2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
4 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
8 Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
23 samba4bindir="$BINDIR"
24 samba4kinit="$samba4bindir/samba4kinit"
25 samba_tool="$samba4bindir/samba-tool"
26 smbpasswd="$samba4bindir/smbpasswd"
27 rkpty="$samba4bindir/rkpty"
28 samba4kpasswd="$samba4bindir/samba4kpasswd"
29 newuser="$samba_tool user create"
31 . `dirname $0`/subunit.sh
39 $VALGRIND $smbclient //$SERVER/tmp -c "$cmd" $@
41 if [ x$status = x0 ]; then
49 CONFIG="--configfile=$PREFIX/dc/etc/smb.conf"
52 testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
56 testit "create user locally" $VALGRIND $newuser $CONFIG nettestuser $USERPASS $@ || failed=`expr $failed + 1`
58 KRB5CCNAME="$PREFIX/tmpuserccache"
61 echo $USERPASS > $PREFIX/tmpuserpassfile
63 testit "kinit with user password" $samba4kinit --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
65 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
67 NEWUSERPASS=testPaSS@01%
68 testit "change user password with 'samba-tool user password' (unforced)" $VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS -k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
70 echo $NEWUSERPASS > ./tmpuserpassfile
71 testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1`
73 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
76 # These tests demonstrate that a credential cache in the environment does not
77 # override a username/password, even an incorrect one, on the command line
80 testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%wrongpass && failed=`expr $failed + 1`
81 testit_expect_failure "Test login with user kerberos ccache, but old password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%$USERPASS && failed=`expr $failed + 1`
86 NEWUSERPASS=testPaSS@02%
88 # password mismatch check doesn't work yet (kpasswd bug, reported to Love)
89 #echo "check that password mismatch gives the right error"
90 #cat > ./tmpkpasswdscript <<EOF
92 #password ${USERPASS}\n
96 #send ${NEWUSERPASS}\n
97 #expect password mismatch
100 #testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
103 echo "check that a weak password is rejected"
104 cat > ./tmpkpasswdscript <<EOF
106 password ${USERPASS}\n
111 expect Password does not meet complexity requirements
114 testit "change to weak user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
116 echo "check that a short password is rejected"
117 cat > ./tmpkpasswdscript <<EOF
119 password ${USERPASS}\n
124 expect Password too short
127 testit "change to short user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
130 echo "check that a strong new password is accepted"
131 cat > ./tmpkpasswdscript <<EOF
133 password ${USERPASS}\n
135 send ${NEWUSERPASS}\n
137 send ${NEWUSERPASS}\n
141 testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
143 test_smbclient "Test login with user kerberos (unforced)" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
145 NEWUSERPASS=testPaSS@03%
147 echo "set password with smbpasswd"
148 cat > ./tmpsmbpasswdscript <<EOF
149 expect New SMB password:
150 send ${NEWUSERPASS}\n
151 expect Retype new SMB password:
152 send ${NEWUSERPASS}\n
155 testit "set user password with smbpasswd" $rkpty ./tmpsmbpasswdscript $smbpasswd -L -c $PREFIX/dc/etc/smb.conf nettestuser || failed=`expr $failed + 1`
156 USERPASS=$NEWUSERPASS
158 test_smbclient "Test login with user (ntlm)" 'ls' -k no -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
161 NEWUSERPASS=testPaSS@04%
162 testit "set password on user locally" $VALGRIND $samba_tool user setpassword nettestuser $CONFIG --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
163 USERPASS=$NEWUSERPASS
165 NEWUSERPASS=testPaSS@05%
166 testit "change user password with 'samba-tool user password' (after must change flag set)" $VALGRIND $samba_tool user password -W$DOMAIN -U$DOMAIN/nettestuser%$USERPASS -k no --newpassword=$NEWUSERPASS $@ || failed=`expr $failed + 1`
167 USERPASS=$NEWUSERPASS
169 NEWUSERPASS=testPaSS@06%
170 testit "set password on user locally" $VALGRIND $samba_tool user setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
171 USERPASS=$NEWUSERPASS
173 NEWUSERPASS=testPaSS@07%
175 cat > ./tmpkpasswdscript <<EOF
177 password ${USERPASS}\n
179 send ${NEWUSERPASS}\n
181 send ${NEWUSERPASS}\n
185 testit "change user password with kpasswd (after must change flag set)" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
186 USERPASS=$NEWUSERPASS
188 test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
190 NEWUSERPASS=testPaSS@08%
191 testit "set password on user locally" $VALGRIND $samba_tool user setpassword $CONFIG nettestuser --newpassword=$NEWUSERPASS --must-change-at-next-login $@ || failed=`expr $failed + 1`
192 USERPASS=$NEWUSERPASS
194 NEWUSERPASS=testPaSS@09%
196 cat > ./tmpsmbpasswdscript <<EOF
197 expect Old SMB password:
198 password ${USERPASS}\n
199 expect New SMB password:
200 send ${NEWUSERPASS}\n
201 expect Retype new SMB password:
202 send ${NEWUSERPASS}\n
205 testit "change user password with smbpasswd (after must change flag set)" $rkpty ./tmpsmbpasswdscript $smbpasswd -r $SERVER -c $PREFIX/dc/etc/smb.conf -U nettestuser || failed=`expr $failed + 1`
207 USERPASS=$NEWUSERPASS
209 test_smbclient "Test login with user kerberos" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS || failed=`expr $failed + 1`
212 testit_expect_failure "try to set a non-complex password (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
214 testit "allow non-complex passwords" $VALGRIND $samba_tool domain passwordsettings set $CONFIG --complexity=off || failed=`expr $failed + 1`
216 testit "try to set a non-complex password (command should succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ || failed=`expr $failed + 1`
217 USERPASS=$NEWUSERPASS
219 test_smbclient "test login with non-complex password" 'ls' -k no -Unettestuser@$REALM%$USERPASS || failed=`expr $failed + 1`
222 testit_expect_failure "try to set a short password (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
224 testit "allow short passwords (length 1)" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-length=1 || failed=`expr $failed + 1`
226 testit "try to set a short password (command should succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ || failed=`expr $failed + 1`
227 USERPASS="$NEWUSERPASS"
229 testit "require minimum password age of 1 day" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --min-pwd-age=1 || failed=`expr $failed + 1`
231 testit "show password settings" $VALGRIND $samba_tool domain passwordsettings $CONFIG show || failed=`expr $failed + 1`
233 NEWUSERPASS="testPaSS@08%"
234 testit_expect_failure "try to change password too quickly (command should not succeed)" $VALGRIND $samba_tool user password -W$DOMAIN "-U$DOMAIN/nettestuser%$USERPASS" -k no --newpassword="$NEWUSERPASS" $@ && failed=`expr $failed + 1`
236 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $CONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
238 testit "del user" $VALGRIND $samba_tool user delete nettestuser -U"$USERNAME%$PASSWORD" $CONFIG -k no $@ || failed=`expr $failed + 1`
240 rm -f tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript tmpsmbpasswdscript