2 # Blackbox tests for kinit and trust validation
3 # Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
4 # Copyright (c) 2016 Andreas Schneider <asn@samba.org>
8 Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
# Paths of the tools driven by this test. The Samba-built binaries are
# addressed by full path under $BINDIR.
31 samba_bindir="$BINDIR"
32 samba_srcdir="$SRCDIR/source4"
# kdestroy is named without a directory, so it is resolved through PATH.
34 samba_kdestroy=kdestroy
# NOTE(review): samba_kinit is used by the tests further down, but its
# assignment is not among the lines shown here.
37 samba_tool="$samba_bindir/samba-tool"
38 samba_texpect="$samba_bindir/texpect"
40 smbclient="$samba_bindir/smbclient"
41 wbinfo="$samba_bindir/wbinfo"
42 rpcclient="$samba_bindir/rpcclient"
# Share used for the incoming-trust checks: the "tmp" share on $SERVER.$REALM.
44 SMBCLIENT_UNC="//$SERVER.$REALM/tmp"
# Pull in the subunit helpers from the directory this script lives in.
# NOTE(review): $0 and the backtick result are unquoted, so a script path
# containing whitespace would be word-split before sourcing.
46 . `dirname $0`/subunit.sh
54 $VALGRIND $smbclient $CONFIGURATION $SMBCLIENT_UNC -c "$cmd" $@
56 if [ x$status = x0 ]; then
# Use a dedicated FILE: credential cache under $PREFIX for this test run.
# NOTE(review): an `export KRB5CCNAME` is not among the lines shown; confirm
# the child processes actually see this value.
64 KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
65 KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
# Start from a clean cache.
# NOTE(review): the path is unquoted, so a $PREFIX containing whitespace or
# glob characters would make this recursive delete act on other names.
67 rm -rf $KRB5CCNAME_PATH
# Write the expect script that answers kinit's password prompt. The
# here-document delimiter is unquoted, so ${TRUST_PASSWORD} is expanded while
# the file is written and the file holds the password in clear text.
# NOTE(review): the file name is fixed and no umask/chmod is visible in the
# lines shown, so $PREFIX should be a directory only the test user can read.
69 cat > $PREFIX/tmpkinitscript <<EOF
71 send ${TRUST_PASSWORD}\n
74 ###########################################################
75 ### Test incoming trust direction
76 ###########################################################
# Get a ticket for $TRUST_USERNAME@$TRUST_REALM by running kinit under texpect
# with the password script, then run `ls` on the share using the Kerberos
# credential cache (-k yes). Every failing step adds one to `failed`.
78 testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
79 test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
# Repeat the same kinit + login pair with the smbclient4 binary.
82 smbclient="$samba_bindir/smbclient4"
84 testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
85 test_smbclient "Test login with kerberos ccache (smbclient4)" 'ls' -k yes || failed=`expr $failed + 1`
# Switch back to the regular smbclient for the remaining checks.
88 smbclient="$samba_bindir/smbclient"
# Same login again, this time with kinit -E (labelled "enterprise" by the test).
90 testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
91 test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
# Forest trusts only: kinit -E with the principal testdenied_upn@${TRUST_REALM}.upn
# and then log in with the resulting cache.
# NOTE(review): the closing `fi` of this conditional is in lines not shown
# here, so where the forest-only section ends cannot be read off this listing.
95 if test x"${TYPE}" = x"forest" ;then
96 testit "kinit with password (enterprise UPN)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E testdenied_upn@${TRUST_REALM}.upn || failed=`expr $failed + 1`
97 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
# Re-acquire a ticket for the regular trusted-realm user and log in with it.
102 testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
103 test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
# Renew the ticket (kinit -R) and confirm the cache still allows a login.
# NOTE(review): unlike every other step, this testit has no
# `|| failed=...` fallback, so a failed renewal does not raise the `failed`
# counter from this line; confirm whether that is intended.
105 testit "kinit renew ticket" $samba_kinit -R
106 test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
# Run `samba-tool time` against $SERVER.$REALM with the Kerberos cache.
# NOTE(review): $@ is unquoted, so any remaining script arguments are
# re-split on whitespace before being passed on.
108 testit "check time with kerberos ccache" $VALGRIND $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
# Lower-case the trusted realm name and check that logins still work when the
# realm is given in lower case, first inside the -U principal and then via
# --realm.
# NOTE(review): both calls put $TRUST_PASSWORD on the smbclient command line
# (-Uuser%password), where it is visible in the process list while the command
# runs; this is only acceptable for throwaway test credentials. The first call
# also raises the debug level with -d5.
112 lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]')
113 test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes -d5 -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=`expr $failed + 1`
114 test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=`expr $failed + 1`
116 ###########################################################
117 ### Test outgoing trust direction
118 ###########################################################
# From here on the target is the "tmp" share on $TRUST_SERVER.$TRUST_REALM.
# NOTE(review): TRUST_SERVER is not one of the positional arguments listed in
# the usage text and is not assigned in the lines shown; presumably it comes
# from the environment.
120 SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"
# Log in as the local-realm user before the trust secret is changed.
# NOTE(review): $PASSWORD is passed on the command line (-Uuser%password) and
# is therefore visible in the process list while smbclient runs.
121 test_smbclient "Test user login with the first outgoing secret" 'ls' -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
# `samba-tool user setpassword` on the account named "${TRUST_DOMAIN}$" must
# be refused; the step counts as passed only if the command fails.
# Presumably that account is the trust account for the trusted domain.
123 testit_expect_failure "setpassword should not work" $VALGRIND $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=`expr $failed + 1`
# Use wbinfo to ping a DC of the trusted domain, change the trust secret and
# then verify the new secret.
125 testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=`expr $failed + 1`
126 testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=`expr $failed + 1`
127 testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=`expr $failed + 1`
# The same user login must still succeed after the secret change.
129 test_smbclient "Test user login with the changed outgoing secret" 'ls' -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
# Remove the credential cache and the expect scripts, which hold passwords in
# clear text.
# NOTE(review): this cleanup runs only if execution reaches this point; no
# trap is visible in the lines shown, so an early exit would leave the files
# behind. The creation of tmpkinituserpassscript is also not among the lines
# shown. The paths are unquoted and rely on $PREFIX having no whitespace.
135 rm -f $KRB5CCNAME_PATH
136 rm -f $PREFIX/tmpkinituserpassscript
137 rm -f $PREFIX/tmpkinitscript