1
210 ${kadmin} modify
--pw-expiration-time=2012-06-12 pw-expired@
${R} ||
exit 1
212 ${kadmin} add
-p foo
--use-defaults account-expired@
${R} ||
exit 1
213 ${kadmin} modify
--expiration-time=2012-06-12 account-expired@
${R} ||
exit 1
215 ${kadmin} add
-p foo
--use-defaults foo@
${RH} ||
exit 1
218 ${kadmin} add
-p foo
--use-defaults -- -p ||
exit 1
219 ${kadmin} delete
-- -p ||
exit 1
221 echo "Doing database check"
222 ${kadmin} check
${R} ||
exit 1
223 ${kadmin} check
${R2} ||
exit 1
224 ${kadmin} check
${R3} ||
exit 1
225 ${kadmin} check
${R4} ||
exit 1
226 ${kadmin5} check
${R5} ||
exit 1
227 ${kadmin} check
${R6} ||
exit 1
228 ${kadmin} check
${R7} ||
exit 1
230 echo "Extracting enctypes"
231 ${ktutil} -k ${keytab} list
> tempfile ||
exit 1
232 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
233 awk '$1 !~ /1/ { exit 1 }' ||
exit 1
235 ${kadmin} get foo@
${R} > tempfile ||
exit 1
236 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
238 enctype_sans_aes
=`echo $enctypes | sed 's/aes[^ ]*//g'`
239 enctype_sans_des3
=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
241 echo "deleting all but des enctypes on kt-des3 in keytab"
242 ${kadmin} ext -k ${keytab} kt-des3@${R} ||
exit 1
243 for a
in ${enctype_sans_des3} ; do
244 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
247 echo "checking globbing keys rules"
248 ${kadmin} get foo
/des3-only@
${R} > tempfile ||
exit 1
249 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
250 if [ X
"$enctypes" != Xdes3-cbc-sha1
] ; then
251 echo "des3 only is not only des3: $enctypes"
255 ${kadmin} get foo
/aes-only@
${R} > tempfile ||
exit 1
256 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
257 if [ X
"$enctypes" != Xaes256-cts-hmac-sha1-96
] ; then
258 echo "aes only is not only aes: $enctypes"
263 echo foo
> ${objdir}/foopassword
265 echo Starting kdc
; > messages.log
266 env MallocStackLogging
=1 MallocStackLoggingNoCompact
=1 MallocErrorAbort
=1 MallocLogFile
=${objdir}/malloc-log \
271 if [ "$?" != 0 ] ; then
276 echo Starting kpasswdd
; > messages.log
277 env
${HEIM_MALLOC_DEBUG} ${kpasswdd} &
281 trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT
285 echo "Getting client initial tickets"; > messages.log
286 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
287 { ec
=1 ; eval "${testfailed}"; }
288 echo "Doing krbtgt key rollover"; > messages.log
289 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} ||
exit 1
290 echo "Getting tickets"; > messages.log
291 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
292 echo "Listing tickets"; > messages.log
293 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
294 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
295 { ec
=1 ; eval "${testfailed}"; }
298 echo "Getting client initial tickets (http transport)"; > messages.log
299 ${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
300 { ec
=1 ; eval "${testfailed}"; }
303 echo "Testing capaths logic"
304 ${kinit} --password-file=${objdir}/foopassword \
305 -e ${aesenctype} -e ${aesenctype} \
307 { ec
=1 ; eval "${testfailed}"; }
309 echo "Getting x-realm tickets with capaths for $R -> $R2"
310 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
311 echo "Getting x-realm tickets with capaths for $R -> $R3"
312 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
313 echo "Getting x-realm tickets with capaths for $R -> $R4"
314 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
315 echo "Getting x-realm tickets with capaths for $R -> $R5"
316 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
317 echo "Getting x-realm tickets with capaths for $R -> $R6"
318 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
319 echo "Getting x-realm tickets with capaths for $R -> $R7"
320 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
323 echo "Testing capaths logic (reverse order)"
324 ${kinit} --password-file=${objdir}/foopassword \
325 -e ${aesenctype} -e ${aesenctype} \
327 { ec
=1 ; eval "${testfailed}"; }
329 echo "Getting x-realm tickets with capaths for $R -> $R4"
330 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
331 echo "Getting x-realm tickets with capaths for $R -> $R3"
332 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
333 echo "Getting x-realm tickets with capaths for $R -> $R2"
334 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
335 echo "Getting x-realm tickets with capaths for $R -> $R7"
336 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
337 echo "Getting x-realm tickets with capaths for $R -> $R6"
338 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
339 echo "Getting x-realm tickets with capaths for $R -> $R5"
340 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
343 echo "Testing forwardable/renewable flag copying in TGS-REQ"
344 ${kinit} -f --renewable -r 5d
--password-file=${objdir}/foopassword foo@
$R || \
345 { ec
=1 ; eval "${testfailed}"; }
346 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
347 ${klist} -f |
grep ${server} |
grep FRA
> /dev
/null || \
348 { ec
=1 ; eval "${testfailed}"; }
351 echo "Specific enctype"; > messages.log
352 ${kinit} --password-file=${objdir}/foopassword \
353 -e ${aesenctype} -e ${aesenctype} \
355 { ec
=1 ; eval "${testfailed}"; }
357 for a
in $enctypes; do
358 echo "Getting client initial tickets ($a)"; > messages.log
359 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
360 echo "Getting tickets"; > messages.log
361 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
362 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
367 echo "Getting client initial tickets"; > messages.log
368 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
369 { ec
=1 ; eval "${testfailed}"; }
370 for a
in $enctypes; do
371 echo "Getting tickets ($a)"; > messages.log
372 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
373 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
374 { ec
=1 ; eval "${testfailed}"; }
375 ${kdestroy} --credential=${server}@${R}
379 echo "Getting client initial tickets for cross realm case"; > messages.log
380 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
381 for a
in $enctypes; do
382 echo "Getting cross realm tickets ($a)"; > messages.log
383 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
384 echo " checking we we got back right ticket"
385 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
386 echo " checking if ticket is useful"
387 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
388 { ec
=1 ; eval "${testfailed}"; }
389 ${kdestroy} --credential=${server2}@${R2}
393 echo "Trying x-realm TGT with kvno 0 case";
394 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
395 { ec
=1 ; eval "${testfailed}"; }
396 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
397 echo "Getting cross realm tickets"; > messages.log
398 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
399 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
400 echo "Getting service ticket"; > messages.log
401 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
404 echo "Trying x-realm TGT with kvno 0 case with key rollover";
405 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
406 { ec
=1 ; eval "${testfailed}"; }
407 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
408 echo "Getting cross realm tickets"; > messages.log
409 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
410 echo "Rolling over cross realm keys"; > messages.log
411 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
412 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
413 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
414 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
415 echo "Getting service ticket"; > messages.log
416 echo "Start tracing kdc, then hit return"
417 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
420 echo "Trying x-realm TGT with no kvno case";
421 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
422 { ec
=1 ; eval "${testfailed}"; }
423 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
424 echo "Getting cross realm tickets"; > messages.log
425 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
426 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
427 echo "Getting service ticket"; > messages.log
428 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
431 echo "Trying x-realm TGT with no kvno case with key rollover";
432 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
433 { ec
=1 ; eval "${testfailed}"; }
434 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
435 echo "Getting cross realm tickets"; > messages.log
436 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
437 echo "Rolling over cross realm keys"; > messages.log
438 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
439 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
440 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
441 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
442 echo "Getting service ticket"; > messages.log
443 echo "Start tracing kdc, then hit return"
444 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
447 echo "try all permutations"; > messages.log
448 for a
in $enctypes; do
449 echo "Getting client initial tickets ($a)"; > messages.log
450 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@
$R || \
451 { ec
=1 ; eval "${testfailed}"; }
452 for b
in $enctypes; do
453 echo "Getting tickets ($a -> $b)"; > messages.log
454 ${kgetcred} -e $b ${server}@${R} || \
455 { ec
=1 ; eval "${testfailed}"; }
456 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
457 { ec
=1 ; eval "${testfailed}"; }
458 ${kdestroy} --credential=${server}@${R}
463 echo "Getting client initial tickets ip based name"; > messages.log
464 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
465 echo "Getting ip based name tickets"; > messages.log
466 ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
467 echo " checking we we got back right ticket"
468 ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
469 echo " checking if ticket is useful"
470 ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
471 { ec
=1 ; eval "${testfailed}"; }
474 echo "Getting client initial tickets ip based name (alias)"; > messages.log
475 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
476 for a
in ${serveripname} ${serveripname2} ; do
477 echo "Getting ip based name tickets (alias) $a"; > messages.log
478 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
479 echo " checking we we got back right ticket"
480 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
481 echo " checking if ticket is useful"
482 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
483 { ec
=1 ; eval "${testfailed}"; }
487 echo "Getting server initial tickets"; > messages.log
488 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
489 echo "Listing tickets"; > messages.log
490 ${klist} |
grep "Principal: ${server}" > /dev
/null || \
491 { ec
=1 ; eval "${testfailed}"; }
494 echo "Getting key for key that are a subset in keytab compared to kdb"
495 ${kinit} --keytab=${keytab} kt-des3@${R}
496 ${klist} |
grep "Principal: kt-des3" > /dev
/null || \
497 { ec
=1 ; eval "${testfailed}"; }
500 echo "initial tickets for deleted user test case"; > messages.log
501 ${kinit} --password-file=${objdir}/foopassword remove@
$R || \
502 { ec
=1 ; eval "${testfailed}"; }
503 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
504 echo "try getting ticket with deleted user"; > messages.log
505 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
508 echo "cross realm case (deleted user)"; > messages.log
509 ${kinit} --password-file=${objdir}/foopassword remove2@
$R2 || \
510 { ec
=1 ; eval "${testfailed}"; }
511 ${kgetcred} krbtgt/${R}@${R2} 2> /dev
/null || \
512 { ec
=1 ; eval "${testfailed}"; }
513 ${kadmin} delete remove2@
${R2} ||
exit 1
514 ${kgetcred} ${server}@${R} 2> /dev
/null || \
515 { ec
=1 ; eval "${testfailed}"; }
518 echo "rename user"; > messages.log
519 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
520 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
521 { ec
=1 ; eval "${testfailed}"; }
522 ${kadmin} rename rename@${R} rename2@${R} ||
exit 1
523 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
524 { ec
=1 ; eval "${testfailed}"; }
526 ${kadmin} delete rename2@
${R} ||
exit 1
528 echo "rename user to another realm"; > messages.log
529 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
530 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
531 { ec
=1 ; eval "${testfailed}"; }
532 ${kadmin} rename rename@${R} rename@${R2} ||
exit 1
533 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
534 { ec
=1 ; eval "${testfailed}"; }
536 ${kadmin} delete rename@
${R2} ||
exit 1
538 echo deleting all but aes enctypes on krbtgt
539 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} ||
exit 1
541 echo deleting all but des enctypes on server-des3
542 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} ||
exit 1
543 ${kadmin} ext -k ${keytab} ${server}-des3@${R} ||
exit 1
545 echo "try all permutations (only aes)"; > messages.log
546 for a
in $enctypes; do
547 echo "Getting client initial tickets ($a)"; > messages.log
548 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
549 { ec
=1 ; eval "${testfailed}"; }
550 for b
in $enctypes; do
551 echo "Getting tickets ($a -> $b)"; > messages.log
552 ${kgetcred} -e $b ${server}@${R} || \
553 { ec
=1 ; eval "${testfailed}"; }
554 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
555 { ec
=1 ; eval "${testfailed}"; }
557 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
558 ${kgetcred} ${server}-des3@${R} || \
559 { ec
=1 ; eval "${testfailed}"; }
560 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
561 { ec
=1 ; eval "${testfailed}"; }
563 ${kdestroy} --credential=${server}@${R}
564 ${kdestroy} --credential=${server}-des3@${R}
569 echo deleting all enctypes on krbtgt
570 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
571 { ec
=1 ; eval "${testfailed}"; }
572 echo "try initial ticket w/o and keys on krbtgt"
573 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev
/null
&& \
574 { ec
=1 ; eval "${testfailed}"; }
575 echo "adding random aes key"
576 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
577 { ec
=1 ; eval "${testfailed}"; }
578 echo "try initial ticket with random aes key on krbtgt"
579 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
580 { ec
=1 ; eval "${testfailed}"; }
586 if ${hxtool} info |
grep 'rsa: hx509 null RSA' > /dev
/null
; then
589 if ${hxtool} info |
grep 'rand: not available' > /dev
/null
; then
592 if ${kinit} --help 2>&1 |
grep "CA certificates" > /dev
/null
; then
596 if ${hxtool} info |
grep 'ecdsa: hcrypto null' > /dev
/null
; then
601 # If we support pkinit and have RSA, lets try that
602 if test "$pkinit" = yes -a "$rsa" = yes ; then
604 echo "try anonymous pkinit"; > messages.log
605 ${kinit} --anonymous ${R} || \
606 { ec
=1 ; eval "${testfailed}"; }
607 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
610 for type in "" "--pk-use-enckey"; do
611 echo "Trying pk-init (principal in certificate) $type"; > messages.log
612 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
613 { ec
=1 ; eval "${testfailed}"; }
614 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
617 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
618 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
619 { ec
=1 ; eval "${testfailed}"; }
620 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
623 echo "Trying pk-init (password protected key) $type"; > messages.log
624 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
625 { ec
=1 ; eval "${testfailed}"; }
626 ${kgetcred} ${server}@${R} || \
627 { ec
=1 ; eval "${testfailed}"; }
630 echo "Trying pk-init (proxy cert) $type"; > messages.log
631 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
632 { ec
=1 ; eval "${testfailed}"; }
633 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
638 if test "$ecdsa" = yes > /dev
/null
; then
639 echo "Trying pk-init (ec certificate)"
641 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
642 { ec
=1 ; eval "${testfailed}"; }
643 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
645 grep 'PK-INIT using ecdh' messages.log
> /dev
/null || \
646 { ec
=1 ; eval "${testfailed}"; }
650 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
653 echo "tickets for impersonate test case"; > messages.log
654 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
655 { ec
=1 ; eval "${testfailed}"; }
656 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
657 { ec
=1 ; eval "${testfailed}"; }
658 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
659 { ec
=1 ; eval "${testfailed}"; }
660 echo " negative check"
661 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev
/null
&& \
662 { ec
=1 ; eval "${testfailed}"; }
664 echo "test constrained delegation"; > messages.log
665 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
666 { ec
=1 ; eval "${testfailed}"; }
668 --out-cache=${o2cache} \
669 --delegation-credential-cache=${ocache} \
671 { ec
=1 ; eval "${testfailed}"; }
672 echo " try using the credential"
673 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
674 { ec
=1 ; eval "${testfailed}"; }
675 echo " negative check"
677 --out-cache=${o2cache} \
678 --delegation-credential-cache=${ocache} \
679 bar@
${R} 2>/dev
/null
&& \
680 { ec
=1 ; eval "${testfailed}"; }
682 echo "test constrained delegation impersonation (non forward)"; > messages.log
684 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
685 { ec
=1 ; eval "${testfailed}"; }
686 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
687 { ec
=1 ; eval "${testfailed}"; }
689 echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
691 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
692 { ec
=1 ; eval "${testfailed}"; }
693 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
694 { ec
=1 ; eval "${testfailed}"; }
698 echo "check renewing" > messages.log
699 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
700 { ec
=1 ; eval "${testfailed}"; }
703 { ec
=1 ; eval "${testfailed}"; }
704 echo "check renewing MIT interface" > messages.log
705 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
706 { ec
=1 ; eval "${testfailed}"; }
708 env KRB5CCNAME
=${cache} ${test_renew} || \
709 { ec
=1 ; eval "${testfailed}"; }
712 echo "checking server aliases"; > messages.log
713 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
714 { ec
=1 ; eval "${testfailed}"; }
715 echo "Getting tickets"; > messages.log
716 ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
717 ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
718 echo " verify entry in keytab"
719 ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
720 { ec
=1 ; eval "${testfailed}"; }
721 echo " verify entry in keytab with any"
722 ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
723 { ec
=1 ; eval "${testfailed}"; }
724 echo " verify failure with alias entry"
725 ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev
/null
&& \
726 { ec
=1 ; eval "${testfailed}"; }
727 echo " verify alias entry in keytab with any"
728 ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
729 { ec
=1 ; eval "${testfailed}"; }
732 echo "testing removal of keytab"
733 ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
734 test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
736 echo "Checking client pw expire"; > messages.log
737 ${kinit} --password-file=${objdir}/foopassword \
738 pw-expire@
${R} 2>kinit-log.tmp|| \
739 { ec
=1 ; eval "${testfailed}"; }
740 grep 'Your password will expire' kinit-log.tmp
> /dev
/null || \
741 { ec
=1 ; eval "${testfailed}"; }
743 ${test_gic} --client=pw-expire@
${R} --password=foo
> kinit-log.tmp
2>/dev
/null
744 ${EGREP} "^e type: 6" kinit-log.tmp
> /dev
/null || \
745 { ec
=1 ; eval "${testfailed}"; }
746 echo " test_gic passes"
749 echo "Checking password expiration" ; > messages.log
751 kinitpty
=${objdir}/foopassword.rkpty
752 cat > ${kinitpty} <<EOF
755 expect Password has expired
760 expect Success: Password changed
763 echo "Checking client pw expire"; > messages.log
764 ${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \
765 { ec
=1 ; eval "${testfailed}"; }
770 echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})"
771 sh
${leaks_kill} kdc
$kdcpid ||
exit 1
772 sh
${leaks_kill} kpasswdd
$kpasswddpid ||
exit 1