2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
8 Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLIENT CONFIGURATION
# Locate the binaries and helper scripts used by the tests. BINDIR and SRCDIR
# are read from the environment; nothing in this listing assigns them.
25 samba4bindir="$BINDIR"
26 samba4srcdir="$SRCDIR/source4"
# Default to whichever kinit is on PATH, but prefer the build-tree samba4kinit
# when that file exists and is executable.
# NOTE(review): $BINDIR is unquoted in the test, and the closing `fi` is not
# visible in this listing (the gutter jumps from 29 to 32).
27 samba4kinit_binary=kinit
28 if test -x $BINDIR/samba4kinit; then
29 samba4kinit_binary=$BINDIR/samba4kinit
32 samba_tool="$samba4bindir/samba-tool"
33 texpect="$samba4bindir/texpect"
# Same build-tree override for kpasswd.
# NOTE(review): neither a default value for samba4kpasswd nor the closing `fi`
# is visible here (gutter lines 34 and 37 are absent); confirm against the
# complete file.
35 if test -x $BINDIR/samba4kpasswd; then
36 samba4kpasswd=$BINDIR/samba4kpasswd
39 enableaccount="$samba_tool user enable"
40 machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache"
# Source the shared test helpers. testit, test_smbclient and
# system_or_builddir_binary are used below but not defined in this listing;
# presumably they come from these two files (confirm).
# NOTE(review): $(dirname $0) is unquoted, so a script path containing
# whitespace would break the sourcing.
42 . $(dirname $0)/subunit.sh
43 . $(dirname $0)/common_test_fns.inc
45 ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
46 ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
# Account name with a random suffix for this run. `mktemp -u` only prints a
# name and creates no file; the value is used purely as a user name here.
51 TEST_USER="$(mktemp -u kinittestuserXXXXXX)"
# Administrator connection options reused by the ldbmodify and samba-tool
# steps that do not rely on a ticket.
# NOTE(review): the administrator password is embedded in this string, which
# is exported and later expanded onto command lines. It is therefore visible
# in the environment of child processes and in process listings while those
# tools run; only acceptable for throwaway test-environment credentials.
53 ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
54 export ADMIN_LDBMODIFY_CONFIG
# Credential cache for the administrator's tickets. samba4kinit holds
# "<binary> -c <ccache>" and is expanded unquoted later so that it splits into
# a command plus arguments. ADMIN_KRB5CCNAME keeps naming this cache after
# KRB5CCNAME is repointed at the user cache further down.
56 KRB5CCNAME_PATH="$PREFIX/tmpccache"
57 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
58 samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
59 ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
# Remove any cache left by an earlier run, presumably so that a stale ticket
# cannot satisfy the checks below.
61 rm -rf $KRB5CCNAME_PATH
# Reset the domain password policy to defaults except for --min-pwd-age=0;
# presumably this keeps the back-to-back password changes below from being
# rejected (confirm).
63 testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
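# Store the administrator password for kinit's --password-file option.
# The file is recreated inside a umask 077 subshell so that only the invoking
# user can read it, and printf writes the value verbatim (no word splitting,
# globbing or echo option parsing of the password).
rm -f "$PREFIX/tmppassfile"
(umask 077 && printf '%s\n' "$PASSWORD" >"$PREFIX/tmppassfile")

# Obtain an administrator ticket in three principal-name styles (plain,
# --enterprise, --windows with --renewable), each time requesting a PAC, and
# prove the resulting cache is usable by listing $unc with smbclient.
# $samba4kinit and $enctype are left unquoted on purpose: both carry several
# words. unc and enctype are assigned outside this listing.
testit "kinit with password (initial)" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# Renew the renewable ticket obtained above. A failed renewal is now counted
# like every other step; the original line had no `|| failed=...` clause, so
# a renewal failure never reached the failure counter.
testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R || failed=$(expr $failed + 1)

test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)

# samba-tool authenticating with the ticket cache only (-k yes).
testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)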
# Create the test account through samba-tool, authenticating with the
# administrator ticket cache (-k yes).
# NOTE(review): the line assigning USERPASS is not visible in this listing
# (gutter line 81 is absent). The password is written with the default umask
# and is also passed on the samba-tool command line, where it shows up in
# process listings; acceptable only for a disposable test account.
82 echo $USERPASS >$PREFIX/tmpuserpassfile
83 testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create ${TEST_USER} $USERPASS $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)
# Query the server with an empty base DN and base scope for
# defaultNamingContext, keeping the second whitespace-separated field of the
# matching output line. $options is not assigned anywhere in this listing.
85 echo "Getting defaultNamingContext"
86 BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
# LDIF that adds servicePrincipalName host/<test user> to the account and
# replaces its userPrincipalName with nettest@$REALM.
# NOTE(review): this listing skips lines inside and after the here-document
# (gutter 90 and 95); the terminating EOF is not shown.
88 cat >$PREFIX/tmpldbmodify <<EOF
89 dn: cn=${TEST_USER},cn=users,$BASEDN
91 add: servicePrincipalName
92 servicePrincipalName: host/${TEST_USER}
93 replace: userPrincipalName
94 userPrincipalName: nettest@$REALM
# Apply the LDIF over LDAP using the administrator's Kerberos ticket (-k yes).
97 testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)
# Set the account's password and enable it, both with the administrator
# ticket.
# NOTE(review): --newpassword=$USERPASS places the password in argv.
99 testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword ${TEST_USER} --newpassword=$USERPASS $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)
101 testit "enable user with kerberos cache" $VALGRIND $PYTHON $enableaccount ${TEST_USER} -H ldap://$SERVER -k yes "$@" || failed=$(expr $failed + 1)
# Switch to a separate credential cache for the test user. ADMIN_KRB5CCNAME
# is not reassigned and still names $PREFIX/tmpccache.
103 KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
104 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
105 samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
# Clear any previous user cache, obtain a ticket as the new user from the
# password file, then check the ticket works by listing $unc with smbclient.
108 rm -f $KRB5CCNAME_PATH
109 testit "kinit with user password (after enable of user and password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
111 test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Change the user's password over RPC with explicit user%password credentials
# (-k no), then confirm that kinit accepts the new password.
# NOTE(review): both the old and the new password appear in argv on the
# samba-tool line, and the password file is rewritten with the default umask.
113 NEWUSERPASS=testPaSS@34%
114 testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U${TEST_USER}%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS "$@" || failed=$(expr $failed + 1)
116 echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
117 rm -f $KRB5CCNAME_PATH
118 testit "kinit with user password (after rpc password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
120 test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# The account's userPrincipalName was set to nettest@$REALM by the LDIF above.
# Check that kinit accepts that UPN in each of the three principal styles
# (plain, --enterprise, --windows), emptying the cache before every attempt so
# each smbclient check depends on the ticket just obtained.
122 rm -f $KRB5CCNAME_PATH
123 testit "kinit with password (NT-Principal style) using UPN" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
124 test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
126 rm -f $KRB5CCNAME_PATH
127 testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
128 test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
130 rm -f $KRB5CCNAME_PATH
131 testit "kinit with password (windows style) using UPN" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
132 test_smbclient "Test login with user kerberos ccache from windows UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# LDIF that moves the userPrincipalName to a suffix different from the realm
# (nettest@$REALM.org).
# NOTE(review): here-document lines are missing from this listing (gutter 136
# and 139), including the terminating EOF.
134 cat >$PREFIX/tmpldbmodify <<EOF
135 dn: cn=${TEST_USER},cn=users,$BASEDN
137 replace: userPrincipalName
138 userPrincipalName: nettest@$REALM.org
# Apply the UPN change using the administrator connection options.
# NOTE(review): $PREFIX/tmpldbmodify is passed twice, and "-k yes" is combined
# with the -U user%password held in ADMIN_LDBMODIFY_CONFIG; confirm both are
# intended.
141 testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)
# Only the enterprise principal form is exercised for the out-of-realm UPN.
143 rm -f $KRB5CCNAME_PATH
144 testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM.org || failed=$(expr $failed + 1)
145 test_smbclient "Test login with user kerberos ccache from enterprise UPN, different domain" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Rotate passwords: the current one becomes USERPASS (the "old" password for
# kpasswd) and the next one is written to the password file for the kinit
# check that follows the change.
147 USERPASS=$NEWUSERPASS
148 NEWUSERPASS=testPaSS@56%
149 echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
# texpect script that answers kpasswd's prompts for a user-initiated password
# change.
# NOTE(review): the script holds the old and new passwords in clear text and
# is written with the default umask. Several lines of the here-document,
# including its EOF, are not visible in this listing (gutter 152, 154,
# 158-160).
151 cat >$PREFIX/tmpkpasswdscript <<EOF
153 password ${USERPASS}\n
155 send ${NEWUSERPASS}\n
156 expect Verify password
157 send ${NEWUSERPASS}\n
# Run kpasswd for the test user under texpect with the script written above,
# then confirm the new password yields a ticket in an emptied cache.
161 testit "change user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
163 rm -f $KRB5CCNAME_PATH
164 testit "kinit with user password (after kpasswd change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
# The next password is chosen and written to the password file already here;
# the smbclient check that follows still uses the ticket obtained above.
166 NEWUSERPASS=testPaSS@78%
167 echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
169 test_smbclient "Test login with user kerberos ccache (after kpasswd change)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# texpect script for the kpasswd run that follows. The lines shown send only
# the new password (twice).
# NOTE(review): here-document lines are missing from this listing (gutter 172,
# 176-178), including the EOF; the new password is stored in clear text with
# the default umask.
171 cat >$PREFIX/tmpkpasswdscript <<EOF
173 send ${NEWUSERPASS}\n
174 expect Verify password
175 send ${NEWUSERPASS}\n
# kpasswd is pointed at the administrator cache (--cache=$ADMIN_KRB5CCNAME)
# while naming the test user as the target principal; presumably this
# exercises an administrative password set rather than a self-service change
# (confirm).
179 testit "set user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$ADMIN_KRB5CCNAME ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
# Confirm the password that was set works for the user, from an empty cache.
181 rm -f $KRB5CCNAME_PATH
182 testit "kinit with user password (after kpasswd set)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
184 test_smbclient "Test login with user kerberos ccache (after kpasswd set)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Next password and the matching texpect script for another kpasswd set.
# NOTE(review): as above, the password lands in two clear-text files written
# with the default umask, and the here-document is incomplete in this listing
# (gutter 190, 194-196 absent).
186 NEWUSERPASS=testPaSS@910%
187 echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
189 cat >$PREFIX/tmpkpasswdscript <<EOF
191 send ${NEWUSERPASS}\n
192 expect Verify password
193 send ${NEWUSERPASS}\n
# Same password set, but the account is addressed through its
# servicePrincipalName host/<test user>; the administrator cache is given by
# path ($PREFIX/tmpccache) instead of through ADMIN_KRB5CCNAME.
197 testit "set user password with kpasswd and servicePrincipalName" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache host/${TEST_USER}@$REALM || failed=$(expr $failed + 1)
# NOTE(review): unlike the earlier steps, no `rm -f $KRB5CCNAME_PATH` is
# visible before this kinit. If kinit failed, the smbclient check below could
# still succeed on the ticket left from the previous step, so it is a weaker
# check here.
199 testit "kinit with user password (after set with kpasswd and spn)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
201 test_smbclient "Test login with user kerberos ccache (after set with kpasswd and spn)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# LDIF consumed by the "modify pwdLastSet" step further down. Only the dn line
# is visible; the attribute change itself and the EOF are missing from this
# listing (gutter 205-209).
203 cat >$PREFIX/tmpldbmodify <<EOF
204 dn: cn=${TEST_USER},cn=users,$BASEDN
# Rotate again: the current password becomes USERPASS and a new one is chosen.
# The password file is not rewritten until after the expired-password dialogue
# below.
210 USERPASS=$NEWUSERPASS
211 NEWUSERPASS=testPaSS@911%
# Apply the pwdLastSet LDIF with the administrator connection options.
# NOTE(review): $PREFIX/tmpldbmodify is passed twice, as in the earlier UPN
# modification; confirm that is intended.
213 testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes "$@" || failed=$(expr $failed + 1)
# texpect script for kinit's expired-password dialogue: wait for the password
# prompt, the expiry and "Changing password" messages, then enter the new
# password twice and expect the success message.
# NOTE(review): lines of the here-document are missing from this listing
# (gutter 217, 220, 225-226), including the EOF. The file holds the new
# password in clear text and is written with the default umask.
215 cat >$PREFIX/tmppasswordchange <<EOF
216 expect ${TEST_USER}@${REALM}'s Password:
218 expect Your password will expire at
219 expect Changing password
221 send ${NEWUSERPASS}\n
222 expect Repeat new password:
223 send ${NEWUSERPASS}\n
224 expect Success: Password changed
# Drive kinit through the expired-password dialogue under texpect.
# NOTE(review): this is the only step joined with `&&`, so the failure counter
# is incremented when testit *succeeds*. Confirm that the inverted check is
# intended. No `rm -f $KRB5CCNAME_PATH` is visible before this kinit either,
# so the smbclient check below may be running on an earlier ticket.
227 testit "kinit with user password for expired password" $texpect $PREFIX/tmppasswordchange $samba4kinit $enctype --request-pac ${TEST_USER}@$REALM && failed=$(expr $failed + 1)
229 test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Record the new password and confirm a normal password-file kinit works
# after the forced change.
231 echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
232 testit "kinit with user password (after password change forced by expiration)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac ${TEST_USER}@$REALM || failed=$(expr $failed + 1)
234 test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Point KRB5CCNAME back at $PREFIX/tmpccache and delete that file, which is
# the cache the administrator tickets were stored in.
236 KRB5CCNAME_PATH="$PREFIX/tmpccache"
237 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
238 samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
241 rm -rf $KRB5CCNAME_PATH
# Lower-case the realm and check that smbclient still authenticates with
# Kerberos required: once with the lower-case realm in the user name, once
# with the upper-case realm in the user name plus --realm=<lower-case>.
# The brackets in the tr sets are literal characters that map to themselves,
# so the result is the same as tr 'A-Z' 'a-z'.
# NOTE(review): both smbclient lines carry the user's password in argv
# (-U user@realm%password).
243 lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
244 test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-kerberos=required -U${TEST_USER}@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1)
245 test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-kerberos=required -U${TEST_USER}@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1)
# Remove the test account.
# NOTE(review): $PREFIX/tmpccache was deleted a few lines earlier (gutter 241)
# and no new kinit is visible before this "-k yes" step; how it obtains
# credentials (perhaps from $CONFIGURATION or "$@") cannot be told from this
# listing.
247 testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete ${TEST_USER} $CONFIGURATION -k yes "$@" || failed=$(expr $failed + 1)
# Run the machineaccountccache script with the target cache name, then check
# that smbclient can log in with whatever that cache now holds.
249 rm -f $KRB5CCNAME_PATH
250 testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
251 test_smbclient "Test machine account login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
# Put every password-policy setting, including min-pwd-age, back to default.
253 testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
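# Remove every scratch file this script wrote under $PREFIX.
# The original command prefixed only the first name with $PREFIX, so the
# remaining names were resolved against the current directory and the
# clear-text password files (tmppassfile, tmpuserpassfile, tmpkpasswdscript)
# stayed behind in $PREFIX. tmpldbmodify and tmppasswordchange are also
# written by this script and are removed here as well; tmppasswordchange
# contains a password.
rm -f "$PREFIX/tmpccache" "$PREFIX/tmpccfile" "$PREFIX/tmppassfile" \
	"$PREFIX/tmpuserpassfile" "$PREFIX/tmpuserccache" \
	"$PREFIX/tmpkpasswdscript" "$PREFIX/tmpldbmodify" \
	"$PREFIX/tmppasswordchange"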