2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
8 Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
22 samba4bindir="$BUILDDIR/bin"
23 smbclient="$samba4bindir/smbclient$EXEEXT"
24 samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
25 net="$samba4bindir/net$EXEEXT"
26 rkpty="$samba4bindir/rkpty$EXEEXT"
27 samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
28 newuser="$net newuser"
30 . `dirname $0`/subunit.sh
38 $VALGRIND $smbclient //$SERVER/tmp -c "$cmd" -W "$DOMAIN" $@
40 if [ x$status = x0 ]; then
48 CONFIG="--configfile=$PREFIX/dc/etc/smb.conf"
53 testit "create user locally" $VALGRIND $newuser $CONFIG nettestuser $USERPASS $@ || failed=`expr $failed + 1`
55 KRB5CCNAME="$PREFIX/tmpuserccache"
58 echo $USERPASS > $PREFIX/tmpuserpassfile
60 testit "kinit with user password" $samba4kinit --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
62 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
64 NEWUSERPASS=testPaSS@02%
65 testit "change user password with 'net password change' (unforced)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
67 echo $NEWUSERPASS > ./tmpuserpassfile
68 testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
70 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
75 NEWUSERPASS=testPaSS@03%
77 # password mismatch check doesn't work yet (kpasswd bug, reported to Love)
78 #echo "check that password mismatch gives the right error"
79 #cat > ./tmpkpasswdscript <<EOF
81 #password ${USERPASS}\n
85 #send ${NEWUSERPASS}\n
86 #expect password mismatch
89 #testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
92 echo "check that a weak password is rejected"
93 cat > ./tmpkpasswdscript <<EOF
95 password ${USERPASS}\n
100 expect Password does not meet complexity requirements
103 testit "change to weak user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
105 echo "check that a short password is rejected"
106 cat > ./tmpkpasswdscript <<EOF
108 password ${USERPASS}\n
113 expect Password too short
116 testit "change to short user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
119 echo "check that a strong new password is accepted"
120 cat > ./tmpkpasswdscript <<EOF
122 password ${USERPASS}\n
124 send ${NEWUSERPASS}\n
126 send ${NEWUSERPASS}\n
130 testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
132 test_smbclient "Test login with user kerberos (unforced)" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
135 NEWUSERPASS=testPaSS@04%
136 testit "set password on user locally" $VALGRIND $net setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
137 USERPASS=$NEWUSERPASS
139 NEWUSERPASS=testPaSS@05%
140 testit "change user password with 'net password change' (after must change flag set)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
141 USERPASS=$NEWUSERPASS
143 NEWUSERPASS=testPaSS@06%
144 testit "set password on user locally" $VALGRIND $net setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
145 USERPASS=$NEWUSERPASS
147 NEWUSERPASS=testPaSS@07%
149 cat > ./tmpkpasswdscript <<EOF
151 password ${USERPASS}\n
153 send ${NEWUSERPASS}\n
155 send ${NEWUSERPASS}\n
159 testit "change user password with kpasswd (after must change flag set)" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
160 USERPASS=$NEWUSERPASS
162 test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
164 testit "reset password policies" $VALGRIND $net pwsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
167 testit_expect_failure "try to set a non-complex password (command should not succeed)" $VALGRIND $net password change -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no "$NEWUSERPASS" $@ && failed=`expr $failed + 1`
169 testit "allow non-complex passwords" $VALGRIND $net pwsettings set $CONFIG --complexity=off || failed=`expr $failed + 1`
171 testit "try to set a non-complex password (command should succeed)" $VALGRIND $net password change -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no "$NEWUSERPASS" $@ || failed=`expr $failed + 1`
172 USERPASS=$NEWUSERPASS
174 test_smbclient "test login with non-complex password" 'ls' -k no -Unettestuser@$REALM%$USERPASS || failed=`expr $failed + 1`
177 testit_expect_failure "try to set a short password (command should not succeed)" $VALGRIND $net password change -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no "$NEWUSERPASS" $@ && failed=`expr $failed + 1`
179 testit "allow short passwords (length 1)" $VALGRIND $net pwsettings $CONFIG set --min-pwd-length=1 || failed=`expr $failed + 1`
181 testit "try to set a short password (command should succeed)" $VALGRIND $net password change -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no "$NEWUSERPASS" $@ || failed=`expr $failed + 1`
182 USERPASS="$NEWUSERPASS"
184 testit "require minimum password age of 1 day" $VALGRIND $net pwsettings $CONFIG set --min-pwd-age=1 || failed=`expr $failed + 1`
186 testit "show password settings" $VALGRIND $net pwsettings $CONFIG show || failed=`expr $failed + 1`
188 NEWUSERPASS="testPaSS@08%"
189 testit_expect_failure "try to change password too quickly (command should not succeed)" $VALGRIND $net password change -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no "$NEWUSERPASS" $@ && failed=`expr $failed + 1`
191 testit "reset password policies" $VALGRIND $net pwsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
193 testit "del user" $VALGRIND $net user delete nettestuser -U"$USERNAME%$PASSWORD" -k no $@ || failed=`expr $failed + 1`
195 rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript