s3-selftest Add tests to show kerberos works across a password change

It is important that a machine account password change does not
invalidate existing tickets.

This is only for the default kerberos method with a password in
secrets.tdb.  The keytab based methods are still not tested.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr  6 05:24:48 CEST 2011 on sn-devel-104

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 66f7a4403e3a97dc95c1aa01685e52f3acca5269..b6c851a49d61b1897ccbde5a71c3d5ceb9b00001 100644 (file)
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -298,19 +298,29 @@ $ret->{USERNAME} = KTEST\\Administrator
 # ticket_lifetime = 799718400
 # renew_lifetime = 799718400
 #
-# The commands run were:
+# The commands for the -2 keytab where were:
 # kinit administrator@KTEST.SAMBA.EXAMPLE.COM
 # kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
 # kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
 # kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
 # kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
 #
-# This creates a credential cache with a very long lifetime (2036 at at 2011-04)
+# and then for the -3 keytab, I did
+#
+# net changetrustpw; kdestroy and the same again.
+#
+# This creates a credential cache with a very long lifetime (2036 at
+# at 2011-04), and shows that running 'net changetrustpw' does not
+# break existing logins (for the secrets.tdb method at least).
+#
 
        $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
 
-       system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache $prefix/krb5_ccache");
-       chmod 0600, "$prefix/krb5_ccache";
+       system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-2 $prefix/krb5_ccache-2");
+       chmod 0600, "$prefix/krb5_ccache-2";
+
+       system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-3 $prefix/krb5_ccache-3");
+       chmod 0600, "$prefix/krb5_ccache-3";
 
        $self->check_or_start($ret,
                              ($ENV{SMBD_MAXTIME} or 2700),

diff --git a/source3/selftest/ktest-krb5_ccache b/source3/selftest/ktest-krb5_ccache-2
similarity index 100%
rename from source3/selftest/ktest-krb5_ccache
rename to source3/selftest/ktest-krb5_ccache-2

diff --git a/source3/selftest/ktest-krb5_ccache-3 b/source3/selftest/ktest-krb5_ccache-3
new file mode 100644 (file)
index 0000000..a056beb
Binary files /dev/null and b/source3/selftest/ktest-krb5_ccache-3 differ

diff --git a/source3/selftest/ktest-secrets.tdb b/source3/selftest/ktest-secrets.tdb
index c09c3152884223efc743d974cc538a0bf52f2938..cf5c3d05dc92c318e67562bb84b08f1eae300f8d 100644 (file)
Binary files a/source3/selftest/ktest-secrets.tdb and b/source3/selftest/ktest-secrets.tdb differ

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 826b84fa3ba6d7b669c248ad967eb6bdf5e4d302..3fd44c52ca433e802570dcccb176afbd1c17b540 100755 (executable)
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -219,7 +219,10 @@ if sub.returncode == 0:
             e = ""
             a = ""
             binding_string = "ncacn_np:$SERVER[%s%s%s%s]" % (a, s, z, e)
-            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache"
+            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-2"
+            plansmbtorturetestsuite(test, "ktest", options, 'over kerberos with old ccache ncacn_np with [%s%s%s%s] ' % (a, s, z, e))
+
+            options = binding_string + " -k yes --krb5-ccache=$PREFIX/ktest/krb5_ccache-3"
             plansmbtorturetestsuite(test, "ktest", options, 'over kerberos ncacn_np with [%s%s%s%s] ' % (a, s, z, e))