testprogs: Consistantly use kinit -c $KRB5CCNAME

[samba.git] / testprogs / blackbox / test_client_kerberos.sh

#!/bin/sh
# Blackbox tests for kerberos client options
# Copyright (c) 2019      Andreas Schneider <asn@samba.org>

if [ $# -lt 6 ]; then
cat <<EOF
Usage: test_client_kerberos.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION
EOF
exit 1;
fi

DOMAIN=$1
REALM=$2
USERNAME=$3
PASSWORD=$4
SERVER=$5
PREFIX=$6
CONFIGURATION=$7
shift 7

failed=0

. $(dirname $0)/subunit.sh
. $(dirname $0)/common_test_fns.inc

samba_bindir="$BINDIR"
samba_rpcclient="$samba_bindir/rpcclient"
samba_smbclient="$samba_bindir/smbclient"
samba_smbtorture="$samba_bindir/smbtorture"

samba_kinit=kinit
if test -x ${samba_bindir}/samba4kinit; then
    samba_kinit=${samba_bindir}/samba4kinit
fi

samba_kdestroy=kdestroy
if test -x ${samba_bindir}/samba4kdestroy; then
    samba_kinit=${samba_bindir}/samba4kdestroy
fi

test_rpc_getusername() {
    eval echo "$cmd"
    out=$(eval $cmd)
    ret=$?
    if [ $ret -ne 0 ] ; then
       echo "Failed to connect! Error: $ret"
       echo "$out"
       return 1
    fi

    echo "$out" | grep -q "Account Name: $USERNAME, Authority Name: $DOMAIN"
    ret=$?
    if [ $ret -ne 0 ] ; then
       echo "Incorrect account/authority name! Error: $ret"
       echo "$out"
       return 1
    fi

    return 0
}

test_smbclient() {
    eval echo "$cmd"
    out=$(eval $cmd)
    ret=$?
    if [ $ret -ne 0 ] ; then
       echo "Failed to connect! Error: $ret"
       echo "$out"
    fi

    return $ret
}

test_smbclient_kerberos() {
    eval echo "$cmd -d5"
    out=$(eval $cmd)
    ret=$?
    if [ $ret -ne 0 ] ; then
        echo "Failed to connect! Error: $ret"
        echo "$out"
        return 1
    fi

    echo "$out" | grep "Doing init for" >/dev/null 2>&1
    ret=$?
    if [ $ret -eq 0 ] ; then
        echo "Kinit failed for smbclient"
        echo "$out"
        return 1
    fi

    return 0
}

KRB5CCNAME_PATH="$PREFIX/ccache_client_kerberos"
KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
export KRB5CCNAME

### RPCCLIENT (legacy)
cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient legacy ntlm" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient legacy ntlm interactive" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient legacy ntlm interactive with -U" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient legacy kerberos" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
testit_expect_failure "test rpcclient legacy kerberos interactive (negative test)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_rpcclient ncacn_np:${SERVER} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient legacy kerberos ccache" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

### RPCCLIENT
cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient ntlm" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient ntlm interactive" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient ntlm interactive with -U" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient kerberos" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1'
testit_expect_failure "test rpcclient kerberos interactive (negative test)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_rpcclient ncacn_np:${SERVER} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1'
testit "test rpcclient kerberos ccache" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

### SMBTORTURE (legacy)

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture legacy default" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture legacy ntlm (kerberos=no)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture legacy kerberos=yes" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbtorture -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture legacy kerberos=yes ccache" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbtorture -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit_expect_failure "test smbtorture legacy kerberos=no ccache (negative test)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

### SMBTORTURE

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture default" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture ntlm (kerberos=no)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture kerberos=yes" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbtorture --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit "test smbtorture kerberos=yes ccache" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbtorture --use-kerbers=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
testit_expect_failure "test smbtorture kerberos=no ccache (negative test)" \
    test_rpc_getusername || \
    failed=$(expr $failed + 1)
$samba_kdestroy

### SMBCLIENT (legacy)
cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient legacy ntlm" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient legacy ntlm interactive" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient legacy ntlm interactive with -U" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient legacy kerberos" \
    test_smbclient || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -k --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient legacy kerberos ccache" \
    test_smbclient || \
    failed=$(expr $failed + 1)
$samba_kdestroy

### SMBCLIENT tests for --use-kerberos=desired|required|disabled
cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient ntlm" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient ntlm interactive" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient ntlm interactive with -U" \
    test_smbclient || \
    failed=$(expr $failed + 1)

cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=desired --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient kerberos=desired" \
    test_smbclient_kerberos || \
    failed=$(expr $failed + 1)

cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient kerberos=required" \
    test_smbclient_kerberos || \
    failed=$(expr $failed + 1)

kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
cmd='$samba_smbclient //${SERVER}/tmp --use-krb5-ccache=$KRB5CCNAME ---configfile=${CONFIGURATION} -c "ls; quit"'
testit "test smbclient kerberos=required ccache" \
    test_smbclient || \
    failed=$(expr $failed + 1)
$samba_kdestroy

rm -rf $KRB5CCNAME_PATH

exit $failed