s4:selftest Split out PKINIT tests from test_kinit.sh and test enc types

This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.

In particular, we need to assert that AES encryption is available in
the 2008 functional level.

Andrew Bartlett

diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh
index a5a4f78638a32947520811d6644c834117fae1c9..706c01a88c94a957c408c8e9d3344b76154f6f11 100755 (executable)
--- a/source4/selftest/tests.sh
+++ b/source4/selftest/tests.sh
@@ -364,7 +364,10 @@ planperltestsuite "selftest.samba4.pl" none $samba4srcdir/../selftest/test_samba
 
 plantestsuite "blackbox.ndrdump" none $samba4srcdir/librpc/tests/test_ndrdump.sh
 plantestsuite "blackbox.net" dc $samba4srcdir/utils/tests/test_net.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN"
-plantestsuite "blackbox.kinit" dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" $CONFIGURATION 
+plantestsuite "blackbox.pkinit" dc $bbdir/test_pkinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION 
+plantestsuite "blackbox.kinit" dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION 
+plantestsuite "blackbox.kinit" fl2000dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" arcfour-hmac-md5 $CONFIGURATION 
+plantestsuite "blackbox.kinit" fl2008r2dc $bbdir/test_kinit.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX" aes256-cts-hmac-sha1-96 $CONFIGURATION 
 plantestsuite "blackbox.passwords" dc:local $bbdir/test_passwords.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$REALM" "\$DOMAIN" "$PREFIX"
 plantestsuite "blackbox.export.keytab" dc:local $bbdir/test_export_keytab.sh "\$SERVER" "\$USERNAME" "\$REALM" "\$DOMAIN" "$PREFIX"
 plantestsuite "blackbox.cifsdd" dc $samba4srcdir/client/tests/test_cifsdd.sh "\$SERVER" "\$USERNAME" "\$PASSWORD" "\$DOMAIN" 

diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 504d4f4250c564e9b741b8ab6510b8729b9b8665..03734520429b2f862f7f213b717065553a57448e 100755 (executable)
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -16,7 +16,8 @@ PASSWORD=$3
 REALM=$4
 DOMAIN=$5
 PREFIX=$6
-shift 6
+ENCTYPE=$7
+shift 7
 failed=0
 
 samba4bindir="$BUILDDIR/bin"
@@ -48,18 +49,17 @@ test_smbclient() {
        return $status
 }
 
+enctype="-e $ENCTYPE"
+
 KRB5CCNAME="$PREFIX/tmpccache"
 export KRB5CCNAME
 
 echo $PASSWORD > ./tmppassfile
-#testit "kinit with keytab" $samba4kinit --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM   || failed=`expr $failed + 1`
-testit "kinit with password" $samba4kinit --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
-testit "kinit with password (enterprise style)" $samba4kinit --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
-testit "kinit with password (windows style)" $samba4kinit --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
-testit "kinit with pkinit (name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with pkinit (enterprise name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "kinit with pkinit (enterprise name in cert)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincertupn.pem,$PREFIX/dc/private/tls/adminkey.pem --pk-enterprise || failed=`expr $failed + 1`
-testit "kinit renew ticket" $samba4kinit --request-pac -R
+#testit "kinit with keytab" $samba4kinit $enctype --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM   || failed=`expr $failed + 1`
+testit "kinit with password" $samba4kinit $enctype --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
+testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
+testit "kinit with password (windows style)" $samba4kinit $enctype  --renewable --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM   || failed=`expr $failed + 1`
+testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R
 
 test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
@@ -89,7 +89,7 @@ testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
 
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
@@ -97,7 +97,7 @@ NEWUSERPASS=testPaSS@34%
 testit "change user password with 'net password change' (rpc)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION  -k no $NEWUSERPASS $@ || failed=`expr $failed + 1`
 
 echo $NEWUSERPASS > ./tmpuserpassfile
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
@@ -118,7 +118,7 @@ EOF
 
 testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1`
 
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
 
 NEWUSERPASS=testPaSS@78%
 echo $NEWUSERPASS > ./tmpuserpassfile
@@ -135,7 +135,7 @@ EOF
 
 testit "set user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr $failed + 1`
 
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
@@ -152,7 +152,7 @@ EOF
 
 testit "set user password with kpasswd and servicePrincipalName" $rkpty ./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache host/nettestuser@$REALM || failed=`expr $failed + 1`
 
-testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
+testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM   || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 

diff --git a/testprogs/blackbox/test_pkinit.sh b/testprogs/blackbox/test_pkinit.sh
new file mode 100755 (executable)
index 0000000..e901f0f
--- /dev/null
+++ b/testprogs/blackbox/test_pkinit.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+ENCTYPE=$7
+shift 7
+failed=0
+
+samba4bindir="$BUILDDIR/bin"
+smbclient="$samba4bindir/smbclient$EXEEXT"
+samba4kinit="$samba4bindir/samba4kinit$EXEEXT"
+net="$samba4bindir/net$EXEEXT"
+ldbmodify="$samba4bindir/ldbmodify$EXEEXT"
+ldbsearch="$samba4bindir/ldbsearch$EXEEXT"
+rkpty="$samba4bindir/rkpty$EXEEXT"
+samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT"
+enableaccount="$samba4bindir/net enableaccount"
+machineaccountccache="$BUILDDIR/scripting/bin/machineaccountccache"
+
+. `dirname $0`/subunit.sh
+
+test_smbclient() {
+       name="$1"
+       cmd="$2"
+       shift
+       shift
+       echo "test: $name"
+       $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" -W "$DOMAIN" $@
+       status=$?
+       if [ x$status = x0 ]; then
+               echo "success: $name"
+       else
+               echo "failure: $name"
+       fi
+       return $status
+}
+
+enctype="-e $ENCTYPE"
+
+KRB5CCNAME="$PREFIX/tmpccache"
+export KRB5CCNAME
+
+testit "kinit with pkinit (name specified)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
+testit "kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincertupn.pem,$PREFIX/dc/private/tls/adminkey.pem --pk-enterprise || failed=`expr $failed + 1`
+testit "kinit renew ticket" $samba4kinit --request-pac -R
+
+test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+
+rm -f $PREFIX/tmpccache
+exit $failed