3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 top_builddir
="@top_builddir@"
35 env_setup
="@env_setup@"
40 KRB5_CONFIG
="${1-${objdir}/krb5.conf}"
43 testfailed
="echo test failed; cat messages.log; exit 1"
45 # If there is no useful db support compile in, disable test
59 kadmin
="${kadmin} -l -r $R"
60 kadmin5
="${kadmin} -l -r $R5"
61 kdc
="${kdc} --addresses=localhost -P $port"
63 server
=host
/datan.
test.h5l.se
64 server2
=host
/computer.example.com
65 serverip
=host
/10.11.12.13
66 serveripname
=host
/ip.
test.h5l.org
67 serveripname2
=host
/10.11.12.14
68 alias1
=host
/datan.example.com
70 aliaskeytab
=host
/datan
71 cache
="FILE:${objdir}/cache.krb5"
72 ocache
="FILE:${objdir}/ocache.krb5"
73 o2cache
="FILE:${objdir}/o2cache.krb5"
74 icache
="FILE:${objdir}/icache.krb5"
75 keytabfile
=${objdir}/server.keytab
76 keytab
="FILE:${keytabfile}"
77 ps
="proxy-service@${R}"
78 aesenctype
="aes256-cts-hmac-sha1-96"
80 kinit
="${kinit} -c $cache ${afs_no_afslog}"
81 klist
="${klist} -c $cache"
82 kgetcred
="${kgetcred} -c $cache"
83 kgetcred_imp
="${kgetcred} -c $cache --out-cache=${ocache}"
84 kdestroy
="${kdestroy} -c $cache ${afs_no_unlog}"
85 kimpersonate
="${kimpersonate} -k ${keytab} --ccache=${ocache}"
86 test_set_kvno0
="${test_set_kvno0} -c $cache"
95 echo Creating database
98 --realm-max-ticket-life=1day \
99 --realm-max-renewable-life=1month \
104 --realm-max-ticket-life=1day \
105 --realm-max-renewable-life=1month \
110 --realm-max-ticket-life=1day \
111 --realm-max-renewable-life=1month \
116 --realm-max-ticket-life=1day \
117 --realm-max-renewable-life=1month \
122 --realm-max-ticket-life=1day \
123 --realm-max-renewable-life=1month \
128 --realm-max-ticket-life=1day \
129 --realm-max-renewable-life=1month \
134 --realm-max-ticket-life=1day \
135 --realm-max-renewable-life=1month \
140 --realm-max-ticket-life=1day \
141 --realm-max-renewable-life=1month \
144 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
145 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
146 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
147 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
149 ${kadmin} add
-p foo
--use-defaults foo@
${R} ||
exit 1
150 ${kadmin} add
-p foo
--use-defaults foo@
${R2} ||
exit 1
151 ${kadmin} add
-p foo
--use-defaults foo@
${R3} ||
exit 1
152 ${kadmin} add
-p foo
--use-defaults foo@
${R4} ||
exit 1
153 ${kadmin5} add
-p foo
--use-defaults foo@
${R5} ||
exit 1
154 ${kadmin} add
-p foo
--use-defaults foo@
${R6} ||
exit 1
155 ${kadmin} add
-p foo
--use-defaults foo@
${R7} ||
exit 1
156 ${kadmin} add
-p bar
--use-defaults bar@
${R} ||
exit 1
157 ${kadmin} add
-p foo
--use-defaults remove@
${R} ||
exit 1
158 ${kadmin} add -p kaka --use-defaults ${server}@${R} ||
exit 1
159 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} ||
exit 1
160 ${kadmin} add
-p kaka
--use-defaults kt-des3@
${R} ||
exit 1
161 ${kadmin} add
-p foo
--use-defaults ${ps} ||
exit 1
162 ${kadmin} modify
--attributes=+trusted-for-delegation
${ps} ||
exit 1
163 ${kadmin} modify --constrained-delegation=${server} ${ps} ||
exit 1
164 ${kadmin} ext -k ${keytab} ${server}@${R} ||
exit 1
165 ${kadmin} ext -k ${keytab} ${ps} ||
exit 1
167 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} ||
exit 1
168 ${kadmin} ext -k ${keytab} ${server2}@${R2} ||
exit 1
169 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} ||
exit 1
170 ${kadmin} ext -k ${keytab} ${serverip}@${R} ||
exit 1
171 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} ||
exit 1
172 ${kadmin} ext -k ${keytab} ${serveripname}@${R} ||
exit 1
173 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
174 ${kadmin} add
-p foo
--use-defaults remove2@
${R2} ||
exit 1
176 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} ||
exit 1
177 ${kadmin} ext -k ${keytab} ${alias1}@${R} ||
exit 1
178 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
180 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} ||
exit 1
181 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} ||
exit 1
183 ${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} ||
exit 1
184 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} ||
exit 1
186 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} ||
exit 1
187 ${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} ||
exit 1
189 ${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} ||
exit 1
190 ${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} ||
exit 1
192 ${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} ||
exit 1
193 ${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} ||
exit 1
195 ${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} ||
exit 1
196 ${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} ||
exit 1
198 ${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} ||
exit 1
199 ${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} ||
exit 1
201 ${kadmin} add
-p foo
--use-defaults pw-expire@
${R} ||
exit 1
202 ${kadmin} modify
--pw-expiration-time=+1day pw-expire@
${R} ||
exit 1
204 ${kadmin} add
-p foo
--use-defaults foo@
${RH} ||
exit 1
207 ${kadmin} add
-p foo
--use-defaults -- -p ||
exit 1
208 ${kadmin} delete
-- -p ||
exit 1
210 echo "Doing database check"
211 ${kadmin} check
${R} ||
exit 1
212 ${kadmin} check
${R2} ||
exit 1
213 ${kadmin} check
${R3} ||
exit 1
214 ${kadmin} check
${R4} ||
exit 1
215 ${kadmin5} check
${R5} ||
exit 1
216 ${kadmin} check
${R6} ||
exit 1
217 ${kadmin} check
${R7} ||
exit 1
219 echo "Extracting enctypes"
220 ${ktutil} -k ${keytab} list
> tempfile ||
exit 1
221 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
222 awk '$1 !~ /1/ { exit 1 }' ||
exit 1
224 ${kadmin} get foo@
${R} > tempfile ||
exit 1
225 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'`
227 enctype_sans_aes
=`echo $enctypes | sed 's/aes[^ ]*//g'`
228 enctype_sans_des3
=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
230 echo "deleting all but des enctypes on kt-des3 in keytab"
231 ${kadmin} ext -k ${keytab} kt-des3@${R} ||
exit 1
232 for a
in ${enctype_sans_des3} ; do
233 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
236 echo foo
> ${objdir}/foopassword
239 env MallocStackLogging
=1 MallocStackLoggingNoCompact
=1 MallocErrorAbort
=1 MallocLogFile
=${objdir}/malloc-log \
244 if [ "$?" != 0 ] ; then
249 trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
253 echo "Getting client initial tickets"; > messages.log
254 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
255 { ec
=1 ; eval "${testfailed}"; }
256 echo "Doing krbtgt key rollover"; > messages.log
257 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} ||
exit 1
258 echo "Getting tickets"; > messages.log
259 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
260 echo "Listing tickets"; > messages.log
261 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
262 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
263 { ec
=1 ; eval "${testfailed}"; }
266 echo "Getting client initial tickets (http transport)"; > messages.log
267 ${kinit} --password-file=${objdir}/foopassword foo@${RH} || \
268 { ec
=1 ; eval "${testfailed}"; }
271 echo "Testing capaths logic"
272 ${kinit} --password-file=${objdir}/foopassword \
273 -e ${aesenctype} -e ${aesenctype} \
275 { ec
=1 ; eval "${testfailed}"; }
277 echo "Getting x-realm tickets with capaths for $R -> $R2"
278 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
279 echo "Getting x-realm tickets with capaths for $R -> $R3"
280 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
281 echo "Getting x-realm tickets with capaths for $R -> $R4"
282 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
283 echo "Getting x-realm tickets with capaths for $R -> $R5"
284 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
285 echo "Getting x-realm tickets with capaths for $R -> $R6"
286 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
287 echo "Getting x-realm tickets with capaths for $R -> $R7"
288 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
291 echo "Testing capaths logic (reverse order)"
292 ${kinit} --password-file=${objdir}/foopassword \
293 -e ${aesenctype} -e ${aesenctype} \
295 { ec
=1 ; eval "${testfailed}"; }
297 echo "Getting x-realm tickets with capaths for $R -> $R4"
298 ${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; }
299 echo "Getting x-realm tickets with capaths for $R -> $R3"
300 ${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; }
301 echo "Getting x-realm tickets with capaths for $R -> $R2"
302 ${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; }
303 echo "Getting x-realm tickets with capaths for $R -> $R7"
304 ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; }
305 echo "Getting x-realm tickets with capaths for $R -> $R6"
306 ${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; }
307 echo "Getting x-realm tickets with capaths for $R -> $R5"
308 ${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; }
311 echo "Specific enctype"; > messages.log
312 ${kinit} --password-file=${objdir}/foopassword \
313 -e ${aesenctype} -e ${aesenctype} \
315 { ec
=1 ; eval "${testfailed}"; }
317 for a
in $enctypes; do
318 echo "Getting client initial tickets ($a)"; > messages.log
319 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
320 echo "Getting tickets"; > messages.log
321 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
322 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
327 echo "Getting client initial tickets"; > messages.log
328 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
329 { ec
=1 ; eval "${testfailed}"; }
330 for a
in $enctypes; do
331 echo "Getting tickets ($a)"; > messages.log
332 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
333 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
334 { ec
=1 ; eval "${testfailed}"; }
335 ${kdestroy} --credential=${server}@${R}
339 echo "Getting client initial tickets for cross realm case"; > messages.log
340 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
341 for a
in $enctypes; do
342 echo "Getting cross realm tickets ($a)"; > messages.log
343 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
344 echo " checking we we got back right ticket"
345 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
346 echo " checking if ticket is useful"
347 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
348 { ec
=1 ; eval "${testfailed}"; }
349 ${kdestroy} --credential=${server2}@${R2}
353 echo "Trying x-realm TGT with kvno 0 case";
354 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
355 { ec
=1 ; eval "${testfailed}"; }
356 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
357 echo "Getting cross realm tickets"; > messages.log
358 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
359 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
360 echo "Getting service ticket"; > messages.log
361 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
364 echo "Trying x-realm TGT with kvno 0 case with key rollover";
365 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
366 { ec
=1 ; eval "${testfailed}"; }
367 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
368 echo "Getting cross realm tickets"; > messages.log
369 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
370 echo "Rolling over cross realm keys"; > messages.log
371 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
372 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
373 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
374 ${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; }
375 echo "Getting service ticket"; > messages.log
376 echo "Start tracing kdc, then hit return"
377 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
380 echo "Trying x-realm TGT with no kvno case";
381 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
382 { ec
=1 ; eval "${testfailed}"; }
383 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
384 echo "Getting cross realm tickets"; > messages.log
385 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
386 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
387 echo "Getting service ticket"; > messages.log
388 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
391 echo "Trying x-realm TGT with no kvno case with key rollover";
392 ${kinit} --password-file=${objdir}/foopassword foo@
$R ||
393 { ec
=1 ; eval "${testfailed}"; }
394 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
395 echo "Getting cross realm tickets"; > messages.log
396 ${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
397 echo "Rolling over cross realm keys"; > messages.log
398 ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; }
399 ${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; }
400 ${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; }
401 ${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; }
402 echo "Getting service ticket"; > messages.log
403 echo "Start tracing kdc, then hit return"
404 ${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
407 echo "try all permutations"; > messages.log
408 for a
in $enctypes; do
409 echo "Getting client initial tickets ($a)"; > messages.log
410 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@
$R || \
411 { ec
=1 ; eval "${testfailed}"; }
412 for b
in $enctypes; do
413 echo "Getting tickets ($a -> $b)"; > messages.log
414 ${kgetcred} -e $b ${server}@${R} || \
415 { ec
=1 ; eval "${testfailed}"; }
416 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
417 { ec
=1 ; eval "${testfailed}"; }
418 ${kdestroy} --credential=${server}@${R}
423 echo "Getting client initial tickets ip based name"; > messages.log
424 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
425 echo "Getting ip based name tickets"; > messages.log
426 ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
427 echo " checking we we got back right ticket"
428 ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
429 echo " checking if ticket is useful"
430 ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
431 { ec
=1 ; eval "${testfailed}"; }
434 echo "Getting client initial tickets ip based name (alias)"; > messages.log
435 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
436 for a
in ${serveripname} ${serveripname2} ; do
437 echo "Getting ip based name tickets (alias) $a"; > messages.log
438 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
439 echo " checking we we got back right ticket"
440 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
441 echo " checking if ticket is useful"
442 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
443 { ec
=1 ; eval "${testfailed}"; }
447 echo "Getting server initial tickets"; > messages.log
448 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
449 echo "Listing tickets"; > messages.log
450 ${klist} |
grep "Principal: ${server}" > /dev
/null || \
451 { ec
=1 ; eval "${testfailed}"; }
454 echo "Getting key for key that are a subset in keytab compared to kdb"
455 ${kinit} --keytab=${keytab} kt-des3@${R}
456 ${klist} |
grep "Principal: kt-des3" > /dev
/null || \
457 { ec
=1 ; eval "${testfailed}"; }
460 echo "initial tickets for deleted user test case"; > messages.log
461 ${kinit} --password-file=${objdir}/foopassword remove@
$R || \
462 { ec
=1 ; eval "${testfailed}"; }
463 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
464 echo "try getting ticket with deleted user"; > messages.log
465 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
468 echo "cross realm case (deleted user)"; > messages.log
469 ${kinit} --password-file=${objdir}/foopassword remove2@
$R2 || \
470 { ec
=1 ; eval "${testfailed}"; }
471 ${kgetcred} krbtgt/${R}@${R2} 2> /dev
/null || \
472 { ec
=1 ; eval "${testfailed}"; }
473 ${kadmin} delete remove2@
${R2} ||
exit 1
474 ${kgetcred} ${server}@${R} 2> /dev
/null || \
475 { ec
=1 ; eval "${testfailed}"; }
478 echo "rename user"; > messages.log
479 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
480 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
481 { ec
=1 ; eval "${testfailed}"; }
482 ${kadmin} rename rename@${R} rename2@${R} ||
exit 1
483 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
484 { ec
=1 ; eval "${testfailed}"; }
486 ${kadmin} delete rename2@
${R} ||
exit 1
488 echo "rename user to another realm"; > messages.log
489 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
490 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
491 { ec
=1 ; eval "${testfailed}"; }
492 ${kadmin} rename rename@${R} rename@${R2} ||
exit 1
493 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
494 { ec
=1 ; eval "${testfailed}"; }
496 ${kadmin} delete rename@
${R2} ||
exit 1
498 echo deleting all but aes enctypes on krbtgt
499 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} ||
exit 1
501 echo deleting all but des enctypes on server-des3
502 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} ||
exit 1
503 ${kadmin} ext -k ${keytab} ${server}-des3@${R} ||
exit 1
505 echo "try all permutations (only aes)"; > messages.log
506 for a
in $enctypes; do
507 echo "Getting client initial tickets ($a)"; > messages.log
508 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
509 { ec
=1 ; eval "${testfailed}"; }
510 for b
in $enctypes; do
511 echo "Getting tickets ($a -> $b)"; > messages.log
512 ${kgetcred} -e $b ${server}@${R} || \
513 { ec
=1 ; eval "${testfailed}"; }
514 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
515 { ec
=1 ; eval "${testfailed}"; }
517 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
518 ${kgetcred} ${server}-des3@${R} || \
519 { ec
=1 ; eval "${testfailed}"; }
520 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
521 { ec
=1 ; eval "${testfailed}"; }
523 ${kdestroy} --credential=${server}@${R}
524 ${kdestroy} --credential=${server}-des3@${R}
529 echo deleting all enctypes on krbtgt
530 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
531 { ec
=1 ; eval "${testfailed}"; }
532 echo "try initial ticket w/o and keys on krbtgt"
533 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev
/null
&& \
534 { ec
=1 ; eval "${testfailed}"; }
535 echo "adding random aes key"
536 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
537 { ec
=1 ; eval "${testfailed}"; }
538 echo "try initial ticket with random aes key on krbtgt"
539 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
540 { ec
=1 ; eval "${testfailed}"; }
546 if ${hxtool} info |
grep 'rsa: hx509 null RSA' > /dev
/null
; then
549 if ${hxtool} info |
grep 'rand: not available' > /dev
/null
; then
552 if ${kinit} --help 2>&1 |
grep "CA certificates" > /dev
/null
; then
556 if ${hxtool} info |
grep 'ecdsa: hcrypto null' > /dev
/null
; then
561 # If we support pkinit and have RSA, lets try that
562 if test "$pkinit" = yes -a "$rsa" = yes ; then
564 echo "try anonymous pkinit"; > messages.log
565 ${kinit} --anonymous ${R} || \
566 { ec
=1 ; eval "${testfailed}"; }
567 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
570 for type in "" "--pk-use-enckey"; do
571 echo "Trying pk-init (principal in certificate) $type"; > messages.log
572 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
573 { ec
=1 ; eval "${testfailed}"; }
574 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
577 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
578 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
579 { ec
=1 ; eval "${testfailed}"; }
580 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
583 echo "Trying pk-init (password protected key) $type"; > messages.log
584 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
585 { ec
=1 ; eval "${testfailed}"; }
586 ${kgetcred} ${server}@${R} || \
587 { ec
=1 ; eval "${testfailed}"; }
590 echo "Trying pk-init (proxy cert) $type"; > messages.log
591 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
592 { ec
=1 ; eval "${testfailed}"; }
593 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
598 if test "$ecdsa" = yes > /dev
/null
; then
599 echo "Trying pk-init (ec certificate)"
601 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
602 { ec
=1 ; eval "${testfailed}"; }
603 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
605 grep 'PK-INIT using ecdh' messages.log
> /dev
/null || \
606 { ec
=1 ; eval "${testfailed}"; }
610 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
613 echo "tickets for impersonate test case"; > messages.log
614 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
615 { ec
=1 ; eval "${testfailed}"; }
616 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
617 { ec
=1 ; eval "${testfailed}"; }
618 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
619 { ec
=1 ; eval "${testfailed}"; }
620 echo " negative check"
621 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev
/null
&& \
622 { ec
=1 ; eval "${testfailed}"; }
624 echo "test constrained delegation"; > messages.log
625 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
626 { ec
=1 ; eval "${testfailed}"; }
628 --out-cache=${o2cache} \
629 --delegation-credential-cache=${ocache} \
631 { ec
=1 ; eval "${testfailed}"; }
632 echo " try using the credential"
633 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
634 { ec
=1 ; eval "${testfailed}"; }
635 echo " negative check"
637 --out-cache=${o2cache} \
638 --delegation-credential-cache=${ocache} \
639 bar@
${R} 2>/dev
/null
&& \
640 { ec
=1 ; eval "${testfailed}"; }
642 echo "test constrained delegation impersonation (non forward)"; > messages.log
644 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
645 { ec
=1 ; eval "${testfailed}"; }
646 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
647 { ec
=1 ; eval "${testfailed}"; }
649 echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
651 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
652 { ec
=1 ; eval "${testfailed}"; }
653 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
654 { ec
=1 ; eval "${testfailed}"; }
658 echo "check renewing" > messages.log
659 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
660 { ec
=1 ; eval "${testfailed}"; }
663 { ec
=1 ; eval "${testfailed}"; }
664 echo "check renewing MIT interface" > messages.log
665 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
666 { ec
=1 ; eval "${testfailed}"; }
668 env KRB5CCNAME
=${cache} ${test_renew} || \
669 { ec
=1 ; eval "${testfailed}"; }
672 echo "checking server aliases"; > messages.log
673 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
674 { ec
=1 ; eval "${testfailed}"; }
675 echo "Getting tickets"; > messages.log
676 ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
677 ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
678 echo " verify entry in keytab"
679 ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
680 { ec
=1 ; eval "${testfailed}"; }
681 echo " verify entry in keytab with any"
682 ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
683 { ec
=1 ; eval "${testfailed}"; }
684 echo " verify failure with alias entry"
685 ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev
/null
&& \
686 { ec
=1 ; eval "${testfailed}"; }
687 echo " verify alias entry in keytab with any"
688 ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
689 { ec
=1 ; eval "${testfailed}"; }
692 echo "testing removal of keytab"
693 ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
694 test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
696 echo "Getting client pw expire"; > messages.log
697 ${kinit} --password-file=${objdir}/foopassword \
698 pw-expire@
${R} 2>kinit-log.tmp|| \
699 { ec
=1 ; eval "${testfailed}"; }
700 grep 'Your password will expire' kinit-log.tmp
> /dev
/null || \
701 { ec
=1 ; eval "${testfailed}"; }
703 ${test_gic} --client=pw-expire@
${R} --password=foo
> kinit-log.tmp
2>/dev
/null
704 ${EGREP} "^e type: 6" kinit-log.tmp
> /dev
/null || \
705 { ec
=1 ; eval "${testfailed}"; }
706 echo " test_gic passes"
709 echo "killing kdc (${kdcpid})"
710 sh
${leaks_kill} kdc
$kdcpid ||
exit 1